The Crucial Need for Cyber Security Planning
The need for cyber security planning is increasing in nearly every industry across the globe. Most recently, Equifax fell victim, as did Target. Companies are increasingly vulnerable to cyber security threats due to internal and external factors, and the aftermath can be devastating.
The recent data breach at Equifax, which compromised the personal data of 145.5 million Equifax customers last year, should be a lesson to everyone. This incident cost Equifax over $242 million in related expenses. That figure included a whopping $45.7 million in IT and security costs, which was used to transform the company's IT infrastructure and improve application, network, and data security. Equifax also developed and launched Lock and Alert, a free service that lets consumers lock and unlock their own Equifax credit report, giving control back to the consumer. Another large component of the cost was $28.9 million in legal and investigative fees, which may increase further over time as investigations are still underway.
What is Equifax doing to keep this from happening again? According to their website: “We engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again. We continue to work tirelessly to support consumers and make the necessary changes to minimize the risk that something like this happens again. We have taken numerous steps to review and enhance our cybersecurity practices, and we continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.” Is this good enough, or should Equifax implement other strategies to ensure this never happens again?
Some might believe that cybersecurity insurance is a solution or a method to combat loss of revenue. Unfortunately, insurance is a poor choice as a recovery strategy, and it doesn’t even begin to factor in reputational damage, loss of customers, class action lawsuits, legal fees, and loss of potential stock market share and revenue. Equifax carries $125 million in cybersecurity insurance, with a $7.5 million deductible.
This cost is a hefty line item for any organization, and it carries no guarantee that it will prevent cyber security breaches or keep customer data safe. Organizations can do better than that and should work toward the prevention of hacks and breaches rather than only budgeting to clean up the mess afterwards. When you are managing the credit reports and personal data of millions of people, your first line of defense is data security.
Wouldn’t it be a wiser decision to plan ahead for cyber security breaches with a clear and complete business continuity plan and business impact analysis with measured risk management and recovery strategies? I bet the 145.5 million Equifax consumers would agree.
The Equifax incident involved criminals accessing victims’ private information such as names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license numbers. Law enforcement continues to investigate the situation.
As part of the Equifax recovery efforts, the company is offering identity theft protection and credit file monitoring services at no cost to the consumers whose information was stolen. The affected consumers not only experienced a monumental breach of trust and identity theft but also an inconvenience and a possible catastrophe for their credit record. Equifax gave consumers options on what they could do, such as obtain a free copy of their credit report, place a freeze or lock on their credit report, place a fraud alert on their credit reports with the three major credit bureaus, and monitor their account statements and report any unauthorized charges to their credit card companies and financial institutions.
Target has also been hit hard by a cyber security breach that affected 70 million consumers and cost the retailer nearly $300 million, in addition to the potential loss of customers, product, and reputation. This was a widespread cyber security breach, and its true impact may never be known.
Cyber security attacks and breaches can happen more easily than companies and individuals may realize. One hacker could infiltrate and corrupt your entire network from halfway across the world with the click of a mouse, stealing personal data in the process. Or an external vendor could log in to your company’s Wi-Fi and open a virus that threatens the entire infrastructure of the organization. Further, an employee could click on a malicious link on their smartphone while logged in to the company Wi-Fi and compromise the security of the company.
Billions of individuals are also at risk, as anyone who uses electronic devices could potentially be a victim of a cyber security attack. This could come from accepting a fake friend request on social media, using your credit card at a merchant, or entering your personal information on a website over an unsecured network.
While I have only focused on two examples, I am sure that many more come to mind as you read this. Regardless of the name of the company, the outcomes are always the same: bad press, a lack of stakeholder confidence, and the bleeding of money that insurance cannot stop.
These examples demonstrate the need for both Information Security and Business Continuity professionals within the organization, to present to leadership that insurance is not a true recovery strategy, nor one that is easy to recover from. Instead, the two disciplines can integrate to present a unified, proactive approach that will cost the organization far less than the total hard and soft costs of a data breach, which extend far beyond a policy and its deductible.
Christopher Duffy is the Vice President of Professional Services for Strategic BCP. Christopher is known as a thought leader and industry evangelist within Business Continuity Management. Chris is a former CIO and security speaker. Today Chris focuses on building value with customers ensuring compliance and resiliency.