Despite highly publicized data breaches at companies such as Citigroup and Sony, most businesses remain woefully underprepared to deal with cybercrimes and other IT-related risks.
“I don’t know a single company that has mapped out all the jurisdictions where it does business, what the cybercrime laws are there, and the proper points of contact” should an incident occur, says Jody Westby, CEO of consultancy Global Cyber Risk.
A recent survey by Carnegie Mellon CyLab found that only a third of Fortune 1000 boards had focused on guarding against the most critical privacy and security risks, which today typically stem from breaches of a company’s IT system.
Companies often seek to bolster security by investing in the newest technology, says Chris Novak, managing principal of Verizon’s investigative response unit. While that’s important, “a lot of companies are missing the core elements of security,” Novak says.
The impact and cost of data breaches often do not correlate directly to their size, Novak adds. “We often find the bigger impact stems from how a firm manages its response.”
Measuring the risks in how people and processes come into play following a breach tends to be the “big struggle,” he says.
One essential is having a response team with expertise from across the company, including a senior executive with access to the CEO and CFO, as well as representatives from IT, legal, and compliance, Novak says.
Westby recommends drills at least twice a year to train for breaches of different severity levels. Some breaches may be handled well below the C-suite, while others may require the CFO to reach out to investors and the CEO to make a public statement.
And it’s wise to have a relationship with a crisis communications firm, Westby says. “Don’t think your regular PR function is going to make all the right decisions.”
Nevertheless, companies’ awareness of cyber risks, including data theft and attacks aimed at extracting proprietary information, is growing.
“Our clients, at every level and in every industry, are coming to us and talking about options in terms of risk identification and risk transfer for those types of events,” says Robert Parisi, national practice leader for cyber and privacy at insurance brokerage Marsh.
Roughly a quarter of Marsh’s corporate clients have signed up for policies covering cyber and privacy-breach incidents, almost double the percentage a few years ago, Parisi says. He expects that growth to continue.
For a look at how cybercriminals target online banking, see Beware Online Banking Thieves.
The increasing number of cyberattacks is leading to calls for more corporate disclosure of such incidents. Read about it in Coming Clean on Breaches.