Organizations have roughly a 30% chance of suffering a cybersecurity breach within a span of two years. Over a long enough period, a breach becomes a near certainty. Credit rating agency Equifax discovered this in July, when it lost the records of 143 million people. This is a company that was looking to grow its business in fraud prevention and identity management.
High costs of cybersecurity breaches
Wherever breaches happen, their biggest consequence is lost business. According to a study by the Ponemon Institute, these losses have been rising over the past five years. In the US, the lost-business component alone rose more than 32% over that period to almost $4 million per breach. The average total cost of a breach in the US was higher still, at $7 million, against a global average of $3.62 million; US costs were the highest in the world. In the US the costs are growing, but that is not true everywhere.
The cost of a breach is also increasing in places such as the Middle East and Japan. Meanwhile, in most of Europe, including Germany, France, and the UK, costs went down. Whatever the trend in a given region, the most effective way of lowering costs was the same all over the world: implement an information security governance program (GRC: governance, risk management, compliance), for example one built on ISO 27001, that features a robust incident response plan, employee training, and business continuity management.
Cybersecurity legal requirements and regulations
A legal requirement to run a cybersecurity program may be one of the reasons why breach costs in Europe decreased. Unlike the US, Japan, and the Middle East, Europe has a comprehensive model that governs cybersecurity and privacy across all sectors. Although the General Data Protection Regulation (GDPR) gets more attention, probably because of its potentially enormous fines, Europe has had the Data Protection Directive (DPD), adopted in 1995, in force across member states since 1998. Japan and the US follow a sectoral model, where specific sectors, most notably finance and health care, have their own regulations. Neither the DPD nor its successor, the GDPR, has such limitations, so every company operating within the EU has to maintain a higher baseline of cybersecurity.
Although the US is behind in its regulatory regime, it is catching up fast. The new New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires the financial institutions it covers to “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability […] implementation of policies and procedures […] detect Cybersecurity Events […] respond to identified or detected Cybersecurity Events to mitigate any negative effects […] recover from Cybersecurity Events and restore normal operations and services.” (23 NYCRR 500.02.) But it is not just the state of New York that is requiring programs designed to lower the impact of a breach. Other states have passed similar laws.
Delaware is a small state, but its corporate code means it is the legal home of many of the US’s largest corporations. In July 2017, the state passed new laws that require businesses that maintain personal information to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” (75 Del. Laws, c. 61, § 1.)
Although not as specific as the GDPR or the NYDFS regulation, the Delaware law does mandate reasonable security practices and procedures, and a recognized framework such as ISO 27001 is a well-established way to implement and evidence them. Because of the patchwork nature of US laws and regulations, a single comprehensive program is the practical way to demonstrate compliance across jurisdictions.
Many businesses may believe that the heavy hand of government regulation is the main incentive to institute a cybersecurity framework. It isn’t. As these studies show, and as Equifax just found out, the biggest impact of a breach is neither fines nor lawsuits: it is on your business itself. Compliance with building codes is not about avoiding fines, but about still having a house.
Protecting your business and brand
A cybersecurity program built on a standard such as ISO 27001 is not an ancillary support function of the IT department. It needs to be part of your core competency. It is a key component of stockholder value. It should be an integral aspect of your brand. Part of the Equifax brand was that its “Role as a Trusted Steward is a Key Execution Enabler.” Not a very attractive offer now.
By establishing cyber risk management, you can reduce both the likelihood and the impact of breaches. The international standard ISO 27001 sets out a best-practice approach to cyber risk management encompassing people, processes, and technology. Its controls are selected on the basis of regular risk assessments, so organizations can mitigate cyber risks in a cost-effective and efficient way. Find out more about ISO 27001 >>