7 cyber crime facts executives need to know

12.01.2011

The survey revealed that malicious insider attacks can take up to 42 days or more to resolve. These costs demonstrate that quick resolution is needed for today's sophisticated attacks. The study did not cover it, but you also need to consider the exorbitant cost of reputation damage (a.k.a. headline risk). For instance, in addition to the court and financial sanctions, what would happen to your organization's brand if it were caught in violation of heightened PII protection laws like those in California, Massachusetts, or the EU?

The report states that, on an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 22 percent of external costs. It also follows that the bigger a company grows, the bigger its potential exposure. Tangential to these costs are the expense and reputation damage from the "second disaster" of negative press and lost customer/shareholder confidence. This is where a solid, pre-planned crisis communication program can help save the day, literally.

Detection of and recovery from incidents/breaches are the most costly internal activities. That also means that these are likely the most neglected areas of investment because of these higher costs. Here is a quick reality check. If there is little or no committed funding (not just a budget category pretext) and little or no top executive time dedicated to Risk Management, then all you have is another lip service program. Good luck with that WHEN things hit the fan! We're beginning to hear of another gambit that some companies use to skirt the requirement to accept their responsibility of due care. Some companies are "budgeting" for ERM and/or InfoSec, but never actually committing the money. Alternatively, companies claim they are continuing to research newer technologies, not for weeks or months, but for years! Some regulators and insurance companies are taking notice, even pursuing fraud charges or denying claims based on contributory negligence of the insured.