We will spend $75.4 billion on information security in 2015 according to Gartner Group's September 2015 report.[i] Well-publicized data breaches and government initiatives are mentioned as key drivers, at the macro level, for the information security market's projected compound annual growth rate (CAGR) of 7.4% through 2019.
At the micro level, signs that point to the need for cybersecurity investment are that your company or organization:
1. Fails to keep its promises.
The Snapchat ruling by the FTC underscored that companies must practice what they preach or promise when it comes to policies surrounding data collection and disposal.[ii] And if your brand identity is closely associated with a cute animal, like Target's Bullseye, customers may take disappointment in misplaced trust even more seriously and personally (adding a kind of dog-bites-man insult to injury).
2. Partners with others.
Although the weakest link analogy may be overworked, it is no less valid. Trading partners (e.g., supply chain vendors, contract team members, clients, service providers) who take security concerns lightly may prove to be the chink in your company's cyber armor.
3. Has a current or prospective vendor relationship with a federal agency (either as a prime or subcontractor).
Even if your company is not providing outsourced data processing services to the federal government, and is thus not beholden to NIST SP 800-53 guidelines, the Office of Management and Budget (OMB) has released draft requirements that federal vendors whose systems process controlled unclassified information (CUI) "incidental to contract performance" must comply with NIST SP 800-171.[iii]
4. Recently acquired a company that has no effective security policy in place.
Part of your due diligence before acquiring a company is to understand what information and physical security mechanisms and policy currently exist, as well as current policy and practices on document and information collection, retention, and destruction. An enforceable policy is written clearly, understood and acknowledged by staff and other trusted system users, applied fairly, and believable (that is, penalties for noncompliance are appropriate and enforceable). A useful checklist for these and other concerns related to due diligence is available online from Grant Thornton LLP, "one of the world's leading organizations of independent audit, tax and advisory firms."[iv]
5. Is a humanitarian, educational, faith-based, or nonprofit organization.
Trust but verify. Organizations that promote social welfare may tend to neglect the second part of this prudent counsel. I have witnessed enough trust-by-default practices in such organizations to convince me that any organization with privileged information about donors, supporters, students, or parishioners must practice due diligence to the same degree as any for-profit organization. A Senior Fellow from the Brookings Institution summarizes some examples of unintended consequences of exuberant trust and insufficient cyber security investment.[v]
6. Lacks or has limited internal IT personnel resources.
Managing a secure enterprise takes more than technology; it takes people (end users included) who are trained, observant, and a bit skeptical of email messages that are too good to be true. The 2015 Data Breach Investigation Report notes, "60% of incidents were attributed to errors by systems administrators."[vi]
7. Follows a bring your own device (BYOD) or relaxed mobile device use policy.
A Ponemon Institute study released in 2014 calculated the per-device cost of malware infection as $3,903. Seventy-five percent of those surveyed were at companies with more than 1,000 employees worldwide.[vii] Laptop compromise is still much more disturbing than smart phone compromise.
8. Experienced a data breach.
Yes, lightning can strike at least twice if you are insufficiently vigilant. (Just ask Sony or Expedia!) And, if your customer information has been compromised, it is possible that fraudulent customer credentials are available for use by the unscrupulous.
9. Shows degraded network performance or an unusually high volume of network traffic.
Just as with a personal computer, unusually slow response time when using your company's information resources can indicate that background processes are running. These can include malware being downloaded or botnet activity.[viii]
10. Relies on legacy and/or undocumented systems.
Ignorance may be bliss, but it can also be costly. Many legacy systems, including those used by state governments and utility companies, were never intended to be accessible over a party line, which is, essentially, what the Internet is. (For those too young to remember, a party line was a telephone line shared by multiple service subscribers who would negotiate when to make calls or just casually eavesdrop on others' calls. Reality TV shows provide similar entertainment value.) One contributor to the 2015 DBIR cautioned against the danger of publicly accessible FTP servers used to share information about individual tax, military service, and health; proprietary software; licensing and partnering agreements; and privileged account access.[ix]
The above list is not exhaustive, needless to say. Obviously, those companies that are subject to industry-specific regulations like HIPAA, PCI-DSS, and FISMA must show reasonable effort in their cybersecurity investments. It's no wonder that articles about investing in cyber security companies are so prevalent!
[i] Elizabeth Kim, Christian Canales, Ruggero Contu, Sid Deshpande, & Lawrence Pingre (8 September 2014), "Forecast Analysis: Information Security, Worldwide, 2Q15 Update." Retrieved from https://www.gartner.com/doc/3126418
[ii] In its case, the FTC suggested that lax security allowed hackers to siphon off 4.6 million usernames and phone numbers. Federal Trade Commission (8 May 2014), "Snapchat settles FTC charges that promises of disappearing messages were false" (Press Release). Retrieved from https://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were
[iii] Susan Cassidy and Alex Sarria (12 August 2015), "OMB issues new draft cyber guidance for contractors," Inside Government Contracts. Retrieved from http://www.insidegovernmentcontracts.com/2015/08/omb-issues-new-draft-cyber-guidance-for-contractors/
[iv] See Grant Thornton and Dykema, "Comprehensive M&A due diligence checklist for buyers." Retrieved from http://www.grantthornton.com/staticfiles/GTCom/Advisory/Comprehensive%20M&A%20due%20diligence%20checklist%20for%20buyers.pdf
[v] Elizabeth Ferris (2 June 2014), "Why humanitarians should pay attention to cybersecurity," Brookings. Retrieved from http://www.brookings.edu/blogs/up-front/posts/2014/06/02-cybersecurity-humanitarians-ferris
[vi] Wade Baker et al. (13 April 2015), "Verizon 2015 data breach investigations report." Retrieved from http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/
[vii] Ponemon Institute (March 2014), "The cost of insecure mobile devices in the workplace." Retrieved from http://www.ponemon.org/local/upload/file/AT%26T%20Mobility%20Report%20FINAL%202.pdf
[viii] Sorin Mustaca (25 November 2014), "10 signs your business should invest in IT security," Improve your security. Retrieved from http://improve-your-security.org/2014/11/25/10-signs-your-business-should-invest-in-it-security/
[ix] Wade Baker et al. (see note vi).