Managing cybersecurity is everyone's responsibility from the small business owner to high level managers and board members
Cybersecurity is not an IT-executive issue but a business fiduciary responsibility. Its failures can irreparably damage a company's image as well as put the firm on life support. That's why plans must be put in place both to help avoid corporate hacking and to respond to such incidents.
It's hard to miss the press coverage of the ongoing Target Corp. cybersecurity saga. Current reports claim hackers stole the personal information of at least 70 million Target customers (possibly as many as 100 million), including names, mailing addresses, telephone numbers and email addresses.
Neiman Marcus and at least three other well-known U.S. retailers also had cyber breaches, using a technique similar to the one used on Target. Other breaches occurred last year as well. While technically this is an IT problem, the reality is that it can be a major business catastrophe. How this plays out is in the hands of the board and corporate executive management.
Remembering TJX and Other History Lessons
In 2007, TJX Companies was found to have exposed more than 94 million credit card records to hackers over a three-year period. The company had to spend tens of millions of dollars to clean up its cybersecurity infrastructure and create a $41 million settlement fund to compensate nearly 95 percent of the affected customers and banks.
In 2013, the Ponemon Institute "Cost of a Data Breach Study: Global Analysis" found that the average total organizational cost of a data breach in the U.S. was $5.4 million, while the average notification cost was $565,020. (Notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs, and inbound communication set-up.) Additionally, the lost-business costs in the U.S. resulting from the breaches currently average more than $3 million.
These startling statistics demonstrate that while IT plays a role in all of this, it's imperative that all those in positions of authority be accountable for cybersecurity, and not just after the fact. The least expensive way to deal with a breach is to prevent it from occurring in the first place. However, many studies find that top management doesn't play a sufficient role in the governance and management of cybersecurity.
Executive Responsibilities
Responsibilities can be divided into three categories: pre-breach (normal operations); breach-response (crisis) mode; and post-breach-response ongoing activities. Initially, boards and corporate executives must get up to speed and understand the challenges, establish the acceptable risk parameters and play an ongoing role in security governance.
Continued attention must be part of monthly and quarterly meetings. Signing off on or just deferring decisions without really understanding the business impacts to these decisions should be considered unacceptable.
IT security executives should work with appropriate parties to collect, analyze and share incident data so defenses and detection can be enhanced. Business and IT executives should also recognize that cybersecurity isn't just about technology, because the weakest links are people and processes. These gaps should be aggressively pursued and the problems regularly communicated across the organization. Lastly, a crisis-management plan should be put in place as a contingency.
Should a breach occur, it's imperative that the owner/CEO (preferably) or a very high-level executive who can be viewed as the face of the company get in front of the problem and provide customers assurance that all efforts are being undertaken to resolve the problems, including making customers whole. The details of what should be relayed to customers, employees and stakeholders, and how and when it should be disseminated, should come from the crisis-management plan. A well-executed plan can safeguard the company's image, retain customer loyalty and protect the company's finances.
The difference between the post-breach-response ongoing activities and the pre-breach cycle is that the company is now far more aware of its risk exposures, and this heightened awareness tends to influence activities and decision making. This is a good thing, but it's unfortunate that firms (or key executives) have to go through the wringer before they make cybersecurity a priority.
Getting Ahead of the Issue
Small business owners, board members and corporate executives share the fiduciary burden and accountability for protecting company assets, even if the responsibility is delegated to IT or an outside provider. Today, these executives remain behind the curve in protecting against, discovering, and containing cybersecurity attacks and data breaches. Unfortunately, the frequency and variety of attacks and attack vectors will only increase year-over-year.
All must be aware of the changing challenges, establish and maintain acceptable risk parameters, and play an ongoing role in security governance. IT security executives should work with appropriate parties to collect, analyze, and share incident data so that defenses and detection can be enhanced.
Executives should identify low-hanging initiatives that can be quickly executed, such as improved password requirements, password-change frequency, two-factor authentication, and rapid deactivation of access (cyber and physical) to terminated contractors and employees. Encryption of data at rest and in transit should also be evaluated.
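Two of the initiatives listed above, rapid deactivation of access for terminated staff and a password-change frequency, are only as good as the check that verifies they actually happened. The script below is an added example, not from the original article: it reconciles a constructed HR termination list against a constructed identity-directory export and reports (a) still-enabled accounts whose termination date is older than a grace window or that have no HR record at all, and (b) enabled accounts whose password age exceeds the policy maximum. The record formats, field names, 4-hour grace window and 90-day maximum are assumptions for illustration.

```python
"""Offboarding and password-age reconciliation check (added example).

All HR records and directory accounts below are constructed sample data;
a real run would load them from the HR system and the directory export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    username: str
    terminated_at: Optional[datetime]  # None means still employed


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    enabled: bool
    password_last_set: datetime
    is_contractor: bool = False


def stale_terminated_accounts(
    hr: List[HrRecord],
    accounts: List[DirectoryAccount],
    now: datetime,
    grace: timedelta = timedelta(hours=4),  # assumed deactivation SLA
) -> List[Tuple[str, str]]:
    """Return (username, reason) for enabled accounts that should be off.

    Flags an account when HR shows it terminated longer ago than `grace`,
    and also when no HR record exists at all (an orphan account, which
    nobody is tracking for offboarding and therefore warrants review).
    """
    hr_by_user = {r.username: r for r in hr}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to report
        rec = hr_by_user.get(acct.username)
        if rec is None:
            findings.append((acct.username, "no HR record"))
        elif rec.terminated_at is not None and now - rec.terminated_at > grace:
            overdue = now - rec.terminated_at - grace
            findings.append((acct.username, f"terminated, deactivation overdue by {overdue}"))
    return findings


def password_age_violations(
    accounts: List[DirectoryAccount],
    now: datetime,
    max_age: timedelta = timedelta(days=90),  # assumed policy maximum
) -> List[str]:
    """Return enabled accounts whose password is older than the policy allows."""
    return sorted(
        a.username for a in accounts if a.enabled and now - a.password_last_set > max_age
    )


# Constructed sample data: a fixed "now" keeps the results reproducible.
NOW = datetime(2014, 2, 1, 12, 0, tzinfo=timezone.utc)

HR_RECORDS = [
    HrRecord("alice", None),                                 # current employee
    HrRecord("bob", NOW - timedelta(days=4)),                # left four days ago
    HrRecord("carol", NOW - timedelta(hours=1)),             # left an hour ago (within grace)
    HrRecord("dave", NOW - timedelta(days=22)),              # left, account already disabled
]

ACCOUNTS = [
    DirectoryAccount("alice", True, datetime(2013, 12, 15, tzinfo=timezone.utc)),
    DirectoryAccount("bob", True, datetime(2013, 10, 1, tzinfo=timezone.utc)),
    DirectoryAccount("carol", True, datetime(2014, 1, 20, tzinfo=timezone.utc)),
    DirectoryAccount("dave", False, datetime(2013, 1, 1, tzinfo=timezone.utc)),
    DirectoryAccount("eve", True, datetime(2013, 9, 1, tzinfo=timezone.utc), is_contractor=True),
]


def report(hr: List[HrRecord], accounts: List[DirectoryAccount], now: datetime) -> str:
    """Human-readable summary suitable for a monthly governance review."""
    lines = ["Access still enabled after termination / with no HR record:"]
    lines += [f"  {u}: {why}" for u, why in stale_terminated_accounts(hr, accounts, now)]
    lines.append("Password age over policy maximum:")
    lines += [f"  {u}" for u in password_age_violations(accounts, now)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(HR_RECORDS, ACCOUNTS, NOW))
```

Running this on the sample data flags bob (terminated four days ago, still enabled) and eve (enabled contractor with no HR record) as access findings, and bob and eve again as password-age violations; carol is inside the grace window and dave is already disabled, so neither appears. In practice the same reconciliation should run on a schedule and its output should be one of the items reviewed at the monthly meetings the article calls for.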
Cybersecurity isn't a technology issue; it's a matter of business survival that puts the onus on the board and corporate executives.