Neither a company’s size, its location, nor its industry is a deterrent to cyber crime, which costs organizations an average of $5.5 million per data breach and can have an impact on the privacy of customers, employees, and business partners, experts say.
In the past, cyber-risk management was mostly about protecting intellectual property and trade secrets from competitors, says Mark Melodia, chair of the data security, privacy, and management practice at law firm Reed Smith. Now, because of changes in technology, it is easier for competitors, nation states, and the Mafia to infiltrate.
And there are regulators that companies must deal with on the state, federal, and global levels. “There is virtually no consistency across international borders,” Melodia says. Even within this country, 46 states have regulations governing privacy and other aspects of cyber risk. Currently there are four bills in Congress aimed at bringing uniformity to the states.
Melodia stresses that every business is affected by cyber-risk issues. “Even the corner bodega takes credit cards,” he says. It will have a computer, or important information may reside on the proprietor’s mobile device. He notes that businesses of all sizes are struggling to keep up with current best practices.
In spite of all the risks, “everybody pays attention only after the fact,” notes Melodia, whose job is to come in and clean up messes. Chief information security officers and CFOs “ought to go to lunch together, and invite the risk manager to come along and sit between them.”
CFOs need to make it clear that they are proactively dealing with cyber risk. Melodia cautions that shareholder suits against companies are on the rise, with both executives and board members blamed for failing to pay attention to potential risks or exercise reasonable care.
Recent research by Symantec Corp. and Ponemon Institute found that data breaches cost companies an average of $5.5 million per incident. Another recent Ponemon study found that the value of brand and reputation can decline 17% to 31% after a breach, and it may take an organization up to a year to recover its corporate image.
Challenges to cyber-risk management include widespread usage of communication technologies throughout an organization, the growing number of individual devices used, and the broad distribution of information. So explained Jody Westby, CEO of privacy and security consulting firm Global Cyber Risk, during a Tuesday webinar.
Westby noted that information is no longer always behind firewalls, but is “on phones, laptops, iPads, and other devices going everywhere with people.” To complicate things further, complex legal frameworks that govern privacy and security around the world impose compliance requirements on organizations. At issue, too, is the fact that Internet and technology risks are often spread across an organization, yet managing them is left to IT departments, which may treat them as mere technical matters rather than huge risks for the company.
To deal with these risks, Westby described a pyramid with risk management located at the top. Beneath that was an enterprise security strategy and plan. At the bottom of the pyramid, particularly at large organizations, were security plans for separate business units — systems, policies, procedures, and supporting system architecture.
“Many organizational structures are not suited to 21st century cyber issues and appropriate governance,” said Westby. “And many organizations are just not aware of how cyber crime is working today — how it is exploiting websites and social media, using them to get through to employees and get access to intellectual property and data.”