The point that the Institute is seemingly trying to make with their representative study is that , especially as it relates to IT, needs to ramp up; companies are getting lax again/still and re-assuming an attitude of "it" (i.e.: bad things) won't happen to them. The 23-page Ponemon Institute report is available online at their but, here is a high-level, seven-point summary and my input of how the information may relate to your company's situation.
The study reports that the average for response costs for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents, were generally less than 1/3 the cost. In other words, and rather obviously -- pre-planning and mitigation is a heck of a lot cheaper, in most cases, than merely reacting with an ad hoc response after an incident/breach.
Even more importantly, the appointment of a single top executive responsible for enterprise risk management, a la a , or better still, a is a critical factor for success. Often autonomously reporting straight to the board of directors and with a true enterprise-wide view, not just technology centric, this executive can appropriately ensure that risk management is "baked in" at the start of projects and programs, rather than merely "bolted on" haphazardly as an afterthought. Also, merely relegating IT security and risk management to some "underling" as one facet of a job in some other line department is a quick recipe for big trouble.
Additionally, the creation and rollout of an ERM strategy and adherence to a voluntary governance/certification framework (such as / , etc.) appear to both, substantially lessen the chance of occurrence and the total cost of a dealing with a cyber crime incident.
Why you ask? Many companies seem to have a cavalier or complacent attitude, at least unofficially, something akin to, "Our security is already good enough;" "We are already better than the competition;" "Those requirements don't pertain to us" etc. These hardening of the attitudes are dead wrong on several counts!
What about your company? Also, know that compliant (with whatever standard or regulation) does not necessarily mean secure! IT Risk Management (InfoSec, BC / DR, Compliance, Governance), like ERM, is a continuous improvement program, not merely an "achieve it once and forget it" project. Then there is the mixed blessing of social networking, the newest avenue for potential business growth and nefarious conduct. Some analysts estimate that 30 percent of corporate bandwidth is consumed by .
Some proponents argue that social networks such as function as agents of business outreach. Some IT vendor support is now delivered by social media sites. In addition, public relations and marketing teams are finding value in social networking to deliver promotions. YouTube is becoming a more mainstream platform for companies' public relations efforts.
While all that may be true however, social media may also provide the gateway for viruses and malware, productivity distraction, and employees may end up discussing sensitive or proprietary information without appropriate authorization. Furthermore, the competition and debt collectors also now use these sources to check up on companies' employees.
How many public web-facing web sites does your company use or host? What about your interfaces to the cloud? Have any of these sites been checked via a serious penetration test or for OWASP coding compliance? Generally accepted better practices state we should be doing quarterly OWASP scans and biannual penetration testing. How robust is your change management process? Also, have you considered -- Quis custodiet ipsos custodes? It is Latin for, "who will guard the guards." Will it be internal auditing and logging for privileged access accounts? Mitigation of such potential vulnerabilities requires implementing technologies such as SIEM, DLP, HIPS, (among others) in concert within enterprise level threat and risk management strategy.
According to this benchmark study sample, cyber attacks can become even more costly if not resolved quickly. The report shows that the average number of days to resolve a cyber attack was 14 days with an average cost to the organization of $17,696 per day! How would that kind of dollar loss impact your company's bottom line?
The survey revealed that malicious insider attacks can take up to 42 days or more to resolve. These costs demonstrate that quick resolution is needed for today's sophisticated attacks. The study did not cover, but you do need to consider the exorbitant costs of reputation damage (a.k.a. headline risk). For instance, in addition to the court and financial sanctions, what would happen to your organizations brand if it were caught in violation of heightened PII protection laws like those in California, Massachusetts, or the EU?
The report cites that on an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity accounts for 22 percent of external costs. It also follows then, that the bigger a company grows, the bigger their potential exposure is as well. Tangential to these costs, is expense and reputation damage from the "second disaster" of negative press and lost customer/shareholder confidence. This is where a solid, pre-planned crisis communication program can help save the day, literally.
Detection of and recovery from incidents/breaches are the most costly internal activities. That also means that these investments are likely the most neglected areas due to these higher costs. Here is a quick reality check. If there is no/very little committed funding (not just a budget category pretext) and no/little top executive time dedicated to Risk Management, then all you have is another lip service program. Good luck with that WHEN things hit the fan! Were beginning to hear of another gambit that some companies use to skirt the requirement to accept their responsibility of due care. Some companies are "budgeting" for ERM and/or InfoSec, but never actually committing the money. Or alternately, the companies claim they are continuing to research newer technologies, not for weeks or months - but for years! Some regulators and insurance companies are taking notice, even pursuing fraud charges or denying claims based on contributory negligence of the insured.
This report indicates that the average annualized cost of cyber crime appears to vary by industry segment, where defense, energy and financial services companies experience higher costs than organizations in retail, services and education. Nonetheless, all verticals are being adversely impacted and on an increasing frequency.
Over the last 5 years, an increasing amount of business disaster declarations are not the result of Acts of God. Rather, they are the result of companies' intentional embrace (passive or not) of risk they obviously should not have accepted. Insurance companies are noticing. They are increasingly seeking further proof of due care and due diligence prior to issuing policies and before paying claims. The government is taking notice too!
There is some active discussion that the Federal government may soon further weigh in on private sector risk management, especially as it relates to IT. The premise here is that IT is now widely considered as part of the mission critical infrastructure of the modern interconnected economy and voluntary adherence by non-governmental entities to generally accepted risk management practices is woefully insufficient. Actively being discussed as potential new "due care" MINIMUM standard for all business (of certain size/revenue volumes) are more rigorous security frameworks, like PCI-DSS.
So, the next time your company makes budgetary considerations, perhaps you ought to at least encourage your IT departments to think about ear marking some additional funds for -- at a minimum, a thorough enterprise-wide security assessment. For relatively little expense, existing personnel can be trained and even certified on how to do thorough assessments. There is a caveat however. Frequently, existing, internal staff is somewhat jaded and less objective than unbiased, independent third parties.
Ideally, a company should do regular internal assessments with a mind to collect and analyze the results within the organization. The next step then is to retain a qualified outside entity to do another assessment of similar scope to ensure an accurate picture. The outside entity can also offer independent expertise on prioritization for risk management and IT security investment. This way, your organization will know more accurately where you are and how you need to invest to ensure that your company does not imprudently risk making the wrong kinds of headlines and/or potentially adding to the nation's vulnerabilities.
Jon Murphy is a nationally regarded technology, homeland security, risk management professional, author and speaker