Leaders and directors of organizations are now inundated with grim statistics about cyber security risks and the consequences of not acting to protect their organizations. Therefore, why are cyber security investment decisions stalled in many organizations? In order to lead change in this area, the top people in organizations need to talk the talk, obtain a “plain language” understanding of the risks and issues, while asking good questions to start the process. In this Commentary, we focus on what needs to be done at a high level to set direction in preparation for making critical investment decisions.
What are the grim statistics?
Two of the most recent high profile security breaches, occurring at Target and Home Depot, highlight what may lie ahead for those who don’t prioritize a security strategy, including having proper insurance. In addition to a plunged share price, reputational damage and resignations of the CIO and CEO, Target has spent more than $148MM to recover, while Home Depot estimates costs at $62MM after insurance recoveries of $27MM. In their Toronto presentation dated November 25, 2014, Richter Advisory Group Inc. advises that Canada is not immune, with “36% of Canadian businesses have been hit by a breach”. Canadian high profile companies recently affected include Bell Canada, Rogers, Canada Revenue Agency, Medicentre, and Directors Guild. According to the “2014 Cost of Data Breach Study-United States” published by the Ponemon Institute (sponsored by IBM) the approximate average cost of a breach is now $5.9 million, and the probability of having a breach with 10,000 records minimum is 22%. Malicious or criminal attacks now comprise 44% of data breaches, compared with 31% for negligence and 25% for system glitches.1 The study defines that the cost of lost business increased from $3.03 million to $3.2 million. These costs include abnormal turnover of customers, increased customer acquisition activities, and reputation losses and diminished goodwill. Ponemon found that brand and reputation declined between 31% and 17% and it takes more than a year for an organization to recover its image. In their 2013 report entitled “Understanding the Economics of IT Risk and Reputation”, Ponemon indicates that the financial cost of a breach is comprised as follows: 30%-Reputation and Brand Damage; 20%- Lost Productivity; 19%- Lost Revenue; 12%- Forensics; 10%- Technical Support; and 9%- Compliance and Regulatory.2
First Step: Create awareness within the entire executive team, and the board
In Canada, the Canadian Securities Administrators issued notice 11-326 in September 2013 warning companies about cybercrime, and advised them to “take the appropriate protective and security hygiene measures necessary to safeguard themselves”. According to “Listed Magazine” (Article entitled “Cyber Risk Takes Centre Stage”-fall 2014), the first step is acknowledgement that cybersecurity risk needs to be managed on an enterprise basis and not simply through the IT lens.3 Mike Strople, President of Allstream and who sits on the board of the Liquor Control Board of Ontario warns boards “not to be complacent when it comes to cybersecurity risk”. For example, he says, “Firewalls can give a false sense of security. A firewall is not a big stone concrete wall, it has all sorts of holes punched in; it is only if you get all the holes lined up the right way that it does what it is supposed to do. He warns: “If the CIO or whoever advises the board says it’s a green check mark or a red X, it doesn’t come in those flavours. It is much more shades of grey.”
In its article, Listed Magazine posts “Cyber risk oversight 101”- a listing of questions to start the process of understanding the risks. “Situational Awareness” questions include: What are the company’s cybersecurity risks and how is the company managing these risks? How will we know if we’ve been hacked or breached and what makes certain we will find out? Have we had a penetration test or external assessment? What were the key findings and how are we addressing them? What is our maturity level? “Corporate strategy and operations” questions include: What are leading practices for cybersecurity and where do our practices differ? Where do management and our IT team disagree on cybersecurity? Do we have an enterprise-wide, independently budgeted cyber risk management team? Is the budget adequate? “Incident response” questions include”: How will managers respond to a cyber-attack? Is there a valid corporate incident response plan? Under what circumstances will law enforcement and other relevant government entities be notified? What constitutes a material cybersecurity breach and will those events be disclosed to investors?
Another key question is: do we have corporate insurance to cover loss which may occur?
Education, assessment and investment decisions
A starting point is to ensure that the organization’s top people become educated on the issues relating to cyber security, but this does not mean becoming an IT expert. Instead, gain an understanding of the core organizational processes to be protected, and be able to talk-the-talk by reading about the subject, attending seminars, etc.
A critical next step is to scope out the impact and likelihood of a breach, and determine the existing controls in place to control a breach. Consider a risk assessment or similar process, as part of the organizations enterprise risk management process. Some organizations are looking to “risk frameworks” such as ISO 27000. Many organizations have significant exposure to loss, and cyber risks may warrant close monitoring, benchmarking and regular reporting at management and board meetings. According to the need, consider appointing a Chief Information Security Officer (CISO) to coordinate the process.
But prescribing action steps and investment decisions requires buy-in and direction from a high level within the organization. AFCEA International is a non-profit organization serving its members on cybersecurity and other similar matters, and its constituents oversee and comprise defense, homeland security and intelligence communities. AFCEA explores many cyber related considerations in its two recent papers: “The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment” and “The Economics of Cybersecurity Part II: Extending the Cybersecurity Framework”.4 AFCEA has established a simple model involving three principles to focus investment decision making in this area. The diagram at the top of this article presents these principals conceptually:
Investment Principle #1: Implementation of a comprehensive baseline of security controls that address threats that are of low to moderate sophistication is economically beneficial. The economic benefit typically extends beyond security. Descriptions of baseline controls sometimes refer to them as “implementing sound management practices”. The prescribed controls focus on ensuring that sound information technology management disciplines are enforced.
Investment Principle #2: Focus security investment beyond the baseline controls to counter more sophisticated attacks against the functions and data that are most critical to an organization. It will be impractical to devise solutions to protect every function within the organization, but the mission critical functions must be protected. In many organizations, security controls are applied equally against all data and functions. While IT organization leaders acknowledge that they should put priority on protecting the more critical functions and data, often no clear direction is given to these leaders regarding what the actual mission critical systems to be protected actually are.
Investment Principle #3: For sophisticated attacks, an organization should accept the security risk of not protecting functions and data that are of lowest impact to the organization’s mission and where cost exceeds benefits. Investments to address more sophisticated threats can be quite costly and not economically justifiable for low impact information and systems. Delineation of priority functions versus non-priority functions is important.
Call to action for executives and directors ….
- talk-the-talk by reading about the subject, attend seminars, become informed
- Ask informed questions to start the process of understanding the risks
- Determine the existence of specific corporate insurance
- Consider adopting a “risk framework” such as ISO 27000, and assess the impact and likelihood of a breach, and the controls in place to mitigate
- Consider appointing a Chief Information Security Officer
- Implement monitoring, bench marking and regular reporting
- Focus investments starting with a comprehensive baseline of security controls, then determine the mission critical organizational functions to be prioritized
In summary, per guidance from the Canadian Securities Administrators, take “appropriate measures”. Delegate to IT professionals, but don’t abdicate responsibility for cyber security.
- Ponemon Institute LLC “2014 Cost of Data Breach Study: United States” http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded .
- Ponemon Institute LLC: Understanding the Economics of IT Risk and Reputation- Ponemon and IBM Whitepaper http://www.computerworlduk.com/white-paper/it-security/3473176/ibm-the-economics-of-it-risk-and-reputation/ .
- Listed Magazine-“Cyber Risk Takes Centre Stage”-fall 2014- http://listedmag.com/2014/10/cyber-risk-takes-centre-stage/
- AFCEA International- “The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment” http://www.afcea.org/committees/cyber/documents/CyberEconfinal.pdf and “The Economics of Cybersecurity Part II: Extending the Cybersecurity Framework” http://www.afcea.org/committees/cyber/documents/CyberEconPart2final.pdf