What are some of the consequences if organisations don't prepare for coping with cyber threats?
I don't want to be a scaremonger, but the consequences are far reaching and potentially catastrophic.
Significant costs and loss of data are the primary issues. These are often intrinsically linked because typically loss of private, financial or medical data results in fines from a regulating body.
There is then the cost of responding to an incident. Typically an organisation must engage a suitably trained forensic team to investigate an incident. This can be a mammoth task in a large organisation that is not well prepared. There is also the cost of building defence capability and intrusion detection and prevention systems.
The bad publicity surrounding a data loss can damage an organisation's reputation. Organisations that rely on their online presence for revenue, such as web retailers, must also consider if they should take the site down during the remediation period and lose significant revenue, or keep the site live and run this risk of further breaches. Furthermore, regulating bodies may place strict controls around the organisation while it recovers and proves it is appropriately prepared for future events.
Is it difficult to show organisations a return on investment from protecting their data against cyber threats?
It can be a challenge, because like an insurance policy, you never see the value until you need it and you only suffer the consequences if you don't have it in place.
Even so, recent high-profile cyber security incidents have seen a shift of attitude in the boardroom: most organisations now accept IT security as an essential and not a business overhead.
It is very important to remember that IT security is not an investment for profit. Instead it is an investment that will over time justify the costs and pay for itself.
Responding to cybersecurity incidents can become extremely costly. For example, the 2013 Ponemon Cost of Cyber Crime study found that the average time to resolve a cyber attack was 32 days, with an average cost incurred during this period of $1,035,769, or US$32,469 per day.
A useful tool to analyse and demonstrate ROI can be a model such as the Ponemon Institute's Security Effectiveness Score (see for example http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf). This evaluates best-practice security principles and correlates each to the cost of not complying with these principles. In short, the weaker your security, the higher the cost.
Working with bodies such as IMPACT can also help you demonstrate the return on investment. IMPACT has the experience and exposure to demonstrate the good and the bad relating to protecting data against security threats.
Sign up for CIO Asia eNewsletters.