According to a recent study, data breaches cost US companies an average of $8.64 million last year. The average time it takes to identify and contain a breach is 280 days. That’s a huge chunk of time devoted to damage control for what is most often a preventable crisis—and there are other crises to deal with.
Here are five key questions CIOs can use to gauge their cybersecurity risk level.
Question 1: Is your executive leadership informed about your cybersecurity risk level?
Cybersecurity is about managing risk. A breach can have dire consequences, which makes managing cybersecurity risk a critical part of an organization’s governance, risk management and business continuity framework. Early response actions can limit or even prevent possible damage. Accordingly, timely reporting to leadership should be built into the strategic framework for managing the enterprise. The CEO, CIO, business leaders, continuity planners, system operators, general counsel and public affairs should all be part of the chain of communications.
Question 2: What is our exposure to cyber risk, the potential impact of a breach and our plan for addressing both?
Identifying critical assets and associated impacts from cyber threats is critical to understanding your specific risk exposure, whether financial, competitive, reputational or regulatory. Risk assessment results are key to identifying and prioritizing specific protective measures, allocating resources, informing long-term investments and developing policies and strategies to manage cyber risks to an acceptable level.
Question 3: How does our cybersecurity program apply industry standards and best practices?
A comprehensive cybersecurity program leverages industry standards and best practices to protect systems, detect potential problems and enable timely response and recovery. Compliance requirements help to establish a good cybersecurity baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or address sophisticated adversaries. Using a risk-based approach to apply cybersecurity standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.
Question 4: How many cyber incidents are normal for us? At what point is executive leadership informed?
Executive engagement in defining the risk strategy and levels of acceptable cyber risk enables close alignment with the business needs of the organization. Regular communication between leaders and those held accountable for managing cyber risks provides awareness of current threats, security gaps and associated business impact. Analyzing, aggregating and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.
A good way to establish updated security protocols is to have an assessment of your network. An IT Risk Assessment can show you where you stand and provide the insights needed to build a solid plan of action.
Question 5: How comprehensive is our cyber incident response plan? How often is it tested?
Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, the leadership group should be prepared with a Plan B. Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.
How does your organization’s cybersecurity program measure up? An easy way to find out is through our IT Risk Assessment. For $1,000, we can get you started on a path to a more secure network.
Interested? Learn more or contact us today.