The Impact of BCP on the Cost of Data Breaches
Integrated Cybersecurity Risk Management
The operational, financial, legal and reputational consequences of an information security breach can be so profound that CEOs and Boards of Directors are becoming directly involved in approving and funding an enterprise approach to cybersecurity - as a strategic element of the organization's governance, compliance and risk management framework.
Markets may penalize unprepared companies and poor responses more severely than they punish organizations for the breach itself. The goal should be to mitigate as much risk as possible, minimize impact, and prepare to respond to disruptive cyber events that are, for practical purposes, inevitable, so the company can recover its data and essential functions, reassure markets and stakeholders, and repair reputational damage. This requires organizations to recognize that cybersecurity is not a "technical" issue but a compelling and complex enterprise risk management issue that requires integrated coordination - optimally at the chief risk officer level - addressing the elements of prevention/mitigation, preparedness, detection, response, and recovery.
Elements of a sound information security strategy include a robust security and risk management governance model; policy development; training and cultural awareness; human resource protocols; well-exercised cyber incident response plans aligned with data classifications; the right insurance; a solid business continuity and IT disaster recovery plan; expert resources in forensics, litigation support, crisis communications, and reputation recovery; and, of course, an effective portfolio of prevention, detection, and warning systems built into the technical infrastructure.