The Cost of Doing Nothing
In security, some may refute that there is “no savings to worry about” if no investment has been made to begin with, arguing that they’ve been “just fine so far”. In this blog, we will argue there is a cost in doing nothing.
If we were to put a simple dollar amount to it, the cost of a security incident could be upwards of $4 million. A 2019 Ponemon study revealed that the cost of a data breach is $4.88 million dollars.
However there’s more to cost than just a number. In recent years, there has been a global imperative for organizations to take better care of protecting customers — whether it’s their data or their safety. GDPR is a prominent example. Standards aside, the world is also becoming increasingly aware of vendor negligence when it comes to security. Customers are demanding more out of their vendors. From digital ransoms in the healthcare industry to defective software on airplanes, there are several high-profile security incidents today where the largest cost wasn’t only from the checkbook.
- Lost customers. In September 2017, Equifax faced a data breach. Nefarious actors stole customer data, including names, social security numbers, birthdates, and home addresses. Equity research firm, Baird, estimated that at least 143 million customers are affected. The breach was made possible due to a zero-day vulnerability in a popular open source server framework, Apache Struts. In a May 2019 financial earnings call, Equifax disclosed that the cybersecurity incident cost the organization $1.4 billion in incident response and an overhaul of their technology and data security program. This estimate does not include legal costs. Equifax’s Buzz Score — an indication of how negative or positive people feel about a brand — fell 33 points in the first 10 days after the hack was publicized.
- Damaged reputation. During 2013’s peak holiday shopping months, popular retailer Target was breached — 40 million customer credit card accounts, and up to 110 million sets of personal information such as email addresses and phone numbers were stolen. Target is still reeling from the aftermath of its breach. The breach was made possible through stolen third-party HVAC credentials, allowing unauthorized access across the Target network, including their POS systems. Thus far, the breach has cost the retailer $61 million. In 2013, Target had a Buzz Score of 20.7. The year following the data breach, Target’s Buzz Score dropped to a shocking 9.4. The retailer has spent the last 5 years recovering its image. While they’ve managed to win back the trust of their loyal customer base, their Buzz Score in 2018 clocked in at 17.3 — 3.4 less than before its breach.
- Threatened public safety. In July 2015, two renowned security researchers Charlie Miller and Chris Valasek demonstrated in a video the remote hacking of a then newly-released Jeep Chrysler. Miller and Valasek used the OBD-II connector to leverage a zero-day exploit and allow access to the car’s CAN bus. Initially, the hack was received with amusement and humor, with the windshield wipers violently and unexpectedly swishing back and forth. It was entertainment for both the viewers and the driver, until the transmission and brakes were disabled, the vehicle coasting to a stop in a ditch alongside a St Louis, Missouri, highway at rush hour. Consumers grew concerned over their safety. Since the hack demonstration, 1.4 million Jeep Chryslers have been recalled and fixed to ensure the safety of Fiat Chrysler passengers. The demonstration was a cornerstone for cybersecurity. Adequate cybersecurity measures in automobiles grew to become a market-driven demand.
Fuzz testing helps organizations effectively mitigate software security risks economically. Depending on your organizational goals, you may find that one fuzzer is able to deliver more value to your organization. Organizations are encouraged to leverage this framework to understand the overall value they may extract from their fuzzer of choice before purchase.
Want to learn more? Download the Fuzz Testing ROI Framework white paper.