7 cyber crime facts executives need to know

What is your organization's attitude about your security program? Jon Murphy details how a recent report reveals too many still have their head in the sand when it comes to risk management

By Jon Murphy

January 12, 2011 | CSO

The bad guys are getting smarter. Whether they are terrorists who have realized that destabilizing the economies of developed nations, especially leaders like the USA, is another way to hurt the world and advance their agenda; disgruntled insiders; or "ordinary" criminals with a predominantly profit motive, cyber crimes are increasing in number and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of U.S. companies conducted by the Ponemon Institute, an organization that conducts independent research on privacy, data protection, and information security policy.

The point that the Institute is seemingly trying to make with its representative study is that Enterprise Risk Management (ERM), especially as it relates to IT, needs to ramp up: companies are getting lax again (or are still lax) and are re-assuming the attitude that "it" (i.e., bad things) won't happen to them. The 23-page Ponemon Institute report is available online at the Institute's website, but here is a high-level, seven-point summary along with my input on how the information may relate to your company's situation.


Cyber crimes are far more costly than taking steps to harden an environment beforehand
The study reports that the average response cost for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents was generally less than 1/3 of that amount. In other words, and rather obviously, pre-planning and mitigation are, in most cases, a heck of a lot cheaper than merely reacting with an ad hoc response after an incident or breach.

Even more importantly, the appointment of a single top executive responsible for enterprise risk management, such as a Chief Security Officer or, better still, a Chief Risk Officer, is a critical factor for success. Often reporting autonomously and straight to the board of directors, and holding a true enterprise-wide view rather than a purely technology-centric one, this executive can ensure that risk management is "baked in" at the start of projects and programs rather than "bolted on" haphazardly as an afterthought. Conversely, merely relegating IT security and risk management to some "underling" as one facet of a job in another line department is a quick recipe for big trouble.

Additionally, the creation and rollout of an ERM strategy, together with adherence to a voluntary governance/certification framework (such as ITIL, NIST, etc.), appear both to substantially lessen the chance of an incident occurring and to reduce the total cost of dealing with a cyber crime incident when one does occur.
