Should your business holiday season preparations include a pentest?

by Security Centric, on 10/09/2020 11:17:42 AM

For many businesses that transact online, the holiday season brings increased consumer spending; for some it is the peak earning point of the year. Unfortunately, the increase in online transactions brings a corresponding increase in risk, as malicious actors do their very best to get a piece of the action.

Businesses with online payment platforms are heavily targeted during the holiday season: criminals know that a compromise at this time has the biggest impact on revenue, and that organisations under pressure to get back up and running as quickly as possible are more likely to pay the biggest ransom.

eCommerce applications are more complex than they may appear at first glance. At a minimum they include a back-end content management system that lets administrators add, edit or delete products, pricing, offers, shipping rates and so on, and the eCommerce system is usually also integrated via APIs with resellers, content providers, partners, marketing technology and more. Every administrative function and every integration is additional attack surface, so this complexity leads to information security vulnerabilities that need to be assessed by certified specialists to help prevent data breaches.

Preventing breaches matters because of both the obvious short-term monetary risk and the long-term reputational risk. But is a penetration test a worthwhile investment for your business? Breach costs are often reported in the tens, if not hundreds, of millions of dollars per breach, but those figures are not realistic for most small-to-medium enterprises.

To better understand the impact on your business, let's look at how you would calculate the cost of a data breach. To arrive at a number, you need to consider the impact on the business across the following areas:

Business downtime if systems are compromised

Downtime can result from various attacks, but ransomware is particularly effective at causing it and has been very prevalent this year. According to the OAIC, breaches involving ransomware are up almost 250%.

No doubt you've seen the headlines involving the likes of Toll Group, Garmin, CWT, Canon, Regis Aged Care and Brown-Forman, just to name a few. In many cases the businesses were down for a week or more, and some paid multi-million dollar ransoms just to get back up and running sooner.

Ignoring the ransom itself, what would a week of downtime cost your business in lost revenue during the busy period?

Loss of goodwill and reputational damage

According to Bitdefender, 43% of Australians will hesitate to do business with a breached entity for several months, and the same proportion (43%) will never return. This is quite different from the US, for example, where 83% of consumers say they will stop spending at a business for several months immediately after a security breach, and 21% will never return to that business.

Cost of forensic investigation and remediation activities

After a breach you need to confirm that the attacker is not still dwelling in your environment and has not left a backdoor, which requires a forensic investigation. In our experience providing these services to clients, this typically costs tens of thousands of dollars, or more depending on the state of the environment and the scale of the attack. Remediating the environment to help prevent a repeat of this type of attack incurs a similar cost.

Legal costs from potential lawsuits

While legal cases are not yet as extreme in Australia as in other parts of the world, precedent is now being set for regulators taking companies to court over failure to manage and respond to data breaches effectively: ASIC has taken RI Advice Group to court over cyber security failings that led to its systems being compromised by ransomware on multiple occasions.

Can you afford to deal with those potential impacts during the holiday season?

A penetration test is considerably cheaper than a breach. Most eCommerce businesses leave scheduling their penetration test until the last moment before the holiday period, which often makes it difficult to secure security services because of high demand. To get the maximum possible risk reduction, book your tests early enough that findings can be fixed and retested before the holiday season.

Some businesses may also want to combine their penetration test booking with their compliance or risk assessment requirements, to further reduce risk and save on service costs before the busy season.

Want to know more about how a penetration test can keep your business secure? Contact Us to book a no-obligation chat with a Security Centric business security advisor.
