In what one hopes is a promising trend, C-suite executives and corporate board members are starting to get more serious about protecting their cyber assets. According to a study entitled “Cybersecurity in the Boardroom” by Veracode and the NYSE Governance Services, cyber-security is now becoming a frequent topic of discussion at corporate board meetings, and shareholders are starting to hold upper-level leadership responsible for breaches.
Much more work, however, needs to be done. The study showed that 66 percent of the 200 directors of public companies surveyed indicated they did not have confidence their companies are properly secured against a cyber-attack, listing their top three concerns as brand damage, breach costs and a lost competitive advantage. The study provides recommendations for how chief information security officers can shape the conversation with corporate board members, suggesting they use metrics to present security information and provide benchmark risks about how their organization’s security apparatus compares to others.
It seems businesses are finally starting to catch on to the growing threats of cyber-attacks. However, the question remains: what, if anything, do they plan to do about it? Too often, companies don’t take a proactive approach to security. As we saw with the massive breach of data at Target in 2013, where up to 70 million credit and debit accounts were compromised, the company didn’t prioritize cyber security until after it was attacked, which ended up costing it a staggering $162 million across 2013 and 2014. Target recently settled with Visa for the reimbursement of as much as $67 million for costs incurred to financial institutions from the breach, and the company and its shareholders are still feeling the fallout.
As seen with Target, these breaches have major impacts on corporations’ reputations. If customers don’t believe that you’re keeping their data safe, they’re likely to shop or bank elsewhere. Indeed, cybersecurity becomes a reputational issue for corporations, which ultimately impacts shares, and therefore, corporate boards. When it starts to affect their bottom lines, we see them start to pay attention.
While expensive at the outset, spending money on a strong cyber infrastructure and a proactive IT system can save a company immensely in the long run. According to Marc van Zadelhoff, Vice President of Security at IBM, companies that have preparedness plans and a strong rapid response team, able to quickly understand the extent of damage while an attack is occurring or immediately after, save $12 to $13 per capita per breach compared to companies that do not.
As with all good business decisions, the risk/reward analysis must be carefully considered when attempting to quantify cyber risks. Failure to understand threat implications and adequately safeguard data could lead to corporate disaster. That’s why experts are working with corporations to better quantify the risks.
However, business leaders must change the way they view cyber security and cyber threats. These issues can’t be viewed as an abstract “technology” problem, but must be addressed from a business perspective. As PricewaterhouseCoopers (PwC) outlined in a recent presentation, “Cyber risk management needs to be owned by the C-suite rather than by IT.” They define effective cyber risk management as “the coordinated management of influence, technology and business operations to protect critical assets and reputation from external and internal threats.”
The cost of data breaches is rising globally, according to IBM and Ponemon Institute’s study, “2015 Cost of Data Breach Study: Global Analysis,” which estimated that the average total cost of a data breach has increased 23 percent since 2013 to a staggering $3.79 million. One can assume these numbers will continue to rise until corporate America gets serious about shoring up its, and in turn our, cyber assets.
Finally, the malicious actors launching these cyber-attacks are collaborating, and our business community should be, too. In fact, we need more avenues for collaboration so that our technologists, investors, government, members of academia and corporations can come together to combat cyber-crime. Just as hackers share their “best practices” with each other on the Dark Web, so, too, should we form a collaborative, diagnostic, united approach.