Security training is never in vain

May 18, 2016 by Jeff Harris

Lefty Gomez, the famous 1930s baseball player, is credited with coining the phrase “I’d rather be lucky than good.” But when it comes to cyber security, the overwhelming majority of organizations seem to be all out of luck. The UK Government’s annual Infosecurity Breaches Survey 2015 found that 90% of large enterprises, and 74% of SMEs had suffered a breach – an increase of 81% and 60% respectively compared with the previous 12 months.

And the average costs of those breaches increased sharply too, for all sizes of business. For organizations employing over 500 people, the ‘starting point’ for breach costs – which includes elements such as business disruption, lost sales, recovery of assets, and fines & compensation – was $2.1 million, up from $870,000 in 2014. For SMEs, the starting point was $110,000. These figures show that firms are paying a heavy price for being ‘unlucky’ with their security.

So if luck isn’t protecting against cyberattacks, maybe organizations need to work on getting better at preventing them, and at being quicker to respond when an attack does happen. However, recent research by the SANS Institute into the incident response capabilities of companies worldwide found shortfalls in terms of readiness: 43% of respondents did not have a formalized incident response plan, and more than half stated they did not have a formal incident response team in place. No surprise, then, that just 9% described their incident response capabilities as ‘very effective’. The reasons were familiar: lack of time to review and practice procedures (62%).

This means that in most organizations, IT and security teams have the tools they need to protect networks and data, but are insufficiently practiced in how to use them to best effect — especially during an attack. They haven’t developed the ‘muscle memory’, the trained, automated actions that shorten response times and bolster defenses.

The SANS research also found that lack of budget was cited by 60% of respondents as a reason for not developing and refining incident response plans. Yet look again at those starting-point breach costs earlier: investing a fraction of those costs in cyber security testing and training would significantly reduce the frequency and impact of successful attacks.

This is a key point made by Ixia CEO, Bethany Mayer, in her recent article for SC Magazine. Bethany looks at the importance of repeated cycles of testing networks and training staff at every stage, from initial network deployments, through everyday processes, to realistic cyberattack scenarios. Regular testing and training helps all staff – from security and IT pros to regular employees – to become more security-aware and to recognize anomalous activity they might otherwise miss.

As Bethany’s article points out, even the best athletes don’t go into a competition expecting to dominate; they’ve practiced for months on end to make sure they are as ready as they can be for any eventuality. It’s the same in cyber security: a little luck is always welcome, but good training is never in vain – it can make the difference between successfully thwarting an attack, and falling victim.