By Geoff Hancock
It has been announced ad nauseam over the past few years the impact of a cybersecurity breach to executives and how executives need to take a more active role in managing cyber risk. When you look at the cost of a breach in 2017, you will find a broad set of estimates. According to a Ponemon Institute report, in 2017 it was estimated the cost per breach at $3.6 million (globally), and in the U.S. over $7 million per breach.
Consider the top five most significant expenses that a business has to manage after a breach.
In 2017 the Ponemon Institute reported it takes more than six months for an organization to find out they have had an intrusion and another 55 days to contain it. Remediation does not necessarily mean the attack has been completely stopped, either, as some attacks remain dormant and undetected.
Loss of customers
Once a customer experiences the impact of a data breach, the likelihood of continuing to buy goods or services from that company stops or drops off significantly. Once a customers’ trust is lost, it takes some time to recover, if at all, as was witnessed with the Target breach and the more recent Equifax breach.
[Cyberhub Summit is Coming back to Atlanta, Ga | October 9-10, 2018 - Cyber Security education for executives and business owners, Exclusive Dinner and Powerful Networking. | Get the latest from Cyberhub Summit by signing up for their newsletters. ]
Business disruption can account as much as 40% of external costs. This includes costs that impact business process failures and loss of employee productivity. If a business gets disrupted during holidays or other busy season, the disruption could affect more than half of the annual revenue.
Companies today store and use a variety of customer data. Different types of information are subject to various standards and requirements. Violations of these can draw fines from the FCC, HHS, FTC and other regulatory agencies.
A breach causes harm to an organization's brand and reputation, including its relationships with its partners and vendors, contact with the media, and diminished goodwill. Usually, a public relations call center will need to be established to keep the media, victims, stakeholders, and employees informed of the aftermath.
The average cost for a stolen document containing confidential and sensitive information in 2017 was $141 per record according to the Ponemon Institue. On average over 7 million records are stolen per breach.
Direct financial or intellectual property loss
When attackers are on your network, they can conduct wire fraud or simply adjust what you have on your balance sheet. Or they could merely steal your IP and sell it on the black market or through international marketplaces.
Hackers’ motives—Why you?
The motives of hackers (be they individuals or nation states) can vary widely. Some target your financial information; others want to steal your intellectual property. Still others want to leverage your supply chain, gather information on executives’ behaviors, or gain data regarding corporate Merges and Acquisitions. The challenge for executives is both technical and human. The solution involves making sure you know what the most critical data is in your organization, how it's secured, and who has access.
What areas are most vulnerable?
Determining the high-risk areas in your business helps the executive team understand how the ebbs and flows of the company can increase or decrease cybersecurity risk.
When a new vendor joins your supply chain, will they have access to business systems? Do their business processes operate with a high level of security awareness? Do they manage their technology in the most efficient and secure way possible? What about customer-facing product or marketing programs? Do they expose the organization or the customer to unnecessary risk?
Having a prioritized list of business functions and dependencies will help everyone identify areas of vulnerability and what everyone can do to protect it. From human resources to legal to logistics, everyone has a part to play when identifying areas of the company that is at highest risk.
Compliance vs. operational security
PCI-DSS, HIPAA, COBIT and other standards (total of 21 globally) are essential. They set a standard of care for certain types of data to which your organization has access. However, this only gives a snapshot view of how the data is secured.
Operational security is the day-to-day actions of your business interacting with technology. When an IT system patch is published, does your team get it done within 24 hours? Do your employees know how to avoid phishing emails? Do they have—and change—padded passwords?
These are just a few of the examples of tasks and behaviors that go on inside your company that will never be impacted by a compliance mechanism. However, these are the areas of most significant vulnerability. How your company uses this information, how your IT systems are managed, and how your employees are trained to interact with this data is critical.
We recommend the following questions for CEOs and Boards:
Protection of key information assets
- Do we know what our most important data is?
- How is that data protected?
- Who has access and why?
- Do we have an Incident Repose and Crisis Management Plan?
- Do we practice that plan regularly?
- Do we have an understanding of how the company’s reputation, share price, image, etc. would be impacted if we were breached?
Who would want our information?
- Do we have a corporate threat model in place that outlines the why and how an attacker would come after our company?
- Are we getting updates on key bad actors and breaches across our industry or from our suppliers?
Do we have a proactive plan to manage Enterprise Cyber Risk?
- Do we have a written security policy in place for all employees?
- Does our technical team have a prescriptive and audited process for keeping our systems up to date and secure?
- Do we have adequate and regular security awareness training for all staff, and specialized training for staff who have specific responsibilities regarding our most critical data?