Rob Swystun, Pristine Advisers
We’re all hearing about “big data” these days, but what we tend not to hear about are big data breaches. And, apparently, they’re happening with alarming frequency.
About a year ago, the Ponemon Institute, an organization that studies data privacy and security, released its report ‘The Post Breach Boom.’ Commissioned by Solera Networks, the study polled 3,529 IT and IT security professionals in the U.S., Canada, UK, Australia, Brazil, Japan, Singapore and United Arab Emirates who represented companies that had suffered at least one data security breach in the prior two years.
Some of the highlights from the report:
- According to the majority of respondents, data breaches have increased in both severity and frequency.
- 63% of respondents say that knowing the root causes of breaches strengthens their organization’s security posture.
- Only 40% say they have the tools, personnel and funding to pinpoint the root causes.
- On average, it takes companies 80 days to discover a malicious breach.
- It takes them 123 days to resolve it.
- One third of malicious breaches are not caught by any of the companies’ own defences.
- Those breaches are discovered only when a third party notifies the company.
- 34% of malicious breaches are discovered accidentally.
- 42% of malicious breaches targeted applications.
- 36% targeted user accounts.
- On average, malicious breaches ($840,000) are significantly more costly than non-malicious data breaches ($470,000).
- For non-malicious breaches, lost reputation, brand value and image were the most serious consequences.
- For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.
“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” Larry Ponemon, chairman and founder of Ponemon Institute, said at the time of the report’s release. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility—as well as a need to know the root cause of the breaches themselves—in order to close this persistent window of exposure.”
So, the question is: what can companies do about it?
In a Huffington Post piece, Harlan Loeb asked just that question … okay, not that exact question, but a similar one. He specifically asked what a company’s board can do about these data breaches.
Of course, a board of directors isn’t directly responsible for preventing or solving cyber security breaches. In fact, a 2013 study by consulting firm McKinsey & Company revealed that about 30% of directors say their boards have limited to no understanding not only of the cyber security risks their companies are facing, but of risks in general.
But, as Loeb points out, boards are in a unique position to enact preemptive measures against these risks.
First, boards have the spending authority to identify and retain resources for risk management. They have full authorization to hire the experts needed to identify and mitigate potential risks. If that means shelling out money to hire the best minds from the pool of retired CIA, NSA or military experts to guard against cyber threats, boards have the power to do that.
A longer-term way to mitigate potential risks would be for a board to diversify its membership (and here shareholders can have influence through board nominations and voting) to include experts in the areas where the company faces systemic and episodic risks in its sector. Wouldn’t it make sense to have someone who understands the ins and outs of cyber security helping to run the company?
With technology constantly evolving and developing, new risks will continually pop up and multiply. By spending the money to hire the proper consultants and by diversifying their membership, boards can go a long way toward snuffing out potential risks before they become real problems.