Despite growing awareness of how devastating a cyber attack could be, many businesses still have not implemented security measures, which risks putting them in a group of corporations that have already lost a trillion dollars in stolen intellectual property, said panelists at a news conference on the release of a report highlighting financial management of cyber risk.
Held yesterday at the National Press Club, the discussion focused on the release of “The Financial Management of Cyber Risk: An Implementation Framework for CFOs,” which has been developed by more than 60 technical experts from industry, government and academia, and spearheaded by the Internet Security Alliance and the American National Standards Institute.
Karen Hughes, ANSI’s director of homeland security and one of the speakers, said there has been a severe misunderstanding that cybersecurity is solely an IT problem when the issue involves entire corporations, including CFOs, CSOs and CEOs.
“There is no one department that can tackle this alone,” she said.
Citing a White House cyberspace report from 2008 and 2009, ISA President Larry Clinton said U.S. companies have lost more than a trillion dollars of intellectual property to cyber attacks, and that is not counting losses from theft of personally identifiable information, system inefficiency and downtime, loss of customers or negative impacts on corporate share values.
According to Symantec, the number of new cyber threats on the Internet rose by nearly 500 percent between 2006 and 2007, and more than doubled again between 2007 and 2008, which amounts to a 1,000 percent increase in new threats to corporate Internet users in just two years.
Symantec Chief Information Security Officer Justin Somaini said cyber attacks mostly involve Trojans that try to access personal information and attack critical infrastructure maintained by financial institutions.
Paradoxically, while there has been an increase in cyber attacks, the number of U.S. corporations that invest in cybersecurity measures has declined, Clinton said.
“Why? It comes down to one core fact: People don’t think it’s their responsibility to secure their own data,” Clinton said, adding it is always the IT department’s responsibility when cybersecurity should be a cross-organizational effort.
Another reason corporations are not investing in improved security measures is the lack of knowledge about cybersecurity within the current private-sector workforce.
“For the most part, the people in this group (especially senior executives) are what demographers are now calling ‘digital immigrants’ – they were not born into today’s digital world and may face ‘language barriers’ when it comes to the rhetoric of information security,” the report states.
However, one of the solutions would entail switching the language from a technical conversation to a fiscal one, which would help more CFOs and CEOs understand the benefits of adopting cybersecurity measures, Somaini said.
For businesses wanting to implement cybersecurity measures, the ANSI-ISA report recommends six steps to help speed up the process.
1. Understand the true role of technology and what steps need to be taken to manage risk appropriately.
2. Appoint a Cyber Risk Team that can address cybersecurity from a strategic perspective.
3. Meet regularly with the Cyber Risk Team, whether it is face-to-face or via video- or teleconferences.
4. Create and adopt a department-wide cyber-risk management plan to determine which actions and roles, either existing or new, are to be allocated to each functional area.
5. Create and implement a budget for cyber risk to get an overview of a potential financial impact of a cybersecurity breach.
6. Implement, analyze, test and gather feedback to stay up to date and prevent new breaches.