Here’s a scary situation: A new survey conducted by Microsoft and Marsh found that two-thirds of 1,300 senior executives polled said cybersecurity was a top five risk management priority for their company.
But while companies fear the impact of a cyberattack, only 19 percent are highly confident in their organization’s ability to prevent and respond to a hack. In fact, only 30 percent have developed a plan to respond to a cyberattack.
Cybersecurity expert John Barchie of Arrakis Consulting has worked with Fortune 10 organizations consulting on physical and cybersecurity issues. He believes all can create a cyberattack response and prevention plan.
Q: Why doesn’t every business have a cybersecurity plan? What’s the hesitation?
A: Typically, businesses don’t have a cybersecurity plan because they don’t have an information security advocate. InfoSec is a newer business function and has not matured to the level of “sales” or “accounting”; it is generally an afterthought.
Sometimes organizations will sign contracts with extensive cybersecurity requirements in their Schedules without a thought to what getting the organization to that level of security posture would cost. The role of CISO [Chief Information Security Officer] isn’t just for show anymore. And an organization that doesn’t have one likely doesn’t have a strong cybersecurity plan. The hesitation is the tone at the top. If the board doesn’t ask for a CISO, if the executive team doesn’t think they need a CISO, then the organization isn’t going to get a CISO. Again, it is a maturing of business, and of the concept of protecting the data that is being captured and/or generated: some businesses still think it is their data to use as they see fit, instead of seeing their role as that of a custodian who needs to protect the data. Finally, some organizations, fully aware of the situation, or thinking they are fully aware, choose to forgo a cybersecurity plan because they feel their intellectual property is of little value, or that they don’t hold that much ‘customer data,’ or that they are just not a very good target. None of which tends to be true.
Q: Why should every business — large and small — have a cybersecurity plan?
A: If an organization is holding other people’s data, it is rapidly becoming a legal issue. Failure to perform due diligence on protecting that data can lead to successful lawsuits, which traditionally, in business, are more expensive than just breach notification and providing free identity theft services. Lack of a written cybersecurity plan equates to lack of due diligence. Even without other people’s data, organizations that generate intellectual property tend to grossly undervalue their intellectual property.
Q: Why is prevention important?
A: A written cybersecurity plan provides the organization something to test against. Management can constantly review the security controls as described in the plan to ensure they are still effective. Without a plan, it is much less likely that the impact to the organization, while a security incident is taking place, can be reduced. It appears that across the board about 10 percent of organizations are compromised yearly, regardless of the rigor of their security posture. However, those with a written and constantly reviewed and tested (audited) cybersecurity plan suffer less impact during an incident than organizations without a written plan.
Q: What is a typical response and what might work better for businesses that have gone through an attack?
A: Businesses that go through an attack without an understanding of cybersecurity, or a plan that defines their environment, are dependent upon the local heroes they’ve hired who have the institutional knowledge to protect the organization. With a written plan the organization can more easily surge in experts to identify and shut down incidents as they are happening, or at least gain a broader understanding of what happened in order to prevent future incidents. Most organizations, after they’ve taken a significant loss, after the horse has left the barn so to speak, will pay to generate a plan and execute a cybersecurity program, at least for a while. But as the pressures of business build and the “problem” appears to go away, or be non-existent, they tend to reduce the resources toward the cybersecurity function as “the emergency is over.” It takes great discipline for an organization to fund their cybersecurity function fully, from year to year. There may be, to some executives, solid business reasons for not funding a cybersecurity program: if funding a department costs $1 million annually and the maximum loss due to cybersecurity incidents an organization typically suffers is $500,000, it could seem to executive management that the cybersecurity spend is foolish. However, given the risk of legal, regulatory and now, failure to meet contractual obligations, this type of decision may be considered a lack of due care. It is a sticky wicket, and organizations need to start looking at cybersecurity as a business function that needs to be evaluated under business rules. Organizations that don’t have a CISO and a written cybersecurity program are under the gun when it comes to winning lawsuits after an incident, or even marketing their product to a wary consumer.