Why virtual network breaches cost more and how to mitigate the higher risk
Businesses pay twice as much to recover from a security breach on virtual infrastructure as from a breach on physical networks.
Does this mean companies should shut down their virtual networks? Even if that were possible, it’s not practical. But according to a recent survey, companies could mitigate some of the higher risk of virtual network breaches if their IT personnel possessed a better understanding of how to protect these networks and how to prepare for disruptive incidents.
A survey released recently by Kaspersky Lab, titled “Security of Virtual Infrastructure,” found that, on average, small and medium-sized businesses (SMBs) will spend roughly $73,000 on recovery costs of a security breach on a virtual network, compared with $34,000 when the breach occurs on non-virtualized infrastructure.
The discrepancy is similar when attacks occur in large enterprises, only the costs involved are much larger. The average cost to recover from an attack on physical networks is about $454,000, but more than double — $942,000 — when it happens on a virtual network.
The irony is that moving toward virtualization is designed to reduce IT expenses and streamline operations. That explains why, according to the survey, 62 percent of businesses use virtualization in some form, with the most popular platforms being VMware, Microsoft and Citrix. That percentage jumps to 77 percent for companies with 1,500 employees or more.
Yet despite the rapid deployment of virtual technology, only about half of respondents believe their organizations are fully prepared to deal with security risks in a virtual environment, and just over half feel they even understand the risks. This lack of understanding and preparedness causes much of the additional cost of recovery from data breaches, according to Kaspersky.
The survey demonstrates another example of how rapid adoption and deployment of new technology to meet growing business needs rarely takes security measures into account. While companies have established security and disaster recovery plans for physical networks, they tend to limit virtualization projects to the virtualization itself and ignore or postpone the other vital measures.
Training on proper use of virtual networks and security procedures should be as much of a priority as implementation. In their survey report, Kaspersky researchers concluded: “…businesses are excited to adopt virtual infrastructure. But the industry’s understanding of this technology, especially virtual-specific security issues, is far from perfect.”
About 42 percent of respondents believe virtual environments are safer than physical ones, when in fact the former bring unique risks. For example, there can be a window of vulnerability between the time a virtual machine is spun up and anti-virus software is updated.
Yet a whopping 73 percent are not using specialized IT security solutions for virtual networks, and 34 percent are not even aware that there’s a difference between security solutions for virtual and physical environments.
What’s perhaps most alarming is that despite the lack of understanding and preparedness regarding virtual networks, they are often used for a company’s most mission-critical, high-value processes. The following chart shows just how much companies rely on virtual infrastructure. The Kaspersky survey asked respondents if certain consequences would occur should hackers breach either their physical infrastructure or virtual networks.
In each hypothetical incident, more companies are impacted by a breach on a virtual network than on a physical one. This partially accounts for why the cost of recovery is so much higher; when the virtual network goes down, a large portion of operations can grind to a halt. This makes data breaches more than just an IT risk; they become a threat to the company’s overall business goals.
Another likely reason why virtual breaches are twice as costly, though not mentioned in the Kaspersky survey, is virtual machine (VM) sprawl, defined as the unchecked growth of a virtual environment. VM sprawl is caused by unplanned creation of VMs and rogue VMs that get lost in the daily operations. Sprawl is especially problematic in large organizations and it usually happens over time, making it difficult to recognize.
To address these problems, IT personnel should be trained to understand that virtualization can require different security solutions than traditional environments, and educated in what those solutions may entail. Companies also need to consider security and disaster recovery from the beginning of the virtualization process.