Leaders: Ask Yourself These Questions to Assess Your Cybersecurity Risk

March 25, 2021 · Read Time: 4 Minutes

 

Another day, another data breach. We saw several major data breaches during the first month of 2021 alone. For example, a database maintained by an online photo editing app containing 1.9 million user records was hacked on January 20, while order information for 7 million customers of a men’s clothing retailer was hacked on January 22 and posted on a hacker forum where anyone could obtain it.

The Cost of a Data Breach

A study conducted by IBM last year, The 2020 Cost of a Data Breach Report, put a price tag on data breaches. According to the study, the average cost of a data breach is $3.86 million. Also, 80 percent of data breaches resulted in the exposure of customers’ personally identifiable information, which is the most expensive type of breach to remedy.

Stolen or compromised employee credentials and cloud misconfigurations are the most common causes of data breaches, with 40 percent of breaches caused by these incidences. Misconfigured cloud networks increased data breach costs by half-a-million dollars, according to the study.

Cybersecurity Starts at the Top

Statistics like these make it clear that cybersecurity should be an important part of every organization’s operating plan. Ensuring a well-protected network starts at the top.

Here are five key cybersecurity questions that leadership cannot afford to ignore.

Question #1: Is your executive leadership informed about cyber risks that threaten the company?

Cybersecurity is about managing risk. A breach can have dire consequences, which makes managing cybersecurity risk a critical part of an organization’s governance, risk management and business continuity framework. Early response actions can limit or even prevent possible damage. Accordingly, timely reporting to leadership should be built into the strategic framework for managing the enterprise. The CEO, CIO, business leaders, continuity planners, system operators, general counsel and public affairs should be part of the chain of communications.

Question #2: What is our exposure to cyber risk, the potential impact of a breach and our plan for addressing both?

Identifying critical assets and associated impacts from cyber threats is critical to understanding your specific risk exposure, whether financial, competitive, reputational or regulatory. Risk assessment results are key to identifying and prioritizing specific protective measures, allocating resources, informing long-term investments and developing policies and strategies to manage cyber risks at an acceptable level.

Question #3: How does our cybersecurity program apply industry standards and best practices?

A comprehensive cybersecurity program leverages industry standards and best practices to protect systems, detect potential problems and enable timely response and recovery. Compliance requirements help to establish a good cybersecurity baseline to address known vulnerabilities, but they do not adequately address new and dynamic threats or sophisticated adversaries. Using a risk-based approach to apply cybersecurity standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.

Question #4: How many cyber incidents is normal for us? At what point should executive leadership be informed?

Executive engagement in defining the risk strategy and levels of acceptable cyber risk enables close alignment with the business needs of the organization. Regular communication between leaders and those held accountable for managing cyber risks provides awareness of current threats, security gaps and associated business impact. Analyzing, aggregating and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure that protective efforts are commensurate with risk.

A good way to establish updated security protocols is to have an assessment of your network. This can show you where you stand and provide insights to a solid plan of action.

Question #5: How comprehensive is our cyber incident response plan? How often is it tested?

Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, the leadership group should be prepared with a Plan B. Documented cyber incident response plans that are exercised regularly help enable timely response and minimize impacts.

Devise a Cybersecurity Plan Now

When it comes to cybercrime and data breaches, it’s not a question of if, but when. So now is the time to devise a plan for how your organization will deal with a data breach when one occurs.

Plan now to meet with your key leaders to discuss these and other critical cybersecurity questions. If you don’t have adequate answers to them now, commit to doing whatever it takes to get answers before your organization is the victim of a data breach.

 


With increased reliance on technology and remote working arrangements, many former procedures may no longer adequately protect your company against risk of data breach or potential fraud. Curious to know how you can strengthen your internal controls and business policies? Contact us to learn more about our risk management services.

 

Best Practices

New Pay Stub Requirements Go Into Effect October 1

Mergers & Acquisitions

Remaining Independent Amidst Accounting Firm Acquisitions

Best Practices

Six Reasons to Perform a Business Valuation