The average security breach costs between $3 million and $5 million. That's the alarming word from a new report on the importance of cybersecurity to enterprise IT from BDNA, a Mountain View, Calif.-based IT data intelligence provider.

The findings are part of a quarterly State of the Enterprise report that covers issues affecting enterprise IT, including security and asset management.

In addition to the costs of a security breach, the report makes a number of other bold and unsettling observations.

In fact, it notes that any organization with data almost surely has hackers sniffing around the premises as well.

A Big Appetite

Cybercrime has changed. In the past, it focused on disrupting services or stealing intellectual property. Now it's almost always about stealing data. This change has had a profound impact on companies.

Now any firm, large or small, public or privately held, is a potential target of hackers. Why? Because "illicit black markets, the so-called 'dark 'nets,' exist for every type of data imaginable." As BDNA noted, "if it can be collected, someone has likely determined a malicious way to obtain it and use it."

For this reason, companies worldwide are spending big bucks on information security. How much? Close to $71.1 billion in 2014, an increase of 7.9 percent over 2013, according to Gartner.

With no sign that the volume of malware will decline or the need for security spending will diminish, companies need to shore up their defenses.

BDNA suggests taking what it calls a foundational approach to security.

"Many cyberattacks – including 2014’s epic ‘Bash’ and ‘Heartbleed’ – exploit security holes in out-of-date software that is no longer supported by its manufacturer," it noted.

It advises organizations to address such issues on an automated, enterprise-wide basis.

Catch Problems

Automated, continually updated asset data will ensure that software nearing its end-of-life date is reliably tracked, it noted. In addition, it can be appropriately flagged, "giving enterprises ample time to migrate to new software before becoming vulnerable," the report stated.

It cited the example of a client who was infected when Bash began to infiltrate companies in late 2014. The client, a Fortune-50 firm, used an automated discovery tool to identify within minutes all 24,000 installs of Bash.

"Nobody knows where the next security vulnerability will arise, but what’s crucial for any organization is having the information – knowing the contents of the enterprise inside and out – and being able to leverage that data quickly and effectively, when it counts and before damage is done," said Walker White, president of BDNA.

Theory vs. Reality

This may be easier said than implemented. Larger companies, for instance, still tend to have IT and data silos, no matter how much effort has been put into integration over the years.

But even if those silos remain, a common IT language and an automated asset management system can help. They can provide a foundation of transparency that helps the company when it has to manage unexpected events such as data breaches.

"The average security breach costs between $3 million and $5 million, but putting foundational IT solutions in place is a key step toward insuring against not only the financial risk of an attack, but the incalculable damage one can do to an organization," White said.

According to BDNA’s report, before an enterprise’s potential threats can be assessed, it must:

  • Understand that the nature of cyber threats themselves is evolving
  • Get out in front of threats before they become an issue
  • Implement an enterprise-wide common IT language enriched with asset data
  • Have clean data that provides insight into the system’s contents and architecture
  • Fight against the tendency to work in silos