The Cost of a Data Breach
A study conducted by IBM last year, The 2020 Cost of a Data Breach Report, put a price tag on data breaches. According to the study, the average cost of a data breach is $3.86 million. Also, 80 percent of data breaches resulted in the exposure of customers’ personally identifiable information, which is the most expensive type of breach to remedy.
Stolen or compromised employee credentials and cloud misconfigurations are the most common causes of data breaches, with 40 percent of breaches caused by these incidences. Misconfigured cloud networks increased data breach costs by half-a-million dollars, according to the study.
Cybersecurity Starts at the Top
Statistics like these make it clear that cybersecurity should be an important part of every organization’s operating plan. Ensuring a well-protected network starts at the top.
Here are five key questions leadership should ask to assess cybersecurity risk:
Question #1: Is your executive leadership informed about cyber risks that threaten the company?
Cybersecurity is about managing risk. A breach can have dire consequences. This makes managing cybersecurity risk a critical part of an organization’s governance, risk management and business continuity framework. Early response actions can limit or even prevent possible damage. Accordingly, timely reporting to leadership should be built into the strategic framework for managing the enterprise. The CEO, CIO, business leaders, continuity planners, system operators, general counsel and public affairs should be part of the chain of communications.
Question #2: What is our exposure to cyber risk, the potential impact of a breach and our plan for addressing both?
Identifying critical assets and associated impacts from cyber threats is critical to understanding your specific risk exposure. These will most likely be a combination of financial, competitive, reputational ando/or regulatory risks. Risk assessment results are key to identifying and prioritizing specific protective measures, allocating resources, informing long-term investments and developing policies and strategies to manage cyber risks at an acceptable level.
Question #3: How does our cybersecurity program apply industry standards and best practices?
A comprehensive cybersecurity program leverages industry standards and best practices to protect systems, detect potential problems and enable timely response and recovery. Compliance requirements help to establish a good cybersecurity baseline to address known vulnerabilities. However, they do not adequately address new and dynamic threats or sophisticated adversaries. Using a risk-based approach to apply cybersecurity standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.
Question #4: How many cyber incidents is normal for us? At what point should executive leadership be informed?
Executive engagement in defining the risk strategy and levels of acceptable cyber risk enables close alignment with the business needs of the organization. Regular communication between leaders and those held accountable for managing cyber risks provides awareness of current threats, security gaps and associated business impact. Analyzing, aggregating and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly. Ensuring that protective efforts are commensurate with risk.
A good way to establish updated security protocols is to have an assessment of your network. This can show you where you stand and provide insights to a solid plan of action.
Question #5: How comprehensive is our cyber incident response plan? How often is it tested?
Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, the leadership group should be prepared with a Plan B. Documented cyber incident response plans that are exercised regularly help enable timely response and minimize impacts.
Devise a Cybersecurity Plan Now
When it comes to cybercrime and data breaches, it’s not a question of if, but when. Now is the time to devise a plan for how your organization will deal with a data breach when one occurs.
Meet with your key leaders use the questions to assess cybersecurity risk. If you don’t have adequate answers, commit to doing whatever it takes to get answers before your organization is the victim of a data breach.
Great post. I am facing a couple of these problems.