Like most unwanted corporate events, failing to plan for a possible cyberattack drives up the costs if one occurs.
U.S. companies experience some of the highest costs from cyberattacks, according to the 2014 Cost of Data Breach Study from the Ponemon Institute. The report put the average total cost of a single data breach to U.S. companies at $5.9 million, and $195 per record of information. Among companies representing 10 countries, those in the U.S. also experienced the highest costs associated with post-breach activities and related to lost business.
The Ponemon study emphasized, however, what many proactive financial executives already know: by taking certain actions, they can potentially reduce the costs associated with a data breach. For instance, companies with an incident management plan were able to reduce the cost per compromised record by $12.77. Not only is it economically prudent to have an incident response (IR) plan, it’s a common-sense precaution that financial executives should insist upon.
After all, CFOs, in particular, bear some responsibility for cybersecurity. They are often expected to assess cybersecurity risks, help align cybersecurity strategy with business objectives and get buy-in from the board on necessary cybersecurity investments. Not to mention, the CFO is inevitably involved in helping to clean up the financial and legal mess that typically accompanies a data breach. CFOs are also in the best position to address the scrutiny companies may receive from the SEC in the aftermath of a cyberattack because the commission has listed cybersecurity as a priority in its compliance examination program.
Preparing for a Breach
CFOs can be instrumental in helping their organizations prepare for a possible cyberattack. Hoping it won’t happen or simply transferring responsibility for cybersecurity to the IT department are not good options. Financial executives can help their organizations shore up their cybersecurity defenses with the following actions:
Take inventory of your assets. Knowing the types of data the company has and their locations is a first step toward protecting valuable information assets. Through the process of data mapping and classification, organizations can identify and locate their sensitive data. Think of it as the digital equivalent of going through one’s home and inventorying valuables for insurance purposes. Normally, this exercise begins at a business unit level and then moves up to the enterprise-wide level. Data mapping can help companies answer important questions like: “What are the crown jewels of our business?,” “Is IP important?,” and “Are we an information-gathering or data-hosting firm?”
Assess vendors’ security measures. Companies also need to evaluate potential vulnerabilities across the entire business “ecosystem.” One aspect of the SEC’s compliance examinations is how well companies conduct due diligence in reviewing the cybersecurity efforts of third-party vendors. With this in mind, take into account the types of data held by business partners, vendors and other third parties — not just the data that is stored within the organization. Are the cybersecurity measures and data management processes of vendors up to par? These assurances can be gained through contractual agreements, assessments or audits.
Depending on an organization’s size, it may have a vendor management group that takes responsibility in this area, or it might require a combined effort, with accounting and IT security staff working together to evaluate vendors’ efforts to safeguard data.
Develop a risk profile. Companies won’t really know how vulnerable their systems are until they become hacking targets. Rather than lying in wait for the worst-case scenario to happen, consider hiring an outside firm to conduct a vulnerability assessment and penetration test (i.e., ethical hacking). Based on the outcome, companies can identify the biggest weaknesses in their systems and develop a risk profile. This information is also useful in deciding where to allocate resources and which areas to prioritize.
Keep in mind, though, that a vulnerability assessment only examines one point in time; organizations must remain vigilant in maintaining their cybersecurity efforts to ensure continued effectiveness.
Create an incident response team and develop a plan of action. It’s critical for companies to have an IR plan, which is somewhat different from a breach response plan in that it’s designed to avert a full-blown breach. A comprehensive IR plan details specific policies and procedures to be implemented in response to various types of incidents that could occur — e.g., a lost computer that contains sensitive information, an external data breach or the presence of malware.
Companies need a defined IR team to spearhead their efforts. Some organizations appoint a chief information security officer to oversee cybersecurity efforts and report to the internal audit leader or CFO. The creation of such a position can decrease the cost per record of information by $6.59, according to the Ponemon Institute’s 2014 Cost of Data Breach Study. The rest of the team should include representatives from all data custodians, such as HR, marketing, accounting, and R&D, as well as the security officer, IT director and a member of the executive management team (the CFO is a logical choice). Others that may be included are vendors or partners that have access to your data, public relations professionals, a federal law enforcement official or a specialized cybersecurity consultant.
The next step is to define roles and responsibilities, and establish checklists to ensure everyone is clear about what to do in response to different types of incidents and scenarios. The risk profile and IR plan should be living documents that are revisited periodically. Ideally, companies should conduct a vulnerability assessment and penetration test every six months, updating the risk profile and informing the IR team of the results so they are aware of the evolving strategy. With a thorough plan in place, companies can defuse a potential cybersecurity issue quickly and restore faith in their brand promptly.
Even with an IR team and plan in place, companies must maintain their vigilance and be proactive. The IR team should meet with stakeholders and update the risk profile regularly — at least once a quarter — and as an organization evolves, so should its risk profile.
In Case of a Breach
Planning and risk mitigation are important, but they cannot guarantee protection from an attack. With this in mind, it’s wise for companies to consider incorporating cybersecurity insurance as part of their efforts to manage the risk of attacks and threats. The Ponemon Institute’s research suggests cybersecurity insurance plays a role in improving the security posture of an organization and that companies with good security practices are more likely to purchase insurance.
Companies that experience a breach will want to immediately notify outside counsel, who will provide guidance as they start executing the IR plan. Be sure to bring all stakeholders to the table and keep any relevant parties apprised of the team’s findings.
The IT services adviser should act quickly to assess and report on the extent of the breach, ideally within 12-18 hours. An adviser will then perform data analytics on server logs, routers and network operations devices to understand anomalies and determine the nature of the breach and where it originated. The adviser will collect email from servers, as well as review unstructured data to determine whether an organization did what it could to prevent the breach.
Finally, upon completing the investigation, the adviser works with the IR team to preserve data for remediation purposes, patch holes or remove malware, and get the organization back online to avoid a delay in operations.
After addressing the initial crisis, the adviser also works with the in-house IT team to replace any corrupt systems and implement projects to address security weaknesses. Other types of services, such as litigation support, project management and public relations help may also be needed at this stage. In the longer term, companies will want to work with IT analysts, industry experts and other specialists to assess processes and make any necessary changes to the IR plan.
Planning eases the pain of an attack
Ignoring cybersecurity issues will ultimately cost you in numerous ways, but certainly in terms of dollars. Financial executives can and should play a key role in examining their organization’s cybersecurity measures, supporting efforts to bolster internal defenses and encouraging the development of a robust response plan. While companies cannot completely guard against a cyberattack, they can be prepared for one. And being prepared will not only provide peace of mind but will translate into savings in terms of time, money, reputational damage and headaches if a breach does occur.
Skip Westfall is a Managing Director and the Practice Leader of the Forensic Technology Services Practice of the Forensic, Investigative & Dispute Services Practice of Grant Thornton as well as Co-Chair for the firm’s Cyber Security Practice.