“Bill Sweeney, CTO, Americas, BAE Systems, sat down with Harvard Business Review and discussed the importance of executives personally knowing how strong their company’s cyber defenses are, as well as the expected responses to attacks or breaches.”
All companies connected to the internet are vulnerable to cyber attacks. And the potential losses are significant. Retail giant Target, for example, estimated its losses from a 2013 data breach at more than $250 million. What’s more, according to a recent survey conducted for BAE Systems of 300 managers in the financial services, insurance, and IT/tech industries in the U.S., 85% of respondents listed reputational damage as the most prominent result of a data breach, with 74% citing legal liability as the second largest concern.
Liability for data breaches that affect customers leads directly to the C-suite. Executives need to personally know how strong their company’s cyber defenses are, as well as the expected responses to attacks or breaches. But according to the survey, 40% of respondents admitted that they lacked a clear understanding of the cybersecurity protocols within their organizations. This should be an urgent wake-up call to executives that cybersecurity needs to be taken seriously throughout the organization.
Executives should start by understanding what protocols they currently have in place — and where they fall short. An annual security assessment is thought to be a best practice to prevent data breaches. If performed correctly, the security assessment reveals the residual risk — the number and scale of attacks that are likely to get through. If the residual risk is acceptable, then an annual review may be sufficient. However, if the residual risk is concerning, then a semiannual or even quarterly review may not be enough. This, of course, shifts the discussion to what level of residual risk is acceptable, depending on your company.
In many ways, this risk assessment reflects the new reality of cybersecurity. In a fast-moving, hyper-connected world, the approach needs to be dynamic rather than static. For example, a dynamic approach would be to schedule two annual reviews with two different vendors and stagger them by six months. In doing so, a company can cut in half the average time a successful attack goes undetected, compared with relying on a single annual review. Other alternatives are to extend this model so that assessments are quarterly or “on demand” in response to predetermined events, or to run random checks against known threats.