New data from the major security technology companies confirms this premise. According to Symantec, over half a billion personal records were stolen or lost in 2015. Attackers continue to bypass conventional security tools, breaching the clear majority of security architectures. The result is a persistent menace—a barrage of digital invaders focused at times on surveillance, but more frequently on damaging and stealing sensitive data. The proliferation of the “Internet of Things” makes corporate security and business continuity planning an even harder row to hoe.
Most security solutions are network oriented. Because of the subtle nature of today’s attacks, and because of the unprecedented levels of network data monitored and stored by companies, big data is also beginning to play a role in cybersecurity. By analyzing longer-term patterns and larger sets of data, many companies have improved breach detection and response times. But can these tools alone truly protect corporate assets, trade secrets, brand reputation, and ongoing operations?
I recently moderated a cybersecurity panel in Fort Worth, Texas, co-sponsored by the Chamber of Commerce and Bridge Partners. A former senior ranking Department of Defense security analyst told the audience that most companies can take up to 18 months to detect a breach. That does not necessarily mean that data is stolen or assets are damaged during that period. But it does mean that breach detection is often non-existent for extended periods of time. This gives attackers an almost infinite amount of “cyber time” to penetrate an environment and covertly traverse the network, looking for ways to cause harm or capture assets to be ransomed.
Without a foolproof approach to preventing, detecting, and responding to security breaches, how should the modern enterprise respond? Executive management and boards of directors should seek to understand their overall enterprise risk. This means single-mindedly asking some tough questions about cybersecurity governance and risk management, including:
Given the ubiquitous and uncertain nature of cyber threats, the answers to these questions can be elusive even for the most well-equipped executive teams and boards of directors. Most organizations lack a proactive, cohesive plan for addressing the financial and operational uncertainties that accompany a significant breach—an event that is practically inevitable.
For executives to meet their fiduciary responsibility to shareholders, they must develop and execute a comprehensive strategy that considers financial, data security, infrastructure, and compliance requirements. The most effective approach is a governance and internal compliance methodology that matches the statutory rigor of Sarbanes-Oxley. Such an approach requires organizational commitment to automated detection, periodic audits, reporting accuracy, incident management, and role requirements for business and IT departments. It also requires statistical modelling that incorporates actuarial data to help identify and prioritize the assets that are most exposed and present the greatest risk. Anything less will fall short of properly protecting critical corporate assets.
There are many digital access pathways into corporate systems. Enterprise data is managed and administered inside company firewalls and across ecosystems. This includes data such as:
These types of data (and many more) are sacred. Leaders who fail to address cyber threats jeopardize not only their careers but also the long-term viability of their companies.
Money is a finite resource for any company. Knowledge capital is not. It is imperative that business leaders apply the resources at their disposal in a thoughtful, prioritized manner to fend off cyber threats and mitigate negative outcomes.