For the vast majority of global organizations, experiencing a cybersecurity breach is not a matter of if, but when. You don’t have to look far to find terrifying stats about unpreparedness; but in case you haven’t heard, judge for yourself:
- According to EY, 88% of survey respondents do not believe their information security measures address the needs of their organization.
- Deloitte reports that just 10% of CFOs feel sufficiently prepared to handle a cybersecurity crisis.
- Sixty percent of executives interviewed by McKinsey think that the sophistication of cyberattacks is likely to outpace the ability of institutions to defend themselves.*
- PWC states that cybercrime is particularly on the rise in Europe, where a 41% rise in incidents was reported from 2013 to 2015.
- The World Economic Forum rated cyberattacks among its top five risks in terms of likelihood.
Understanding the Business Impact
What does a cybersecurity breach really cost? The immediate consequences of large-scale data breaches (think: regulatory fines, PR costs, breach notification and protection costs, etc.) are well understood and quantifiable in their business impact. But aside from any and all financial losses, there are also the aftershocks to consider. According to the same PWC study, “the effects of a cyberattack can ripple for years, resulting in a wide range of ‘hidden’ costs—many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets.” Let’s take a look beneath the surface and consider a few different scenarios.

Case 1: You work for a large investment bank. Cyber criminals targeted the company email with malicious software that allowed them to capture confidential information of a handful of employees (i.e. bank account numbers, social security numbers, credit card numbers, and passwords). The attackers then used this employee data to remotely access the company’s IT systems and compromise its servers.

Impact: In spite of the fact that the hack targeted a small group of employees – and no known customers – the publicity the hack received severely damaged the company’s reputation, impairing its ability both to hold on to existing business and to bring in new business.

Case 2: You work for a multinational electronics firm. An executive of a competing company was able to steal intellectual property from your employer. As a former employee, the executive still had confidential information in his email account, which he was able to redirect to his new employer because your organization failed to deactivate his email account when he left.

Impact: The theft of intellectual property leads to a weakened market position due to a flood of counterfeit products. Because its products no longer stand out in the market, prices are driven down, your company faces a series of significant financial losses, and it no longer occupies a strategic position within the marketplace.

Case 3: You work for a large cable service provider. In violation of company policy, one of your colleagues stored sensitive information on over 40,000 customers on his laptop. This laptop was stolen by a common thief who was only after the physical laptop and not the data. Chances are, he never noticed the data was there.

Impact: Even though the laptop was not stolen for malicious reasons, and it is unlikely that the thief would find or recognize the value of the information stored on it, all affected parties had to be contacted and informed of the incident. This story is in turn picked up by the media, creating widespread reputation damage and distrust.
Starting the Journey
Cybersecurity falls under the greater whole of risk management, which is an ongoing, iterative process. The choice to add controls must strike a balance between productivity, cost, the effectiveness of the countermeasure, and the value of the information asset being protected. Because new threats and vulnerabilities are constantly emerging, the cybersecurity process must be repeated indefinitely. Is your organization prepared for the cybersecurity threats of the future? How do you handle your information security effectively?

* Notably, in the McKinsey study, no correlation was found between spending levels and risk-management decisions.