Richard Long, Senior Advisory Consultant, MHA Consulting
For Business Continuity planners, data security has become a high priority element of the program. Audits have pushed this to the top of the priority list for many organizations. Even with all the data breaches over the past several years, many organizations are not prepared to react to a data breach. We have seen the entire continuum – from highly prepared for a breach (with formal plans, regular exercises, and technologies in place to prevent breaches) to a strategy of hope – we hope it does not occur.
Every security expert with whom we have worked says it is not if, but when, an organization will have some type of data exposure or cyber event. The cost of these breaches has grown year over year. A 2015 study by IBM and the Ponemon Institute calculated the average cost to organizations (350 companies in the survey) to be 3.79 million dollars. This is an average of $154 per record lost or stolen. Depending on the industry the cost can vary, with the public sector at $68 and retail at $165.
Organizations must make planning for and preventing data breaches an ongoing activity. It should be noted that a basic security penetrating code can be purchased for a little as 10–15 dollars on the web. These codes are not sophisticated, but the ease of access should cause everyone to pause.
Your planning should include the following:
- Does your organization have or need cyber insurance?
- What is your response plan in the event of a cyber event?
- What is your communication plan?
- Social Media
- Can you afford to shut down your online presence, your online commerce, or access?
- For how long?
- Are there portions that can be shutdown, still allowing critical or limited access?
- Is there a decision point for shutting down access?
These should be identified in advance to allow the Crisis Management Team to make decisions quickly.
Cyber event planning is both a business and IT endeavor. As it relates to data breach or cyber event planning, hope is not a strategy.