Day: December 4, 2012

Paying for Security, One Way or Another: the South Carolina Example

It wouldn’t make sense for a business with a tight budget to splurge on top-of-the-line firewalls, antivirus, or intrusion detection systems. Overlooking the ultimate costs of a poorly protected infrastructure would be just as senseless, however. When selecting security measures, companies have to be careful to give equal weight to both short-term expenses and long-term risks. Unfortunately, organizations, despite their best efforts, continually underestimate the costs of a low-quality data protection system.

Take the example of the South Carolina Department of Revenue. It would have cost them $5 million to encrypt all of their data; about $200,000 to hire a computer security chief and a comprehensive review of the department’s data protection systems would have been worth about the same. A two-factor authentication system would have put them back $25,000. The South Carolina Division of State Information Technology could have provided them with an intrusion detection system for free. With the exception of the free option, most people would find their reluctance to invest in data security during an economic downturn understandable.

In August 2012, however, a hacker stole the username and password of a Department of Revenue’s employee through a malware-containing email. The cybercriminal gained entry to the department’s computing systems, which did not have a two-factor authentication system, which would have prevented the unauthorized access. The hacker used the employee’s account to install additional malware, obtain more usernames and passwords, and peruse the department’s infrastructure. An intrusion detection system would have alerted system administrators to the unauthorized user’s suspicious behavior before anything valuable had been stolen. But the hacker continued to work undetected for about a week before gaining access to the department’s payment processing server. A week later, the cybercriminal transferred 8.2 GB of compressed data (74.7 GB uncompressed) to an external dump site, again without detection. The department’s aversion to a $5 million encryption process meant that most of the data the hacker had stolen was completely unencrypted. The Department of Revenue finally learned about the data breach a month later—and only after being notified by a separate government agency.

With the benefit of hindsight, the costs of data security measures no longer seem unreasonable. A free intrusion detection system may have stopped the hacker before any damage could be done. Furthermore, a $25,000 two-factor authentication system would have prevented this kind of attack, and a $5 million encryption system would have removed the possibility of data loss altogether. Instead, the South Carolina Department of Revenue has been forced to reckon with:

-Loss of 3.8 million tax returns (including Social Security numbers), 699,900 business tax returns, and 3.3 million bank accounts data

-Having to pay taxpayers $12 million for a free year of credit monitoring

-Also having to pay an additional $2 million for the immediate response to the breach (involving IT security experts, lawyers, and public relations firms)

-The resignation of the Department of Revenue Director Jim Etter

-A class-action lawsuit could cost the state government up to $3.7 billion

In addition, to prevent another data breach from occurring the Department of Revenue has also been forced to pay $5,025,000 for the encryption process and a two-factor authentication system that it originally chose not to implement. These costs pale in comparison to what would happen if a private sector organization experienced such a breach, however.

South Carolina’s Department of Revenue has very little in common with the average business: not only does it have no competition, but “customers” that fail to send it their tax returns and bank info get hauled off to jail. With a data breach involving a private sector organization, however, customers could withhold their business or switch to a competitor to punish the company for failing to protect their information, costing businesses hefty chunks of revenue.

The South Carolina incident demonstrates how the long-term benefits of security measures outweigh their immediate costs. IronOrbit, on the other hand, goes to show that businesses can obtain an IT infrastructure with great performance, reliability, and security, without paying anywhere near $5 million. IronOrbit, an all-in-one cloud-based infrastructure, has a patented data defense system called Orbital Security that protects data at all levels: at the data center, in transit, in storage, and in use. Its security measures include firewalls, patch management, antivirus, content filters, data encryption, and intrusion prevention and detection systems. Sign up now for IronOrbit’s high-performing, totally-secure IT infrastructure.