First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Norman D. Marks, CPA, CRMA | 3 Minutes Read February 15, 2023

Putting cyber risk into business perspective

I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.

I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.

I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.

They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.

Money, as we know, does not grow on trees.

Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.

As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.

I added a note to the PCH language for each of the four that puts the scale of the breach into business perspective.

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

     Note: Solarwinds revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  2. Amazon was targeted with a DDOS attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

     Note: Amazon’s revenue in 2020 was $386 billion, so the loss was trivial by comparison.

  3. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

     Note: JBS’s 2020 revenue was $71 billion.

  4. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

     Note: this was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

IBM has sponsored studies by the independent research organization Ponemon Institute of the cost of a data breach for 17 years. Their latest, Cost of a Data Breach 2022, “studied 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.”

Their insights included:

  • The average total cost of a data breach was $4.35 million ($9.44 million in the US); the average cost of a ransomware attack was slightly more, at $4.54 million.
  • 83% of organizations that had a breach had more than one incident.
  • The average time to identify and contain a breach was 277 days. This is a reduction from the 287 days in 2021.

In general, costs are increasing – but that is not universal. Six countries (Germany, Japan, France, South Korea, Scandinavia, and Turkey) saw a year-on-year decrease.

When you look at the cost of a breach by industry, Healthcare suffered the highest average cost, at $10.10 million, with Financial Services next at $5.97 million.

My questions to all of you:

  1. How significant is cyber risk at your organization? Is it really a top ten source of risk to the business and its objectives?
  2. Are management and the board of your organization able to compare the level of risk to other sources of business risk and opportunity, so they can make informed and intelligent decisions about how much to invest?
  3. How confident are you that your organization is obtaining an acceptable return on its investment in addressing cyber risk, given the alternative returns on other investments?
  4. How confident are you that management understands the dynamic nature of cyber risk (and most other sources of risk to the business)? It is changing constantly.
Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.