“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of the Sony announcement on this issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey, which found that 81% of respondents had experienced a data breach in the last 12 months.
Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockheed Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.
Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.
Well, if you have a website, you’re in a tough neighbourhood – called the Internet. And what’s the Internet equivalent of locking your doors? It’s patching vulnerabilities in your websites. And how do you do that? You commission a penetration test – straightforward, easy to do – and then you fix the security holes it identifies (what’s called remediation).
And how much does a penetration test cost? It does depend – but for the average website, it will cost marginally less than £2k – and is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 million.)