By Rebecca Scorzato and Eben Kaplan
Cybersecurity experts glibly note that there are two types of organizations: those that know they’ve been hacked and those that don’t. If there is a silver lining in this observation, it is that organizations are increasingly falling into the former category. And they are preparing themselves.
The past few years have seen sizable changes in how organizations defend their networks. Rather than massing forces at the perimeter of their networks, defenders have begun to look inward. They monitor outgoing traffic as well as incoming, using intrusion detection systems and “continuous monitoring” to identify any potentially malicious activity. In the process, IT security workforces and budgets have ballooned; market researchers suggest spending on cybersecurity has increased at about 10% annually in recent years and will continue at a similar clip for years to come.
It’s not working. The credit card breach at Target is just one example: the company increased its information security force tenfold, created a security operations center and deployed some of the most sophisticated systems available on the market. Reports suggest that different configurations of Target’s security and permissions systems might have prevented an attack—but hindsight is 20/20 and the systems in question are vast and complex. Hackers found a way in, and as long as there are vast sums to be made breaking into computer networks, they probably always will. Meanwhile, the cost of data breaches is rising, up 15% since last year, according to a recent study. Those costs do not include damage to a company’s reputation, but that can be significant, too. Target saw a 46% dip in quarterly year-over-year profit after its high-profile breach.
The Internet was designed with security as an afterthought, meaning cyber criminals have a perpetual leg up in the digital arms race. Technology is no panacea—even if software vulnerabilities become a thing of the past, human error never will. Indeed, the improvement of security systems in recent years has coincided with a rise in “social engineering” and spear phishing attacks that prey on human fallibility.
While network breaches are inevitable, this does not mean that organizations are helpless. The consequences and impact of a breach can vary tremendously, and how an organization prepares itself can make all the difference. The first step is to ensure certain basic security measures are in place—measures that limit the damage an intruder can do. Australia’s Signals Directorate has developed a list of the top 35 mitigation strategies companies can employ; the SANS Institute has developed a similar list, as have the National Institute of Standards and Technology and the International Organization for Standardization. These measures include defining a “whitelist” of programs that are allowed to run on a system, patching software vulnerabilities regularly, and partitioning off sensitive information and limiting who can access it. It’s not rocket science, but such steps can make it much harder for attackers to access a network and limit the potential damage when a breach occurs.
How an organization responds is equally if not more important. A 2013 study found that having an incident response plan was the largest factor in reducing the cost of a breach. Organizations with response plans lowered the cost of a breach by 22%. By comparison, a strong security posture reduced the cost by 18%, appointing a chief information security officer reduced the cost by 12%, and hiring outside help reduced the cost by 7%.
But the scope of that plan makes a difference as well. Response plans that are developed in silos and include only the IT department are probably insufficient. Serious data breaches require both a tactical and a strategic response, which means the plan must encompass other parts of the organization. A good plan will leverage an existing or newly created crisis management structure and identify a crisis management team, outline the process the team will follow once they become aware of a breach, and identify the resources and skills—both internal and external—that will be needed when a breach occurs.
Having a good plan is a first step, but a plan serves little use unless it is understood by team members and is aligned with the core values and risk tolerance of the organization. Training and exercises are the best and only real way to prepare for the breach that will occur. Through planning and exercises, bringing together diverse stakeholders and creating a common dialogue between business, IT, security, and operations will improve preparedness and cut down organizational silos.
All this planning raises another question: who owns the issue and, more importantly, whose budget will this come from? Enter the real risk owner: top management. For publicly traded organizations this is the CEO and board. Responsible leaders will force this issue. If your board has not asked “Are we ready for a breach and do we have a plan?” it should, and most likely it will.
This poses an excellent opportunity to view the risk of a data breach or a “cyber” issue as an enterprise risk. Most organizations face a significant crisis every 3-5 years and will be judged based on how they respond. Data breaches are just one example; natural disasters or product integrity issues could have similar effects. Weathering any of these crises requires a similar type of preparation. But while CEOs and boards of directors are accustomed to dealing with more traditional hazards, cyber risks are new and unfamiliar. Getting management to ask about cyber risks is one challenge; answering those questions in a way that they can understand is another. Clear communication about cyber risks is not always easy, but it is often the key to gaining the funding and organizational support necessary to overcome the inevitable data breach.
Rebecca Scorzato is director of Crisis and Security Consulting and Eben Kaplan is a senior consultant at Control Risks, the global risk consultancy.