Managing cybersecurity is everyone’s responsibility from the small business owner to high level managers and board members

Cybersecurity is not an IT-executive issue but a business fiduciary responsibility. Its failures can irreparably damage a company’s image as well as put the firm on life support. That’s why plans must be put in place to both help avoid corporate hacking and to respond to such incidences.

It’s hard to miss the press coverage of the ongoing Target Corp. cybersecurity saga. Current reports claim hackers stole the personal information of at least 70 million Target customers (possibly as high as 100 million), including names, mailing addresses, telephone numbers and email addresses.

Neiman Marcus and at least three other well known U.S. retails also had cyber breaches, using a similar technique to the one used on Target. Other breaches occurred last year as well. While technically this is an IT problem, the reality is it can be a major business catastrophe. How this plays out is in the hands of the board and corporate executive management.

Remembering TJX and Other History Lessons

In 2007: TJX Companies was found to have exposed more than 94 million credit card records to hackers over a three-year period. The company had to spend tens of millions of dollars to clean up its cybersecurity infrastructure and create a $41 million settlement fund to compensate nearly 95 percent of the affected customers and banks.

In 2013: Ponemon Institute “Cost of a Data Breach Study: Global Analysis” found that the average total organizational cost of a data breach in the U.S. was $5.4 million while the average notification costs was $565,020. (Notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs, and inbound communication set-up.) Additionally, the lost-business costs in the U.S. resulting from the breaches currently average more than $3 million.

These startling statistics demonstrate that while IT plays a role in all of this, it’s imperative all those in positions of authority must be accountable for cybersecurity—and not just after the fact. The least expensive way to deal with a breach is to prevent it from occurring in the first place. However, many studies find that top management doesn’t play a sufficient role in the governance and management of cybersecurity.