It’s been widely reported that a data breach is expensive. How expensive? According to the latest Ponemon research report, the average cost of a data breach is now as high as $4 million. Despite this jaw-dropping number, not all boards, C-levels, and major shareholders are adequately responding to protect their financial interests.
Obviously, they should be. After all, there are only two types of companies: those that have been breached and those that don’t know they have.
There’s a good theory explaining this problem. In a recent HBR article, the authors report that “even the most significant recent breaches had very little impact on the company’s stock price.”
Maybe shareholders are numb to the news of data breaches. But the authors suspect the real problem is that the longer-term effects of lost or stolen sensitive data, intellectual property, and brand reputation are harder to accurately measure and quantify. As a result, shareholders only react if the breach has a direct impact on the bottom line – such as litigation charges or an immediate hit to the company’s profitability.
Is there a way to overcome the short-game mentality? Yes! Since the board acts on behalf of the shareholders to oversee the day-to-day affairs of the business, it can start by asking the right questions and staying informed about this constantly evolving landscape.
Here are three cybersecurity questions your board should be asking the company’s management:
1. If we experience a breach, where and when will the breach impact the balance sheet?
Boards need to understand that even though a stock price might be minimally impacted immediately after a breach, there can be longer term consequences in the form of litigation costs, regulatory fines at state or federal levels, costly security upgrades, and lost business due to brand damage.
Even though the stock price increased after Target’s big breach, they still ended up spending $100 million to upgrade data security. “The company lost a total of about $236 million in breach-related costs, $90 million of which were offset by insurance. A judge recently ruled that Target will have to defend itself against accusations of negligence by banks, credit unions and consumers when it came to preventing the 2013 security breach. The stock price declined 0.3% after the judge stated Target would have to face civil suits. Several banks are suing the company claiming that its negligence cost them tens of millions.”1
2. Where are our crown jewels, and how are we going to protect them?
Yes, some companies focus heavily on perimeter security. The truth is that no perimeter security is 100% effective. Therefore, what you really need are security solutions that can detect and stop attackers who are already inside. This is often referred to as user behavioral analytics (UBA).
UBA is a secondary defense: it establishes a baseline of normal user file and system activity in an environment, and then continuously monitors servers against that baseline. When something out of the ordinary is detected, for instance an organization’s intellectual property being copied in bulk for eventual exfiltration by the attackers, an alert is triggered and IT can respond.
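To make the baseline-then-monitor idea concrete, here is an added example (not code from the original post or from any UBA product) that builds a per-user baseline of distinct files read per day from constructed audit lines, then flags a review day on which one account reads far more files than its baseline allows. The log format, user names, paths, the 3-sigma multiplier and the floor of 10 files are all assumptions; the floor exists so that a user with a tiny, low-variance baseline is not alerted on by ordinary day-to-day variation, while a brand-new account with no baseline at all still gets checked.

```python
"""Toy UBA-style baseline and anomaly check over constructed file-access audit lines.

Added example, not code from the original post or from any vendor product.
Log format, user names, paths and thresholds are all assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit lines in an assumed format: "<date> <user> <action> <path>"
BASELINE_LOG = """
2016-05-02 alice READ /share/design/spec_v1.docx
2016-05-02 alice READ /share/design/spec_v2.docx
2016-05-03 alice READ /share/design/budget.xlsx
2016-05-03 alice READ /share/design/spec_v2.docx
2016-05-04 alice READ /share/design/notes.txt
2016-05-02 bob READ /share/legal/contract_a.pdf
2016-05-03 bob READ /share/legal/contract_b.pdf
2016-05-04 bob READ /share/legal/contract_c.pdf
"""

# Constructed review day: alice reads her usual handful, bob reads 120 distinct files
REVIEW_LOG = "\n".join(
    ["2016-05-05 alice READ /share/design/spec_v3.docx",
     "2016-05-05 alice READ /share/design/budget.xlsx"]
    + [f"2016-05-05 bob READ /share/legal/contract_{i:03d}.pdf" for i in range(120)]
)


def parse(log):
    """Yield (date, user, action, path) tuples, skipping blank or malformed lines."""
    for line in log.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield tuple(parts)


def daily_read_counts(log):
    """Map user -> {date: number of distinct files READ that day}."""
    seen = defaultdict(set)
    for date, user, action, path in parse(log):
        if action == "READ":
            seen[(user, date)].add(path)
    counts = defaultdict(dict)
    for (user, date), paths in seen.items():
        counts[user][date] = len(paths)
    return counts


def build_baseline(log, sigma=3.0, floor=10):
    """Per-user threshold = max(mean + sigma * std of daily distinct reads, floor).

    The floor keeps a tiny, low-variance baseline from alerting on normal variation."""
    baseline = {}
    for user, per_day in daily_read_counts(log).items():
        values = list(per_day.values())
        thresh = mean(values) + sigma * pstdev(values)
        baseline[user] = max(thresh, floor)
    return baseline


def find_anomalies(baseline, log, floor=10):
    """Return {user: (date, count, threshold)} for review days above threshold.

    A user with no baseline is compared against the floor, so a brand-new
    account reading hundreds of files is still flagged."""
    hits = {}
    for user, per_day in daily_read_counts(log).items():
        thresh = baseline.get(user, floor)
        for date, count in per_day.items():
            if count > thresh:
                hits[user] = (date, count, thresh)
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, (date, count, thresh) in find_anomalies(base, REVIEW_LOG).items():
        print(f"ALERT {date} {user}: {count} distinct files read (threshold {thresh:.1f})")
```

Run as a script it prints one alert for bob on the review day and nothing for alice. In a real deployment the baseline would be learned over weeks rather than three days, and the count of distinct files is only one signal; bytes read, time of day, and access to shares the user never touched before are the kinds of features a production UBA system combines before raising an alert.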
Take a look at OPM’s breach. US-CERT identified numerous gaps in the OPM’s centralized logging strategy: “Gaps in OPM’s audit logging capability likely limited OPM’s ability to answer important forensic and threat assessment questions related to the incident discovered in 2014. This limited capability also undermined OPM’s ability to timely detect the data breaches that were eventually announced in June and July 2015.”
The big takeaway from US-CERT’s gap analysis is that traditional security strategies have a severe vulnerability when it comes to insider threats. OPM’s Director of IT Security Operations, Jeff Wagner, admitted that OPM had focused heavily on perimeter security but lacked the technology necessary to detect and stop attackers who were already inside.
3. Who is our CISO or CIO and does s/he have the resources to deal with the threat environment?
For many organizations, their crown jewels – IP, trade secrets, confidential information – are worth far more than the cost of protecting the data. It should be a no-brainer to give the security department the budget it needs. In the latest 2016 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, 80% of the respondents say inadequate funding is one of the top barriers to effectively addressing cybersecurity threats.
So boards need to step up, redirect priorities, and give management the financial resources to get the job done.