Is Your Company Prepared for a Cyberattack?
Recent Data Breaches Should Serve as a Wake-up Call for Businesses
By LARRY SNYDER, Ph.D.
All organizations, regardless of industry or size, are subject to cybersecurity risks. So if you have a business and you don’t have a cybersecurity plan or cybersecurity business unit, as the famous line from a popular movie states, you should “be afraid … be very afraid.”
Security breaches have an enormous impact on organizations. They can result in loss of investments, legal costs, and an erosion of consumer and investor confidence. One needs to look no further than the recent Target breach to understand how publicized breaches negatively impact the reputation of an organization.
According to IBM’s “2012 Mid-year Trend and Risk Report,” companies are attacked an average of 2 million times a week. The report also indicates a 38% increase in reported incidences of loss, theft, and exposure of personally identifiable information as compared to the previous year. Keep in mind, this report was issued prior to the third-quarter breaches of retail organizations that resulted in the compromise of more than 100 million records.
Risk Based Security released a report in February 2014 indicating that more than 822 million records were exposed during data breaches in 2013, nearly double the previous high-water mark. That equates to 2.2 million records per day, or 1,560 per minute.
Regulations such as Mass. Gen. Laws § 93H-1 et seq. and 201 CMR 17.00 increased administrative responsibilities for understanding and managing cybersecurity risks within organizations.
To build the business case that it is imperative for industries to address cybersecurity concerns, we must first quantify the threat. While the data on security breaches continues to be a bit murky, as there is really no incentive for organizations to fully disclose when and what they have lost, the available data provides a somber view.
The “2013 Cost of Data Breach Study: Global Analysis” released by the Ponemon Institute reveals that, globally, the average cost of a data breach has increased from $130 per record to $136. In the same report, the U.S. is cited as having an average cost of $188 per record. For context, this means the Target breach cost approximately $20.68 million.
The Computer Security Institute and the FBI conduct an annual survey of computer crime and security. The majority of respondents are organizations with annual revenue over $10 million that allocate some portion of their overall IT budget toward information security. As alarming as the number of reported breach incidents is, what is perhaps more worrisome is the number of organizations that could not determine if they had experienced a data breach. According to the CSI/FBI survey, 9.1% of those surveyed indicated that they did not know if their organization had experienced a security incident in the previous year.
The reaction to recent breaches has led the public and investors to call on industries to develop a more proactive approach to cybersecurity risks. Effective governance principles demand that an organization’s leadership re-evaluate the role cybersecurity has within their organization. No longer can security be viewed as an expense that is implemented as an afterthought or a reactive exercise under the category of ‘the cost of doing business.’ The integration of technology into every aspect of an organization’s daily operation has made cybersecurity controls essential for continued success. In essence, cybersecurity has moved from an expense to a stand-alone business unit. While these units will not produce direct profit for an organization, they add revenue indirectly.
Organizations that effectively protect their proprietary data, including customer information, and can effectively respond to security breaches send a clear message to the public, investors, and regulatory agencies about their attitude toward security, and reap the rewards through increased consumer engagement.
Every level of an industry, including management, staff, vendors, and suppliers, has the responsibility of addressing and responding to cybersecurity risks. As a business unit, cybersecurity personnel are responsible not only for identifying risks, but also for implementing controls for early detection, investigating and mitigating cyberthreats, and taking corrective action to prevent further exploitation.
To accomplish this, cybersecurity departments must address the following essential elements:
• Improve threat detection through the implementation of risk intelligence and forecasting;
• Conduct security data-management analytics;
• Employ organizational risk consultants;
• Develop secure control design and implementation that aligns with business needs; and
• Implement organizational change through information-security awareness and training programs.
The data breaches of 2013 must serve as a wake-up call for business owners, managers, and cybersecurity professionals. If your organization cannot determine whether it has experienced a data breach, if you do not have an effective cybersecurity risk-management program, or if you have not positioned the cybersecurity function in your organization as an essential business unit, you are putting your organization at risk … a risk from which it may not recover.
Larry Snyder, Ph.D. is director of the new MS in Cybersecurity Management program at Bay Path College. He has nearly two decades of experience in law enforcement, fraud detection, and auditing, working in this capacity for the U.S. Army and in a variety of industries. He is a pioneer in the field of cybersecurity management education and, prior to joining Bay Path, worked with the State University of New York’s Herkimer County Community College in obtaining national certification for its Cybersecurity program from the Committee on National Security Systems; (413) 565-1294.