Even before the COVID pandemic, managing cybersecurity issues and compliance was a day-to-day struggle for businesses. Now, companies small and large, in technology, manufacturing, education, healthcare, service-based, and other industries, face an expanded challenge: managing information security for large-scale Work@Home teams that have moved from corporate offices to home offices.
The remote work environment is more complicated, with greater potential for security gaps that can be exploited by threat actors and opportunities for human error. Protecting confidential information generated by and entrusted to a company is more important than ever. This “pressure to protect” comes at a time when many businesses are experiencing shrinking budgets, and the decision to invest in tools to create, manage, and maintain a proactive information security program requires a compelling return on investment (ROI).
Let’s explore four factors to consider when comparing costs and benefits.
Managing Assets and Treating Risks Efficiently
The heart of protecting information is twofold: 1) understanding where it is stored and 2) assessing and treating risks that can result in incidents and breaches. That means you must have a complete inventory of your information assets, have an up-to-date risk assessment, and create a treatment plan that can be followed by all stakeholders.
Imagine managing those efforts manually using spreadsheets, emails, and multiple repositories. The information changes continuously, and it is incredibly time-consuming work, which generates labor expenses and decreases productivity throughout an organization. In what ways?
- Requires significant infosec resources to work with people from various departments to identify assets, evaluate risk, and keep track of constantly changing information
- Creates data silos that make it challenging to maintain accurate information about the status of assets and risks
- Causes more manual effort to obtain a unified and actionable view of all assets, risks, and treatment plans, including:
- Inability to understand the potential risk of assets and track mitigation efforts
- Difficulty analyzing information to measure compliance
- Lack of information needed to demonstrate compliance to clients, vendors, partners, and other third parties
- Lack of visibility leading to unintended cybersecurity exposure
In today’s business environment, we wouldn’t think of asking finance departments to manage the company’s accounts payable and receivable, expenses, etc. on spreadsheets stored on their G: drive. Desktop accounting software significantly reduces the time it takes to manage finances and makes it easy to report on them. The same rationale applies to information security and compliance management software.
Performance Visibility: Executive Stakeholders
Members of executive teams and Boards of Directors may not be well-versed on the ins and outs of managing cybersecurity risk, but it is one of their top concerns. As indicated in the PwC Annual Global CEO Survey, cyber threats top the list of issues CEOs view as extremely concerning to their organizations.
PwC 23rd Annual Global CEO Survey
CISOs and information security directors can expect to be the targets of frequent questions about the nature of an organization’s security posture and program, existing risks and gaps, and plan to mitigate those risks. Executive teams are looking for a comprehensive understanding of cyber risk, and they are increasing their budgets to meet those goals. And while some leadership teams believe they understand their information security programs well enough to evaluate risks, as indicated in the survey results from the EY Global Information Security Survey below, most do not.
Source: EY Global Information Security Survey 2018-2019
Without a platform to aggregate infosec program data, information security teams are often left ?flat-footed? when asked to report the status of infosec efforts and risk management progress to the executive team or board of directors.
On the other hand (or foot, in this case), the ability to demonstrate progress via a simple dashboard and view detailed risk management progress can help justify the investment in an infosec compliance platform. And, that ability can help the infosec team stand out as the heroes.
Access to Cyber Insurance Protection
With data breach costs skyrocketing, cyber insurance has gained popularity with business leaders. Similar to liability insurance, which is designed to cover business problems, physical risks to locations, and natural disasters, cyber insurance protects against cyber threats.
Cyber insurance works in combination with a comprehensive information security program; it’s not a replacement for one. Demonstrating a strong security posture can deliver benefits in this area, such as lower insurance premiums. Plus, as CISCO notes in its cyber insurance overview, “If your business has not invested in the appropriate cybersecurity solutions, then you may not qualify for insurance or it could be limited and expensive.”
Using compliance tools to manage information security program makes it easy to validate your security posture with insurance providers and the many other vendors with whom you do business.
Avoiding the Ultimate Cost: A Data Breach
When a cybersecurity incident occurs, whether accidental or as a result of an intruder or hacker, it can result in exposure of sensitive data, disrupt business operations, create legal headaches, and put the organization at risk for financial and regulatory liabilities.
In some cases, a breach may not be discovered until days, weeks, or even months after the incident has occurred. The longer it takes to identify the incident, the more data may be exposed, and higher financial penalties could be incurred.
According to a report from IBM and the Ponemon Institute, the average cost of a data breach in 2020 is $3.86 million. Let’s break down the costs that may be included in resolving a cyber-attack:
- Overtime Payroll Costs: Overtime pay for staff to diagnose and resolve the situation, as well as productivity losses related to lack of network/software/system access by employees
- Technical and Legal Consultant Costs: To augment existing staff, provide additional issue resolution expertise, and offer recommendations to reduce the potential of a future security incident
- Breach Mitigation Efforts: Time and effort to update equipment and software, verify databases, and implement updated protections on devices throughout the organization’s network
- Regulatory Penalties: Financial penalties assessed by government entities or industry organizations for data exposure and breaches
- Reduction of Sales and Lost Revenue
- From customers whose data may have been exposed and are wary of the company’s ability to keep their data secure
- Operational disruptions that cause a pause in delivering goods or services to customers in a timely way
- Due to the organization’s poor reputation in the marketplace
- Due to network or website outages that restrict online purchases
- Ransomware Payment: Depending on the severity of the situation and type of business, stakeholders may decide to pay the amount demanded by hackers so they can rapidly return to operations
- Credit Monitoring Costs: Organizations that experience a breach often pay for credit monitoring services for companies or individuals whose data was exposed
- Security Program Enhancements: Updating procedures and processes to reduce or eliminate the reoccurrence of another security incursion
- Higher Insurance Premiums: Increased costs for Cybersecurity Insurance coverage
The costs to remedy an information security breach can vary from thousands to hundreds-of-thousands of dollars or more. It can take days, weeks, or even months to resolve. And, the public relations impact can be just as damaging. A data breach can affect a business’ brand for months or even years, which generates higher costs to maintain existing customers and missed opportunities with prospects who may choose competitors.
According to Information Age, “Research has shown that up to a third of customers in retail, finance, and healthcare will stop doing business with organizations that have been breached. In addition, companies that have experienced a breach often see an increased cost when it comes to acquiring new customers.”
The Next Steps
With cybercrime and ransomware incidents growing in frequency and intensity, it simply makes sense to ensure your infosec team has the tools they need to manage data security compliance efficiently. For the cost of a summer intern, you can have a platform that streamlines your compliance process, ensures you are prepared to demonstrate the strength of your security program, provide valuable insights to executive teams, and save time and money across the organization.
If you’re just getting started with information security, or you’re looking to enhance an existing initiative, check out our guide: 5 Steps to a Sustainable Information Security Program. It provides practical information to help you create, manage, analyze, and monitor a successful infosec process.
ORRIOS’ OnTrack ® platform enables organizations to develop effective data privacy and information security programs so that they can demonstrate compliance for customers, regulators, and stakeholders. OnTrack helps guide compliance teams in creating, managing, analyzing, monitoring, and continuously improving sound compliance programs for a variety of compliance frameworks, standards, and regulatory requirements.
Contact Maureen Kelly at maureen.kelly@orrios.com or 404-378-7233 for more information.
Recent Comments