For two decades most malware, and even hackers, didn't do anything especially harmful. They were more of a nuisance than a business threat. But now the landscape has changed. Most malware and malicious hackers are criminally motivated. Foreign hackers have likely stolen a substantial amount of the world's private intellectual property. Most people's identity and financial information has been stolen. Almost any network can be broken into at will. Most networks have already been actively broken into, and the intruder has full access to and control of them.
In the past few months, we've seen several companies lose hundreds of millions to potentially billions of dollars: Sony, RSA, and so on. Hackers (such as WikiLeaks) have released top secret information into the public domain, and malicious hackers are directly attacking their pursuers. The campaigns against companies are so devastating that I'm now calling them reputational-level attacks: One assault can ruin your company's good name, turning it from something respectable into a punch line. It has happened, and it will continue to happen. We are in a new computer security world now.
Senior management needs to understand that the old cost-benefit models no longer apply. The security paradigm has shifted. What IT has been worrying about all these years has come to pass.
What to do? Senior management should ask its IT security department to come up with a list of everything that needs to be improved or fixed. Rank the risks from top to bottom and get to work on fixing them now, starting with the biggest risks first. Put less stock in exotic, superadvanced solutions and concentrate on improving the basics: better end-user education, better patching, better software design, default encryption, along with least privilege everything.
We know what we need to do. We just need to start doing it better, and do it better now. The cost of not doing anything different is too high.
This story, "The cost of bad security is higher than you think," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.