With data breaches hitting the news headlines almost on a daily basis, it is shocking that global security budgets fell 4% in 2014 compared with the year before, according to a new PwC survey of almost 10,000 executives. The report reveals that the number of reported security incidents increased by 48%, to 42.8 million, the equivalent to 120,000 attacks a day. Meanwhile, the average cost of managing and mitigating data breaches rose to $2.7m per incident, over a third more than in 2013.
With these controversial figures in mind, the need to change the board’s view on cyber security is urgent. Here are seven facts your board needs to be aware of:
1. Cyber security is a board’s responsibility
This is probably one of the biggest mindset changes boards need to come to terms with. For Target’s former CEO, Gregg Steinhafel, this responsibility must have been a daunting one, forcing him to eventually step down after the company was breached and sales fell.
While directors will have little or no control over the threat, they can drive change internally, for example by raising staff awareness, appointing a chief information security officer (CISO) and requesting regular cyber security reports.
Worryingly, 32.5% of the respondents to the Boardroom Cyber Watch Survey 2014 stated that their boards receive no regular report on cyber security. Although nearly 63% of boards receive reports at least monthly, some 21% of respondents believe their company’s board reports fail to provide the information necessary for them to make decisions.
The Global State of Information Security® Survey 2014 revealed that insufficient capital expenditure (24%), lack of an actionable vision of business impact on information security (24%) and lack of board leadership (23%) are among the key obstacles for improving information security effectiveness.
2. Increasing the cyber security budget is necessary
Closely related to the ‘responsibility’ aspect above, providing an adequate budget for cyber security is also the board’s duty. Insufficient capital expenditure was deemed the top obstacle (24%) in the State of Information Security® Survey 2014. It is almost scandalous that, despite the rise in cyber attacks, businesses spend less on cyber security, which was also confirmed by the findings of the PwC’s Global State of Information Security Survey® 2015.
It is important that cyber security expenditure is directed into all areas that affect security, i.e. technology, people and processes. For example, you can install all the anti-virus and encryption software you want, but this won’t stop an employee clicking on a malicious link or writing their password on a post-it note. A lack of processes can lead to data breaches, too – what and how often to install patches and updates for software should be managed by a process.
As a former CIO and current instructor with the New York Institute of Finance Jim Noble wrote in an article for WSJ, spending less than 5% of the overall IT budget on cyber security should ring alarm bells.
3. Data breaches are more expensive than fighting them
Leading on from the previous point, if board members perceive the implementation of an information security management system as an expensive project, then they should ask how much a breach would cost them.
PwC’s survey also revealed that the average cost of managing and mitigating breaches rose to $2.7m per incident, over a third more than in 2013.
Having a robust cyber security framework in place also means that organisations can recover from a breach more quickly, since it is expected that the necessary processes and procedures will be in place to enable this.
4. Data breaches – not a matter of ‘if’, but ‘when’
While studies show that many organisations have raised the bar on security, few of them have kept pace with today’s escalating risks, and fewer still are prepared to manage future threats.
According to the Boardroom Cyber Watch Survey 2014, almost 36% of respondents believe their organisation was probably subjected to an undetected cyber attack in the past year, while almost 21% did not know. The Mandiant M-Trend Report revealed that the average number of days that the attackers were present on a victim’s network before they were discovered is 229.
Savvy organisations will accept that sooner or later their defences may be breached, and take measures to ensure that they will be able to recover quickly once an attack has taken place.
5. Customers and stakeholders care about cyber security
This matter seems to have been long ignored by many companies, but big data breaches on consumer-oriented companies have demonstrated that data breaches can indeed lead to loss of customers’ and stakeholders’ trust. If boards are primarily interested in revenue and profits, then they should be worried. Target’s earnings fell by 46% and sales fell by 3.2% after the breach, causing the retail company significant losses during the holiday season, news agencies reported.
55% of the respondents to the Boardroom Cyber Watch Survey 2014 stated that their customers had inquired about their information security credentials.
6. Lack of cyber security can become a hindrance for business efficiency and growth
Whether you are an SME or a large organisation, your business success depends a lot on your organisation’s ability to innovate and take advantage of technology. But the latter is increasingly affected by emerging cyber threats. Cloud, the Internet of Things, social media apps and other technologies make it easier for hackers to target employees and consumers alike, stealing their confidential and personal data.
The 2013 State Of Cloud Computing research, carried out by Information Week, revealed that 51% of organisations are reluctant to migrate to the Cloud due to concerns about data security flaws. But not using modern technology out of fear of a breach can be a hindrance to business efficiency and innovation, and hence competitiveness. On the other side, failure to protect the information that can be accessed through this technology can have devastating consequences.
It is vital that the board works with the IT and other departments to implement cyber security across the business and enable growth in a secure environment.
7. Cyber security management frameworks play an important role
Finally, boards should set the expectation that management will implement an adequate cyber security framework. The board will directly benefit if their organisation uses an international standard, like ISO27001, to achieve that as it will be a proof to them, other stakeholders and customers that the necessary policies and security controls have been implemented. By using ISO27001, the board will be able to get access to cyber security expertise to assist in understanding the relevant cyber risks to the organisation and how they are being managed, as well as ensuring adequate budget allocation and security staff awareness programme.
Considering the above, it is not surprising that the number of global ISO27001 certificates has grown year-on-year. The figures in the ISO Survey 2013 show that certification to ISO27001 has grown by 14% globally and by 25% in Europe. The USA has the tenth highest number of ISO27001 certificates globally, combined with growth of 36%, while ISO27001 certificates in the UK were up by 13% on 2012.
Are you interested in implementing an information security framework?
IT Governance has led more than 140 successful certifications to ISO27001 around the world. Access our ISO27001 global packaged solutions at one click and start reaping the benefits today.
|Do It Yourself||Get A Little Help||Get A Lot Of Help||We’ll Do It For You|