7 Cybercrime Facts Executives Need to Know

The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or "ordinary" criminals with a predominant profit motive, cyber crimes are increasing and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of U.S. companies conducted by the Ponemon Institute. This organization conducts independent research on privacy, data protection, and information security policy.

By Jon Murphy
Wed, January 12, 2011

CSO — The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or "ordinary" criminals with a predominant profit motive, cyber crimes are increasing and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of U.S. companies conducted by the Ponemon Institute. This organization conducts independent research on privacy, data protection, and information security policy.

Slideshow: Quiz: Separate Cyber Security Fact From Fiction

The point that the Institute is seemingly trying to make with their representative study is that Enterprise Risk Management (ERM), especially as it relates to IT, needs to ramp up; companies are getting lax again/still and re-assuming an attitude of "it" (i.e.: bad things) won't happen to them. The 23-page Ponemon Institute report is available online at their website but, here is a high-level, seven-point summary and my input of how the information may relate to your company's situation.

See also: Report: CISOs keep breach costs lower

Cyber crimes are far more costly than taking steps to harden an environment beforehand

The study reports that the average for response costs for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents, were generally less than 1/3 the cost. In other words, and rather obviously -- pre-planning and mitigation is a heck of a lot cheaper, in most cases, than merely reacting with an ad hoc response after an incident/breach.

Even more importantly, the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success. Often autonomously reporting straight to the board of directors and with a true enterprise-wide view, not just technology centric, this executive can appropriately ensure that risk management is "baked in" at the start of projects and programs, rather than merely "bolted on" haphazardly as an afterthought. Also, merely relegating IT security and risk management to some "underling" as one facet of a job in some other line department is a quick recipe for big trouble.

Additionally, the creation and rollout of an ERM strategy and adherence to a voluntary governance/certification framework (such as ITIL / NIST, etc.) appear to both, substantially lessen the chance of occurrence and the total cost of a dealing with a cyber crime incident.

Continue Reading

Originally published on www.csoonline.com. Click here to read the original story.
Our Commenting Policies