Data breach: Why it’s time to adopt a risk-based approach to cybersecurity
The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded.
Because Travelex provides services to some of the world’s largest banking corporations, including HSBC, Lloyds, Barclays and RBS, the attack will clearly have a significant long-term impact on its reputation and revenues. The company also potentially faces a catastrophic fine if customer data is found to have been accessed illegally.
The escalating costs and consequences of data breach
In the EU, the financial repercussions of a data breach can be significant. Falling foul of GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organization’s annual global turnover, whichever is the higher. Meanwhile, from a reputational standpoint, a data breach has major ramifications for customer confidence and loyalty.
With cybercriminals representing a persistent risk to enterprise wellbeing, it’s little wonder that CEOs, CFOs, CISOs and CIOs now view cybersecurity as a top priority.
From lost business and falling share prices to regulatory fines and remediation costs, data breaches can have far-reaching and devastating financial consequences. According to the 2019 Cost of a Data Breach study conducted by the Ponemon Institute, the average cost of a data breach in the UK was $4.88 million – up 10.5% on the previous year.
The same report also found that UK companies took an average of 171 days to identify a breach and an average of 72 days to contain it, and highlighted that the accumulated costs in the second and third years post-breach were highest for organizations operating in highly regulated environments such as healthcare, financial services and pharmaceuticals.
Building a cybersafe business requires enterprise-wide leadership collaboration
Research confirms that organizations with a well-informed and involved CEO and board of directors are the most likely to succeed at creating a strong security posture. Compliance with external and internal regulations and governance programs that are cascaded from above, together with effective oversight and management from leadership, helps the entire organization view data security as a strategic rather than a tactical activity.
Similarly, closely aligning the priorities of the IT operations and IT security functions will help ensure that the resolution and remediation of security problems can be completed successfully and that a strong security posture can be achieved without impacting enterprise productivity.
Strong accountability models, in which decision-making on risk rests with those who have the authority and overview to address these issues, can go a long way to ensuring that systemic security problems are not ignored or brushed under the carpet. At the end of the day, data security should not be viewed simply as a technical problem handled by technical personnel working in IT.
Best practices for minimizing cyber risk
Recognizing the need to address cybersecurity, and then deciding how much money to invest and on what, is one of the top challenges today’s enterprise leaders face. With the threat landscape constantly evolving, the following practices can help organizations make the shift to a more proactive, risk-based approach.
1. Understand your organization’s threat profile – Undertaking a detailed risk evaluation adapted to your business activities and infrastructure is the starting point. Profiling and scoring typical attacker types and the likely sophistication of their endeavors will help inform the strategies of your security analysts and provide insight into what cybersecurity products should top the investment list.
Unfortunately, research shows that all too often organizations throw money at the latest and most highly publicized security exploits rather than the most persistent and likely vectors for attack. For example, web application vulnerabilities have been the top cybersecurity risk for several years, yet only 3% of IT spend is currently directed at web application security.
2. Get outside help – Bringing in external expertise to evaluate and benchmark the organization’s security posture against similar organizations operating in the same market will help verify whether information security policies and plans are appropriate to the identified enterprise risk profile. Use independent consultants to undertake security and risk management reviews to boost security resilience and help leaders define an appropriate investment strategy for cybersecurity tools.
3. Consider cyber liability insurance – Using experts to conduct a detailed evaluation of the organization’s cyber liability insurance cover, to ensure it is adequate, will also help to highlight ways in which doing security better could deliver additional commercial benefits, such as a lower premium. Gaining full visibility into the cyber health of the company and documenting the security measures and controls in place can help organizations identify where they need additional coverage for crucial areas. Armed with a digital resilience score, organizations will be well placed to cover more risks for less.
4. Get CISOs talking – CISOs need to capitalize on every opportunity to talk to business leaders and communicate the importance of prioritizing cyber risk and building robust internal controls. Rather than being viewed as a roadblock to potential innovation, closer collaboration with executive teams and peers across the business will foster open dialogue and problem solving that acts as a business catalyst for the enterprise.
5. Evaluate, check and review – Undertake regular risk audits to reassess the current state of play, evaluating the impact of any changes such as the implementation of new technologies, the introduction of new revenue lines or the incorporation of new units or company takeovers. This activity should be complemented by periodic testing of disaster recovery and business continuity plans to ensure everything is in place and works as expected, to mitigate the potential damage resulting from a cyber breach.
6. Take steps to protect against insider threats – Malicious insiders are the leading cause of data breaches, so putting in place programs to monitor users’ behavior is vital. Instituting good information management practices that include mobile device management, network monitoring and access control management will help eliminate the potential risk of negligence by naïve employees and contractors.
With business leaders focused on forging ahead with their digital business initiatives that enable new customer interactions and service delivery, getting everyone on board with managing security and risk exposure will be key to protecting the enterprise against malicious attack.
To succeed, organizations will need to take a proactive stance that incorporates risk-based decision making that ultimately improves business agility.