Does your company include “cyber” on the Board agenda every month?

Amicus ITS has long been an exponent of the merit of having an IT expert on a company Board.  Indeed ‘cyber’ has been on Amicus ITS’ own Board’s monthly agenda for the past 18 months.

As we continue to convey this good practice recommendation to our customers, the message is now being endorsed by HM Gov’s Treasury department in a direct appeal to the major UK banks.

As reported in The Sunday Times (240116), Andrew Tyrie, Treasury committee chairman and Tory MP for Chichester, wrote to the major financial institutions over the weekend demanding that they take urgent steps to thwart hacking and data theft.  “Bank IT systems don’t appear to be up to the job”, he said.  “Every few months we have yet another IT failure at a major bank.  These IT weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress.  Businesses suffer too.  We can’t carry on like this”.

The remedy is no magic potion.  The Treasury MP is advocating hard investment in computer systems and that banks answer to a new group within the financial regulator, the Prudential Regulation Authority.

No banks are immune.  Barclays, HSBC, Lloyds and the UK taxpayer’s own bank Royal Bank of Scotland (RBS) have all suffered outages.  Most recently, HSBC suffered a two-day failure in its online banking services in January 2016. This follows last August’s dropout when a glitch prevented salaries being paid ahead of the August Bank Holiday.  Other banking failures have included mortgage and pension payments. RBS, which has experienced many problems, was fined £56 million in 2015 for an IT glitch in 2012 that left millions of customers unable to access their accounts.

The Deputy Governor of the Bank of England, Andrew Bailey, is expected to head up a new specialist IT unit within the Bank of England’s Prudential Regulation Authority to ‘ensure lenders are investing enough in their systems’.  We wait to see whether this specialist financial regulator post has the teeth and influence to create the necessary change and improvements required – and soon.  If our banking blog of 31st January 2014 is anything to go by, it could be a very long wait.  Could this MP’s plea be one of hope more than expectation?

Irrespective of business sector, it is a timely reminder for companies not to put off updating infrastructures or reinforcing vital firewalls by holding on to unspent, shored-up profits post recession.  In our technically challenging world, businesses cannot afford NOT to maintain and future-protect their IT systems, let alone ignore recommendations to invest in protecting against the increasingly sophisticated and cynical cyber threats facing every organisation.

• 80% of cyber attacks in 2014 were preventable (source: Ponemon Institute).
• Only 21% of companies say their Board gets comprehensive information about cyber threats*.
• Only 17% of Board members believe they have a full understanding of the risks*.

Action – do a cyber health check review of your company after today:

• Re-evaluate the crown jewels of YOUR organisation (key information and data assets).
• Review risk from 3rd party suppliers (get into active compliance).
• Be pro-active and transparent about risk – your customers will thank you.
• Arrange for a cyber threat ‘pen test’ and get in shape for 2016.

In the constantly evolving world of cyber security, the wise understand that there is no panacea against cyber attack and that it is just a matter of when.  However, those best armed against the enemy will be the ones best prepared for attack, understanding and prompt response.

IBM and Ponemon Institute count the true cost of data breaches

IBM in conjunction with US independent data protection and security organisation The Ponemon Institute have published that the per-record cost of a data breach reached $154 in 2015, up 12% from $145 in 2014.  Aggregated, this amounted to an average total cost of a single data breach of $3.79 million.  The survey reviewed 350 companies across 11 countries, each of which had suffered a breach.

Prior to this, technology and communications giant Verizon had estimated the per record cost to be a scant 54 cents. However Ponemon Institute Chairman Larry Ponemon noted this was based on a small sample of 191 reports from cyber insurance claims and represented only around 10% of the insurance coverage for the cost of the breach and ignored the indirect costs or loss of resulting business.

Target’s latest breach was estimated to cost the company over $1 billion, but it was only insured for $100 million. Ponemon added:  “Companies generally buy enough insurance to cover 50% of the value of their fixed assets, but only 12% of the value of their digital assets”.

Loss of business is a growing part of the total cost of a data breach: customer churn and damage to reputation and goodwill now add up to $1.57 million per company (up from $1.33 million the previous year).

VP at IBM Security, Caleb Barlow, commented:  “At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring”.

Data breach costs reportedly varied substantially across industries and geographies.  Healthcare had the highest costs, at an average of $363 per record, because of the long shelf life of its records.  By country, the US had the highest per-record cost at $217, followed by Germany at $211, with India the lowest at $56 per record.

Healthcare records are especially valuable due to the volume of personal information, Social Security numbers and insurance details they contain, which can be used to create credit records or for identity fraud 10-15 years later.

Cyber breach cost reductions:
• Companies with incident response teams reduced the cost per record by $12.60 because of their ability to respond swiftly.
• Using encryption reduced costs by $12.
• Employee training reduced costs by $8.
• If business continuity management personnel were part of the incident response team, costs fell by $7.10.
• CISO leadership lowered costs by $5.60.
• Board involvement lowered costs by $5.50.
• Cyber insurance lowered costs by $4.40.

Having an assured and well-prepared management response has a definite impact on the bottom-line cost of any cyber security breach.  As Caleb Barlow darkly warned:  “You don’t have days to respond.  You don’t even have hours. You have minutes to get your act together.”

Cyber breach cost increases:
• Bringing in outside consultants added $4.50 per record.
• Lost or stolen devices added $9 per record on average.
• Third party involvement as the cause of a breach increased the average per-record breach cost by $16 (from $154 to $170).

Factoring time to respond into the end cost proved significant too:
• Respondents took 256 days on average to spot a breach caused by a malicious attacker – and 82 days to contain it.
• Breaches caused by system glitches took 173 days to spot – and 60 days to contain.
• Human error breaches took an average of 158 days to notice – and 57 days to contain.

With cyber security a major thorn in the side of business and an increasingly sophisticated route to damaging trust and reputation, no organisation of any size can afford a) not to have reviewed the security of its estate and b) not to have taken steps to develop relevant and up-to-date policies and measures to safeguard its digital assets – and to share these regularly with the Board.

Additionally and crucially, as our Head of Technology & Governance, JP Norman, reminds us: “The reputational and financial losses quoted are without the EU Data Directive changes on the way, which will enable fines of up to 5% of global turnover. CIOs need to ensure their boards are aware of the potential financial risks that are likely to be in place by late 2016”.

Ponemon