Another year, another Groundhog Day. According to folklore, if it’s cloudy when a groundhog emerges from its burrow, then spring will come early; if it’s sunny and the groundhog “sees its shadow,” then winter weather will persist for six more weeks.
Luckily – we are in for an early spring (no shadow!)
In the world of cybersecurity, it seems like company executives fear data breaches like we fear the groundhog seeing its shadow. Even with the countless breaches over the last several years, companies have continued to burrow themselves, ignoring the obvious and hoping the threat of cyber fraud will disappear.
But let’s take a real look at what’s happened:
- The U.S. had an overall increase in cybercrime of 19% between 2014 and 2015
- There were 781 recorded data breaches involving more than 169 million consumer records in 2015
- In 2015, Forrester predicted that 60% of companies would uncover a breach of sensitive data and even more breaches would go undetected
- Since 2009, over 120 million people, roughly a third of the U.S. population, have had their data compromised in more than 1,100 separate breaches
You’ve Been Breached – Who Are the Last People You Want to Tell?
Well, it is typically a board’s job to keep its finger on the pulse of the workings of a company, and this includes operations and security. No board ever wants to hear that a data breach happened on its watch. According to Ernst & Young (EY), “The risk bookend is relatively clear-cut for boards, including the potential impacts of increased costs, threatened business continuity, and reputational and customer experience concerns.”
Back in 2014, Shark Tank entrepreneur and businessman Robert Herjavec spoke to Fortune Live just after the Sony Pictures data breach reports broke. He gave an interesting opinion on how corporations should view cyber attacks and why top executives need to be more involved in shaping their company’s cyber strategy.
“The Target breach in 2013 caused high-level executives to be exposed. The CEO of Target was fired due to the breach. We saw board-level interest in a computer breach – this had never happened before. A year later, the Sony breaches caused a class-action lawsuit by Sony employees, and company-wide communication outreach suggested credit card re-issues and password changes for anyone involved with the company. Most of these breaches occurred 6 months before they were even found out. We are not that far off from a cyber attack that will affect human life. It’s time for full awareness of board-level executives as well as a security plan in place to fight against an inevitable data breach.”
Then there is the fact that data breaches can irreparably damage a company’s reputation and financially devastate shareholders.
- The mean number of days it takes to resolve cyber-attacks is 46, with an average cost of $21,155 per day – a total cost of $973,130 over the 46-day remediation period.
- The yearly mean cost was up 13%, at $7.7M, with a range from $0.31M to $65M.
- Detection proves to be the most costly internal activity: detection and recovery account for 53% of the total internal activity cost, and productivity loss and direct labor represent the majority of those costs.
Boards Are Making Cybersecurity a Top Priority
According to Ruby Sharma of the EY Center for Board Matters, “Cyber risk is top of mind as companies and their boards more clearly recognize the cyber landscape and engage in discussions about not only mitigating cyber risks, but also how to live with them.”
Additionally, The Wall Street Journal reported that boards are tasked with hiring top technology experts from outside their companies to implement and support their fight.
“There is a realization that boards need to evolve as businesses evolve,” Ann Yerger, executive director of the Center, told WSJ. “Boards are responsible for ensuring that the necessary infrastructure is established to prevent the onset of cyberthreats. Companies must also be prepared to effectively mitigate malicious activities if, in fact, they do take place.”
What Does 2016 Hold in Store?
Some industries have been quicker than others to adopt heightened cybersecurity measures and plans. Big retailers that took the punch of a data breach right on the chin have been proactive in revamping their security plans. Other industries, like healthcare, have been slower out of the gate and are becoming a favorite of cyber criminals. In fact, according to the Office for Civil Rights (OCR) under Health and Human Services, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records.
This past September, the Scottsdale Institute CIO Summit brought together eight leading healthcare CIOs to discuss the challenges in healthcare security as well as the best ways to stay competitive in a changing market. The overall consensus was that more support was needed at the senior leadership level:
“In order to be successful, CEOs will need to be much more involved as will Board and audit and compliance committees. The Board may need to be educated and have an advanced understanding of the issues surrounding health data security. CEOs need to understand there may be much more expense involved with managing security than they have traditionally budgeted and in addition there may be more difficult change management leadership needed at the executive level.”
As at the 2014 CIO Summit, implementing data encryption strategies was a key discussion point, and one that healthcare organizations should keep top of mind to help diminish security risks. For example, Bluefin provides healthcare and retail organizations with a PCI-validated point-to-point encryption (P2PE) product suite that is designed to secure payment data by encrypting it inside a PCI-approved P2PE device.
Encrypting data within the device prevents clear-text cardholder data from reaching the organization’s system or network, where it could be exposed in the event of a data breach.
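Added example, not code from the original post or from Bluefin: a check a merchant can run over its own logs or captured traffic to confirm that clear-text cardholder data is not reaching its network. It compares a constructed message from a legacy terminal with a constructed message from a P2PE-style device that carries only ciphertext and a masked PAN; the field names, the test card number, and the ciphertext value are assumptions.

```python
import re

# Constructed samples of what a merchant's network monitor might capture.
# The card number is the well-known Visa test PAN; nothing here is a real capture.
LEGACY_TERMINAL_MSG = (
    "POST /auth HTTP/1.1\r\n"
    "pan=4111111111111111&exp=1226&amount=4250&merchant=STORE-0042"
)
# A P2PE-style device sends the PAN only in encrypted form (hex, constructed),
# plus a key serial number and a masked PAN (first six / last four digits).
P2PE_DEVICE_MSG = (
    "POST /auth HTTP/1.1\r\n"
    "ksn=FFFF9876543210E00001&enc_track2=9c0f4a7d2e6b81c3d5a4f0e7b2c9d1a6"
    "&masked_pan=411111******1111&exp=1226&amount=4250&merchant=STORE-0042"
)

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_text_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number found in clear text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message name to the clear-text PANs it exposes."""
    return {name: find_clear_text_pans(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, pans in scan({"legacy": LEGACY_TERMINAL_MSG,
                            "p2pe": P2PE_DEVICE_MSG}).items():
        print(name, "exposes" if pans else "exposes no", "clear-text PAN(s)", pans)
```

The masked PAN and the key serial number survive the scan untouched, which is exactly what keeps the merchant's own systems out of the clear-text path.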
Payment security is clearly key to any company’s overall cybersecurity strategy. We need look no further than Target’s data breach to see the integral role payment security plays in cybersecurity. Two legal complaints filed against Target allege that Target’s board “failed to take adequate measures to protect confidential consumer information” and compounded that failure by “failing to provide prompt and adequate notice to customers” of the breach and lulling them into a “false sense of security” through statements. The complaints also cite governmental investigations and class action lawsuits as damaging to the company.
Like Groundhog Day, time will tell the story on whether Board members retreat back to their burrow (or boardroom) or stand to face their own shadow in the blazing light of cyber fraud.