By Bal Heroor, CEO and Principal at Mactores
It’s easy to forget about cybersecurity risks in good times. These are the moments when organizations, stakeholders, and investors are led to believe that the cybersecurity risk exposure facing a business is negligible or easily manageable. Such a prevailing sentiment then pushes stakeholders to focus on other business aspects and treat cybersecurity as only an afterthought.
Yet, failing to protect against cybersecurity risks can be extremely costly for all companies. According to recent research, companies that fall prey to a cyberattack see their stock value decline by 7.27 percent on average, with finance companies taking the largest hit.
What’s more, these security breaches share a common theme: the organizations involved are trusted with sensitive personally identifiable information (PII) and believe they have their cybersecurity risk exposure covered, yet many fail to defend against the growing cybersecurity threat landscape.
Calculating the cost of a data breach
How exactly does a data breach incident affect an organization’s value? According to the IBM Data Breach Report 2022, which evaluated over 550 business impacts across 17 countries in the last year, 83 percent of the organizations fell prey to at least one data breach incident. The global average data breach cost was $4.35 million (and $9.44 million for U.S.-based companies). What’s more concerning is that it took these organizations an average of 277 days to identify and contain the breach.
Here are the key cost breakdowns for a typical data breach incident:
- Business Disruption and Revenue Loss: These costs are incurred due to system downtime, loss of user base, and the opportunity cost of halting operations while the organization identifies, resolves, and manages the impact of a data breach incident. The IBM data breach report divides these costs into four segments: lost business cost ($1.42 million), detection and escalation ($1.44 million), post-breach response ($1.18 million), and notification of incident ($0.31 million).
- Legal and Regulatory Compliance: Legal implications of a cyberattack vary by industry and the geographic location of the organization – the cost of a data breach for organizations in highly regulated data environments is three times that of organizations operating in low-regulation environments. Recent regulations such as the GDPR in the EU have additionally imposed fines of over $20 million for compliance violations that lead to a data breach incident.
- Intellectual Property Loss: Trade secrets and intellectual property are a primary means of creating value for a business organization. If a data breach involves the risk of exposing sensitive trade secrets, repercussions can stretch well beyond direct financial losses. Trade secret theft costs U.S. businesses somewhere between 180 and 540 billion annually, without accounting for potential lawsuits.
- Brand Reputation and Diminished Goodwill: Customers expect organizations to keep their personal information safe. If organizations can’t ensure data security, customers will simply switch to a competitor. Any violation of customer trust, based on inadequate security mechanisms or false branding, affects the goodwill associated with the business and repeat customer metrics.
- Post-Crisis Investments: Once an incident has been identified and contained, organizations need to spend resources to manage the impact and prevent similar incidents in the future. These costs include investments in audits and forensic activities, crisis management, PR costs, and financial compensation to the affected stakeholders.
Mitigating damages through access control
In the event of a cyberattack, proper access control mechanisms can limit both the damage incurred and the decline in a company’s value. If an attacker can only access a segment of the organization’s systems, as opposed to gaining unlimited access, the breach will likely be less severe.
Generally, access control mechanisms are intended to prevent outsiders from gaining unauthorized access to organizational data. If admin privileges are poorly monitored, or extended to too many employees, an organization is both more vulnerable to an attack and more susceptible to higher losses if an attack does occur.
Data assets and IT resources are typically protected against unauthorized users through access control models. Traditional models such as Role-Based Access Control (RBAC) allow users to access information based on their roles or positions within the organization; employees are only granted access to the data they absolutely require to perform their duties.
However, many advanced analytics use cases require IT services and cross-functional teams to access information assets and technology resources with disparate policies. In order to maximize the value of analytics technologies, organizations need an access control mechanism that allows the flexibility to enforce unique and custom access policies without exposing the platform to data breaches through vulnerable access control models.
A modern alternative to static access controls with the RBAC model is to use policy-based models that enforce controls using dynamic attributes and parameters. The Attribute-Based Access Control (ABAC) model, for instance, grants least-privilege access based on a range of attributes such as the entities, operations, actions, context, subject, and environment parameters involved. When an access request is generated, the ABAC system verifies the request against all constraints applicable to these attributes. Only the requests satisfying all attribute constraints are fulfilled.
These attributes can represent a rich set of features and semantics to model access controls for unique and custom user profiles and services. Instead of redefining roles or creating new user roles with overlapping and duplicate requirements, potentially leading to unauthorized permission leakage, ABAC provides a flexible mechanism to meet evolving access control needs.
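As an added illustration of the ABAC evaluation described above (example code, not from the article or from Mactores), a minimal policy decision point in Python: each policy constrains subject, resource and environment attributes, a matching deny policy overrides any permit, and a request matching no permit is refused. The policy names and the sample attributes are constructed.

```python
from dataclasses import dataclass
from datetime import time

# Constructed ABAC evaluator (not Mactores code): every request carries attributes of
# the subject, action, resource and environment; deny overrides permit, and a request
# that matches no permit policy is refused (default deny).
@dataclass(frozen=True)
class Request:
    subject: dict      # e.g. id, department, clearance, pii_trained
    action: str        # read, write, ...
    resource: dict     # e.g. owner, department, classification, pii
    environment: dict  # e.g. network, time of day
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Hypothetical policies: (effect, name, applies-to predicate, attribute constraints).
POLICIES = [
    ("permit", "analyst-read", lambda r: r.action == "read", [
        lambda r: r.subject["department"] == r.resource["department"],
        lambda r: LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["classification"]],
        lambda r: r.environment["network"] == "corporate",
        lambda r: time(8) <= r.environment["time"] <= time(18),
    ]),
    ("permit", "owner-write", lambda r: r.action == "write", [
        lambda r: r.subject["id"] == r.resource["owner"],
    ]),
    # PII datasets are off limits to anyone without privacy training, whatever else permits
    ("deny", "pii-untrained", lambda r: r.resource.get("pii", False), [
        lambda r: not r.subject.get("pii_trained", False),
    ]),
]

def evaluate(req):
    """Return (decision, policy name). A matching deny wins; otherwise first permit."""
    permits = []
    for effect, name, applies, constraints in POLICIES:
        if applies(req) and all(check(req) for check in constraints):
            if effect == "deny":
                return "deny", name
            permits.append(name)
    return ("permit", permits[0]) if permits else ("deny", "no-matching-policy")

# Constructed sample attributes for a finance analytics team
ANALYST = {"id": "u42", "department": "finance", "clearance": "internal", "pii_trained": False}
OWNER = {"id": "u7", "department": "finance", "clearance": "confidential", "pii_trained": True}
REVENUE = {"owner": "u7", "department": "finance", "classification": "internal", "pii": False}
CUSTOMERS = {"owner": "u7", "department": "finance", "classification": "internal", "pii": True}
OFFICE = {"network": "corporate", "time": time(10, 30)}
CAFE = {"network": "public", "time": time(10, 30)}
def decide(subject, action, resource, env):
    return evaluate(Request(subject, action, resource, env))
```

Under plain RBAC the "analyst" role alone would decide the first three cases identically; here the same analyst is permitted in the office, refused from a public network, and blocked from the PII dataset by the overriding deny.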
Whether your organization relies on the traditional RBAC model for Identity and Access Management (IAM) or the next-generation of policy-based models such as ABAC, modern big data applications require organizations to maintain an optimal mix of flexibility and heightened security controls – especially when modern data analytics use cases engage a diverse set of roles, users, and IT services with dynamic needs for information access.
Bal Heroor is CEO and Principal at Mactores and has led over 150 business transformations driven by analytics and cutting-edge technology. His team at Mactores is researching and building AI, AR/VR, and quantum computing solutions for businesses to gain a competitive advantage.