In my advisory role, I see companies of all sizes asking their IT and security executives what is being done to address cybersecurity. I have had the opportunity to work with a lot of companies, large and small, and I can safely say that cybersecurity is on everyone’s mind. Boards of directors and business owners at companies of all sizes are becoming engaged in the discussion around cybersecurity. Data breaches are happening so often now that they are no longer shocking. Big names such as Facebook, Marriott, and Google+ have had their users’ data compromised. You may think to yourself: If they can’t protect their data with their large budgets, how can I ensure my company is protected? That’s a fair question, and my answer is a reassuring one: It is possible.
First, let’s talk about why it’s important. To put it plainly, data breaches are costly. IBM’s 13th annual Cost of a Data Breach study, the industry’s gold-standard benchmark research independently conducted by Ponemon Institute, reports that the global average cost of a data breach is now $3.86 million, up 6.4 percent over the previous year. The average cost for each lost or stolen record containing sensitive and confidential information is now $148, an increase of 4.8 percent year over year. Additionally, the average cost for a small business to clean up after it has been hacked stands at $690,000, and for middle-market companies it’s over $1 million. However, that’s not the whole picture. Even after the breach is contained and appropriate actions have been taken, what is the cost to your brand? The United States National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses for more than six months after a cyberattack.
So, what should your company do? The answer is prevention, detection and response. To prevent these types of breaches, companies should review their security measures and consider the following:
- Implement security awareness and training
- Implement appropriate preventive tools and controls
- Protect all devices that connect to the internet or to wireless networks
- Encrypt your most sensitive files
- Keep software and hardware current
To detect and respond to security breaches, companies need to:
- Implement appropriate monitoring tools
- Implement incident response procedures
- Implement business continuity procedures
Here are 7 questions your organization should be able to answer readily:
1. How secure is your company’s data?
2. How do you know your data is secure?
3. What are the biggest threats to your organization’s data security?
4. What security policies and procedures are in place to prevent and respond to data leaks?
5. What are all of the endpoints on your company’s network?
6. What cybersecurity technologies do you use to protect and monitor your data?
7. How much money and resources would you lose if your company suffered a data breach?
If you know the answers to all these questions, that is a great start. If you are not sure how to answer some of these questions, you should consider working with an expert you trust to provide guidance in this complex and shifting environment. A trusted advisor can help you ensure your cybersecurity program has been adequately implemented to address and minimize your organization’s cyber risks.
A good advisory partner should help you achieve the following:
1. Identify the factors contributing to your company’s overall cyber risk.
2. Assess your company’s cybersecurity risk and preparedness.
3. Evaluate whether your company’s cybersecurity preparedness is aligned with its risks.
4. Determine risk management practices and controls that are needed or need enhancement, in addition to actions that should be taken to achieve the desired state.
5. Outline risk management strategies including cybersecurity insurance.
You might be thinking: “Yes, I would love to do this, but our company can’t afford it.” The truth is that cybersecurity preparedness costs a small fraction of what a breach would cost. I have seen cybersecurity risk assessment engagements starting at $10,000 and going to $50,000 for large enterprises, but it very much depends on your company’s size, industry, and the project’s scope.
The bottom line
Cyberattacks are not going away. It’s quite the opposite: They will become more pervasive and sophisticated. It’s not a matter of if, but a matter of when. Once you have strong cybersecurity policies and procedures in place, it is crucial to keep them updated and to continually re-evaluate them, because tactics and threats evolve quickly. If your company does not have this type of expertise in-house, I recommend you find a cybersecurity advisor you trust to help you get there. Here’s to peace of mind in 2019!
Patrick Daniel is an IT Audit and Consulting Director at Moore Colson. He is responsible for enhancing IT auditing services focusing on Sarbanes-Oxley initiatives, compliance and security governance for many of Moore Colson’s major clients. He also leads many of the firm’s SOC audits and attestation engagements.