When business leaders think about cybersecurity, the most common question they ask themselves is, “Are we prepared to prevent an attack?” Unfortunately, this kind of thinking plays directly into the hands of the attackers. Viewing total prevention as the goal and benchmark for success can lead to an erosion of standards and a potentially false sense of security.
Consider the Carbanak cyber bank heist that began in 2013. It took well over a year for roughly 100 financial institutions to learn, from a third party, that they were victims of a cybercrime estimated at $1 billion. During that time, many of the affected companies may have believed they had successfully delivered on the “prevent cyber attack” metric. In reality, it was just a matter of time (a fair amount of it in this case) before they discovered the attack, and by then the money was already gone.
Organizations need to approach cybersecurity with the assumption that they will be attacked at some point. Attacks are on the rise, and organizations of all types and sizes are at risk. “Are we prepared to prevent an attack?” is no longer the right question to ask. Instead, organizations must play offense as well as defense, asking a far more demanding set of questions about detection and response: Will we know it when it happens? How quickly can we identify a breach? Do we have the right protocols in place to trigger immediate action?
Cybersecurity is not a passive undertaking. It cannot be achieved with a single tool or technology resource. It requires diligent planning and constant vigilance. Organizations that are best positioned to protect themselves will play both offense and defense—beginning with a thorough assessment of the risks they face.
A 2015 Duke University survey of CFOs found that more than 80 percent of U.S. companies have been successfully hacked. It is worth noting that these are the companies that are aware an attack has occurred. The actual numbers could be higher.
Source: 2015 Duke University / CFO Magazine Global Business Outlook Survey of CFOs
Cyber attacks are industry agnostic. While cybersecurity is often associated with large defense companies, financial services firms, healthcare providers and retailers, companies in other sectors are in the particularly vulnerable position of believing they are not at risk or the risk is not significant.
Public companies in heavily regulated industries (think financial services or biopharma) may be more attuned to the realities of cybersecurity risk, and regulatory requirements keep the issue front and center. This is not the case for other industries in the supply chain, which may very well hold data the criminals want. IndustryWeek, a manufacturing industry trade publication, warns that the manufacturing industry may not be taking the threat seriously enough. Meanwhile, high-profile attacks on power grids internationally have underscored the vulnerability of power and utilities companies in the United States.
Smaller companies may be at even greater risk than larger ones. The risk of cybercrime is often thought to be directly correlated to the size of the organization: the bigger the company, the bigger the risk, or so the myth goes. While it is true that large organizations have been the victims of the highest-profile attacks, hacktivists and criminal hackers increasingly view smaller businesses as prime targets because they are seen as easier prey than larger, more heavily resourced organizations.
In reality, the Duke study found that 85 percent of smaller companies (those with fewer than 1,000 employees) reported having been hacked. At the same time, smaller companies report being half as likely as larger companies to implement common controls such as testing their own systems for weaknesses, hiring information security talent, or investing in training on data security.
The bottom line is that smaller companies hold special appeal to attackers because they are often suppliers to larger companies, with access to sensitive information but without the controls their more heavily resourced customers might have in place.
There is little dispute that the situation is a critical one. It does, however, compel a close look at some of the common mistakes even the most sophisticated of companies are making.
Cybersecurity was once thought of as an IT risk. It was a problem to be budgeted for and addressed at a functional level, and budgets were allocated accordingly. Today, the stakes are higher than ever, with the cost of data breaches at an all-time high according to research by the Ponemon Institute and IBM. In 2015, the average cost per breached record in the United States was $217, an 8 percent increase over 2014, and the average total cost of a breach to an organization was $6.5 million.
Source: 2015 Cost of Data Breach Study: United States, Ponemon Institute and IBM
Cyber attacks are associated with losses in terms of customers, profits, brand equity and stock price. Consequently, cybersecurity should be seen as a business risk that is prioritized at the C-level and board-level.[1] The National Association of Corporate Directors appeared to take a similar point of view when it released its watershed 2014 publication on cyber-risk oversight.[2]
Should there be any lingering doubt that cybersecurity is now a business risk and a board-level concern, one need only consider that it is C-suite (and occasionally boardroom) seats that have been lost in the wake of the breaches at Target, the USDA and Sony.
A reported 84 percent of midmarket companies plan to increase data and security spending.[3] Given the alarming risk data, this is not a surprise. It is imperative, however, that companies spend wisely.
The “set it and forget it” mentality is no longer adequate. A thorough and objective analysis allows companies to understand their unique areas of vulnerability. From there, an organization can develop an action plan within a realistic timeframe and budget. Like all sound business decisions, it is a matter of calculated risk and prioritization.
Source: American Express Survey of Mid-Sized Companies in the United States
Today we see clear signs that companies are awakening to the need for a proactive approach to cyber risk. The Chief Information Security Officer (CISO) role has emerged in recent years in many organizations to oversee companies’ efforts to assess and manage cyber risk. While it was once common for a technical manager to take responsibility for information security, it is now the role of a more senior business person who is both technically adept and able to communicate cyber risk to board members and business executives. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) are often tapped to provide regular feedback to Audit Committees and Boards on business risks, including cybersecurity.
While the evolution in talent is a positive development, it is also important to remember that the data and confidential information of millions of people cannot be the responsibility of one person. The creative contributions of a company’s employees or the sensitive IP of business partners cannot be protected solely by a piece of software or hardware.
Now is the time to redefine the view of success. Rather than trying to prevent every possible attack, focus efforts on the systems and processes that detect intrusions quickly, identify accurately what was affected, and drive a prompt, coordinated response. Every organization is different, and its benchmarks for success will be its own. However, well-balanced organizations do have one thing in common: they excel on both offense and defense.
For more information on this topic, or to learn how Baker Tilly cybersecurity and IT risk specialists can help, contact our team.
[1] For more insights on what audit committees and boards need to know, see: http://bakertilly.com/insights/cyber-risk-what-audit-committees-and-boards-need-to-know-now
[2] https://www.nacdonline.org/files/NACD%20Cyber-Risk%20Oversight%20Executive%20Summary.pdf
[3] http://about.americanexpress.com/news/docs/2014x/American-Express-Survey-of-Mid-Sized-Companies-US.pdf