When I talk to CEOs and CFOs, I frequently hear about how a devastating cybersecurity attack could cause huge losses: They see banner headlines about ransomware that cripples organizations and massive data breaches that spill tens of thousands of customer records across the dark web.
I get it. Home Depot’s point-of-sale system breach in 2014 cost it about $200 million, and this year, the ransomware attackers who took over computer maker Acer’s network demanded $50 million. Leaders don't want their companies splashed across the news or to end up the defendant in a class-action lawsuit.
First, I provide a list of precautions to hopefully head off a devastating attack. Then, I tell them they’re ignoring what is likely a bigger cybersecurity problem: death by 1,000 cuts.
The term originates from a form of execution in which the victim bleeds out from many small cuts over an extended period of time — clearly a more insidious form of capital punishment than a one-and-done method. CFOs might prefer, “Watch the pennies, and the dollars will take care of themselves.” Whatever your chosen analogy, my point is that a drawn-out series of small losses can leave you just as debilitated as one big ransomware payout.
Consider expense report fraud. There’s lots of room for abuse here, especially in companies that don’t require receipts for expenditures under, say, $25. This fraud slowed somewhat in 2020, when business travel ground to a halt, but expect a resurgence. A 2018 study by the Association of Certified Fraud Examiners found that expenses drove 21% of fraud in businesses with fewer than 100 employees.
The remedy is to require receipts for each and every expenditure, no matter how small. This itself is costly in the time required for employees to document, and accounting to process, each cup of coffee or Uber ride. However, many organizations I work with see enough small fraudulent expenses that they add up to major losses — if you have 300 workers and half of them fudge $100 or so in expenses over a year, you’re out $15,000.
Other examples: Simple paper timesheets are cheap, but people abuse the system, so companies invest in software that tracks time and effort in ways not easily gamed, like using GPS tracking and detailed project logs. Restaurants make great efforts to track the amount of alcohol sold and measure pours down to the ounce, despite the burden, because one free shot is nothing, but a night of double pours halves profits. Salespeople job-hop and take customers with them, so companies go to lengths to keep contact information within a CRM and enforce use of a company smartphone and email account.
In my last column, I talked about how CFOs can get their security team or provider the resources needed to protect the company in alignment with its appetite for risk. Now, you need to think about quantifying the value of controls that might appear unnecessary. It’s hard to prove a return on investment when nothing, apparently, goes wrong.
In truth, things do go wrong, but you don’t notice. Or losses, in a vacuum, seem so small that it is not worth attempting to mitigate them. Two poached customers. Expense fraud of $10,000 or $15,000 annually. A bartender who overserves big tippers. These are your 1,000 cuts.
In cybersecurity, it is likewise easy to lose sight of how a seemingly pricey countermeasure saves money. For example, passwords create a lot of small cuts. Weak passwords get compromised in phishing attacks or reused on other sites. You end up with isolated virus incidents. Create rules requiring complex, frequently changed passwords, and they get forgotten or written on Post-it notes. The admin team has to lock accounts, unlock them, reset them and investigate spot infections. The cost of each touch is not devastating, but again, over time, it adds up. Just as importantly, if someone compromises the “right” password, such as that of a user with access to HR data, you could have a major problem.
Multi-factor authentication (MFA), for example, is a solution to the password problem. MFA can also be expensive and difficult to roll out for large companies with lots of applications. It does, however, eliminate most email-related problems. And you might have MFA capabilities available for free in some of your software, such as Microsoft Authenticator in Office 365. Business software-as-a-service applications often require two-factor authentication for administrator and other highly privileged roles and enable it for all users. Training and enforcement are worth the money.
As you consider your security budget, factor in sources of your 1,000 cuts and how they can be mitigated. Ask your IT team about the annoying cybersecurity issues that constantly arise and drain their time. These small annoyances add up.
Ira Winkler, CISSP, is CISO for Skyline Technology Solutions and author of “You Can Stop Stupid.” By day, he performs espionage simulations and assists organizations in developing cost-effective security programs. Ira won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader.
Ira is also author of “Corporate Espionage,” the bestselling “Through the Eyes of the Enemy,” “Advanced Persistent Security,” “Spies Among Us” and “Zen and the Art of Information Security.” He writes for a variety of industry publications and has been a keynote speaker at most major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting, and director of technology of the National Computer Security Association. He was also on the graduate and undergraduate faculties of the Johns Hopkins University and the University of Maryland.