Managing cybersecurity is everyone's responsibility, from the small business owner to high-level managers and board members
Cybersecurity is not an IT-executive issue but a business fiduciary responsibility. Its failures can irreparably damage a company's image as well as put the firm on life support. That's why plans must be put in place both to help avoid corporate hacking and to respond to such incidents.
It's hard to miss the press coverage of the ongoing Target Corp. cybersecurity saga. Current reports claim hackers stole the personal information of at least 70 million Target customers (possibly as many as 100 million), including names, mailing addresses, telephone numbers and email addresses.
Neiman Marcus and at least three other well-known U.S. retailers also suffered cyber breaches, carried out with a technique similar to the one used against Target. Other breaches occurred last year as well. While technically this is an IT problem, the reality is that it can be a major business catastrophe. How this plays out is in the hands of the board and corporate executive management.
Remembering TJX and Other History Lessons
In 2007, TJX Companies was found to have exposed more than 94 million credit card records to hackers over a three-year period. The company had to spend tens of millions of dollars to clean up its cybersecurity infrastructure and create a $41 million settlement fund to compensate nearly 95 percent of the affected customers and banks.
In 2013, the Ponemon Institute "Cost of a Data Breach Study: Global Analysis" found that the average total organizational cost of a data breach in the U.S. was $5.4 million, while the average notification cost was $565,020. (Notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs, and inbound communication set-up.) Additionally, the lost-business costs in the U.S. resulting from the breaches currently average more than $3 million.
These startling statistics demonstrate that while IT plays a role in all of this, it's imperative that all those in positions of authority be accountable for cybersecurity, and not just after the fact. The least expensive way to deal with a breach is to prevent it from occurring in the first place. However, many studies find that top management doesn't play a sufficient role in the governance and management of cybersecurity.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.