I am not a cybercrime expert and you don’t have to be either to be aware of the increasing number of individuals and organisations being targeted by criminals using sophisticated technology in ways we never predicted. This threat is far greater than most organisations perceive even though the evidence is all around us and yet many organisations are slow to respond. This view is backed up by a survey carried out by McAfee, the cyber security firm, where they discovered that only 44% of respondents to the survey have plans in place to prevent or respond to a cyber-attack. Why, is the obvious question?
This may be explained by Alex Blau in his (2017) article in the Harvard Business Review is that decision makers treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. I believe it would be fair to say that many business leaders see this as an IT threat which should be dealt with by that department rather than an overall business threat that needs to be addressed by all departments.
According to PwC you should have in place a full plan that has been tried and tested across your organisation. You cannot do that unless you can answer the following questions. How is data backed up, how will you retrieve it, how quickly can you retrieve it and how quickly can your organisation be back up and running. Who will give you a forensic evaluation of how the system was compromised and what was accessed while the criminals were within it.
How will you communicate the right message to the different audiences in a way that gives them comfort. Many organisations have regulatory responsibilities and must report such a breach within 72 hours. How do you manage internal communications where employee files have been compromised?
As you can see there is a lot to do when you are attacked and you do not want to be looking for solutions when your organisation is in chaos. Think of the amount of time lost suddenly looking for experts across the different areas to help get you out of trouble.
According to an IBM survey – the average cost of a data breach is $3.86m £2.4m with an average discovery to recovery time of 280 days. This figure does not take into account reputational damage which would include customer confidence and share price. (And let us not forget the small business owners whose average loss is €42k many of whom do not survive an attack). What would be the impact of that on your organisation?
We are familiar with the more obvious costs of a cyber-attack but as you can see from a Deloitte report the hidden costs are equally disturbing. In terms of your mitigation strategy how many of these issues are covered?
According to Deloitte
Above the surface well-known cyber incident costs
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crisis communications
- Attorney fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface hidden or less visible costs
- Insurance premium increases
- Increased cost to raise debt
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property (IP)
Closer to home let me give you an example of a recent attack here in Ireland where on the 14th May this year the Health Service Executive system was hacked and a ransom demanded. The attack has been described as catastrophic with hospital appointments and treatments cancelled. I am sure through the Freedom of Information act that we will one day see the financial cost to the state but will we ever know the number of people affected or the number who lost their lives as a result of a callous act that could have been prevented.
Hiding in plain sight was the knowledge that the system being used was outdated and vulnerable. Inertia did the rest.
Cyber-crime is big business for criminals which means that it is going to be an ongoing threat to your business. If your strategy is reacting after it has happened then you are losing valuable time, creating more work and putting yourself in a more vulnerable position.
Hiding in plain sight is the significant threat but how far up the priority list is having a solution in place?
If you would like further tips why not subscribe. If you would like a call in confidence and without obligations you can schedule it HERE