Cyberattacks: The new normal
While high-profile cyberattacks against governments, large banks and businesses have made headlines in recent months, small- and medium-size businesses are now also attractive targets of thieves. The frequency and sophistication of online attacks against business continues to increase. More attacks are surgically concise and invisible, ever changing and pervasive. They’re very hard to detect, and even when detected, they’re hard to contain.
The Deloitte 2012 Global Financial Services Industry Security Study points out that even as cybersecurity practices mature and advance, nearly 25 percent of business respondents indicated they experienced security breaches in the past 12 months. More than 50 percent of bank respondents consider security breaches involving third-party organizations as a high threat.
Not only can an information security breach cost your company money, in many industries such as financial, healthcare and education, breaches must be made public under state and federal compliance regulations. Consequences of cyber crime include customer notification and remediation costs, increased cybersecurity protection costs, lost revenues, possible litigation, impact on shareholder value, and damage to reputation.
Businesses of all sizes are at risk, but small and medium businesses in particular are low hanging fruit for digital thieves and the attacks are growing daily. To make it even easier for cyber thieves, the SMB user community will often click on any link, access any site, or install any application that suits them in disregard or ignorance of the very real dangers.
From a network security perspective, SMBs typically lack the time, expertise and money required to properly strengthen their defenses. In addition, a small business owner or CEO might say, “Why should I spend money on security? Why would hackers attack me? I’m just a small supply company with 40 PCs and one server.”
Traditionally, cybersecurity has been thought of as an IT issue and is most often included as part of operational risk management. The mistaken assumption that “the IT guys can handle the problem” leads to the dangerous situation where most employees don’t feel that they need to be responsible for the security of their own data. A corporation’s finance, human resources, sales, legal, and other departments all own critical data; and just one employee can inadvertently open a portal to attack.
Nonetheless, the tendency is to believe that the responsibility for securing data rests down the hall with the IT department. Too often, the IT manager must try to balance the risk against the resistance he or she meets from the reception desk all the way to the corner office.
This mindset needs to change.
The potential negative consequences of cyber attacks on a business are so significant that it is time for cybersecurity and information risk management to be elevated to its own INFOSEC category reporting to the Chief Executives.
Boards of directors, general counsels, chief information security officers, and chief risk officers need to understand and monitor their organization’s level of planning and preparedness to address cyber risks.
A recent study by Corporate Board Member/FTI Consulting Inc. found that one-third of the general counsel surveyed believe that their board is not effective at managing cyber risk. Only 42 percent of directors in that study said that their company has a formal, written crisis management plan for dealing with a cyber attack, and yet 77 percent of directors and general counsel believe that their company is prepared to detect a cyber breach, statistics that reveal a “disconnect between having written plans and the perception of preparedness.” Indeed, a 2012 governance survey by Carnegie Mellon CyLab concluded that “boards are not actively addressing cyber risk management.”
Only 25 percent of the study’s respondents (drawn from Forbes Global 2000 companies) review and approve top level policies on privacy and information technology risks on a regular basis, while 41 percent rarely or never do so. These figures indicate a need for boards to be more proactive when it comes to overseeing cybersecurity risk management.
The Internet Security Alliance (ISA) recommends the establishment of a Cybersecurity Operation Center to monitor traffic and data and actively respond to attempted intrusions and breaches. A cyber risk analysis should be an integral part of your risk management plan. If you are a smaller business who outsources security through an IT services firm, you should receive regular threat monitor reports for analysis as well as support of compliance requirements for cybersecurity.
Businesses with the lowest relative cybercrime costs tend to have a dynamic cybersecurity plan and utilize a network security system and event management tool, according to the Ponemon study. Businesses that employed security intelligence tools lowered their cybercrime costs by an average of $1.6 million per year, in part by being able to spot and respond to breaches more quickly.
The consequences of cyber crime can ripple through every department of every business with substantial and devastating effects. Every IT manager, regardless of business size, should be viewed as the director of cybersecurity risk management. A cross-functional approach should involve all departments in your company and increase the awareness of and responsibility for cybersecurity by every employee from the C-suite down.