This post is based on findings from our report on a survey of more than 370 board members and C-suite executives about the risks they consider top-of-mind for the coming year. The survey was conducted for the second consecutive year by North Carolina State University’s ERM Initiative and Protiviti. For more information, visit www.protiviti.com/toprisks.
One of the more interesting dichotomies to surface in Protiviti’s Executive Perspectives on Top Risks for 2014 survey is a declining concern – albeit slight – over operational cybersecurity. This is occurring in the face of a fast-rising strategic concern that disruptive technological innovation is evolving faster than organizations are comfortable managing.
I know I don’t have to convince anyone that cybercrime is a real danger – and there’s plenty of data to prove it. The White House recently released final voluntary cybersecurity standards, the Cybersecurity Framework. These standards are viewed as a national imperative. They were created for private businesses, especially those that make up the nation’s “critical infrastructure,” which includes telecommunications companies and utilities. The Framework focuses on identification, protection, deterrence, response and recovery. (For more information, read our Flash Report on the new Cybersecurity Framework.)
There is a growing body of evidence that security breaches to date, while embarrassing, may not be creating long-term reputational damage, except in extreme situations. Over time, the public is starting to recognize that cybercrime losses are a cost of doing business, similar to investment losses or normal retail theft. A July 2013 report from the Center for Strategic and International Studies, a nonprofit global security think tank in Washington, D.C., placed the scope of cybercrime at up to 1 percent of the global gross domestic product. The Center also suggests that the only real and lasting damage from cybercrime comes from the theft of intellectual property.
That doesn’t qualify as “good news,” however. Make no mistake about it: cybercrime and cyber espionage cost the global economy billions of dollars every year. Further, this dollar amount, large as it is likely to be, may not fully reflect the damage to the global economy. Cyber espionage and crime slow the pace of innovation, distort trade and bring with them the social costs associated with crime and job loss.
Just because people are recognizing security breaches as a common threat doesn’t mean that organizations shouldn’t do everything in their power to prevent cybercrime and eliminate potential breaches.
Here are some recommendations to address critical cybersecurity issues. These are summarized from Issue 44 of our Board Perspectives: Risk Oversight newsletter:
1) Make incident response a top management priority to avoid these common pitfalls:
- Developing a plan “good enough” to satisfy the business and non-IT personnel in the organization
- Failing to include an escalation plan, and appropriate rules, responsibilities and protocols for the plan’s execution
- Testing just enough to demonstrate compliance, but failing to test the plan thoroughly
2) Build a preventative human and technology security perimeter. By building a strong communication program and heightening the overall risk consciousness regarding cybersecurity, companies can help their employees recognize risky behavior and respond to attacks. Continuing employee education, alongside strong technical security controls, will help clarify how to use the technology in question.
3) Use escalation protocols to increase visibility at the top. We still see too many boards treating cybersecurity as “an IT issue” rather than as a business issue.
4) Create an operational framework for incident response. Companies should establish an incident response program that has management visibility and sponsorship.
5) Consider retaining appropriate external expertise.
Having a strong plan to manage cyber risk is as important as managing through the economic, political and regulatory environment. For more on this topic, see my recent blog post, Cybersecurity Framework: Where Do We Go From Here?