By Stuart R. Levine
Published In, The Credit Union Times

Are your board and senior leadership adequately protecting your organization’s most valuable assets including your data and intellectual property?  Board oversight, senior management leadership and a culture of engagement will go a long way to address this serious problem.  When a mindset of data protection permeates organizational culture, ensuring a robust cybersecurity environment is not viewed as just an IT problem; it is a priority for everyone.

With the continuing transformation to a knowledge-based economy, IP and other intangibles can comprise the great majority of a company’s value.  Ocean Tomo, a merchant bank specializing in IP, currently estimates that intangible assets represent 84% of the value of the S&P 500.

Cybersecurity is a serious issue because so much economic growth is information related. According to estimates by McKinsey Global Institute, over the next five to seven years, $9 to $21 trillion of global economic-value creation will be information related.  This would represent an increase of 10 to 20 percent over current global GDP levels.

Here are some impactful statistics to digest:

  • Juniper Research, a UK based digital market specialist, reported that data breaches are expected to cost half a trillion dollars globally in 2015 and are projected to grow to $2.1 trillion globally by 2019.
  • Identity Theft Resource Center said that the number of data breaches in 2015 are on pace to break records with 117.5 million records confirmed to be at risk, combined with an 85% increase in banking sector breaches this year.
  • Health insurer Anthem’s February 2015 breach compromised about 80 million records and cost over $100 million.
  • The U.S. Office of Personnel Management’s (OPM) 2015 attack affected about 25 million employees.  OPM and the Department of Defense awarded a $133 million contract to notify the victims, including NCUA employees.
  • Sony Pictures spent more than $100 million on its 2014 cyber-attack. The studio was brought to a virtual standstill for weeks as embarrassing emails, trade secrets and more were exposed.

Boards and senior management must have a holistic view — working to protect all forms of data and intellectual property.  This is essential in any modern ERM program.  In their oversight role, directors must assure that management establishes an enterprise-wide cyber-risk management framework with adequate staffing and budget.  Because total data protection is an impracticable goal, management must identify and prioritize those risks to avoid, accept, mitigate or lay-off through insurance.

Pamela Gupta, CEO of Out Secure Inc., which provides security strategy to multi-national corporations, advises:  “Security strategy begins with identifying the highest value information targets — those assets that, if compromised, would cause the greatest harm to the organization.  Next, management needs to prioritize information assets by business risk and allocate resources accordingly.  Levels and costs of preparedness correspond with the risk the organization can appropriately take. Today, every decision concerning technology needs to be informed by an awareness of related vulnerabilities.  All software and hardware, social networking applications and other internet related tools must all be viewed through a lens of security.”

As with most organizational initiatives, cyber-security must be driven from the top and must diffuse throughout the organization.  An ERM plan for data protection alone is not enough.

After the C-suite produces the data protection strategy, management must clearly and consistently communicate it across the organizational structure to all levels.  A strong communications program should be designed to heighten the urgency to address overall cyber-risk to complement strong technological security.  The organization’s commitment to security must translate into specific policies and procedures that employees learn and follow.  The greatest vulnerabilities often come from everyday use of e-mail and the internet, such as inadvertently unsafe activity on social networking sites.  Employee inattentiveness, not malicious behavior, usually causes the problem.  Thus, training should target behavior that undermines security.  Data security should become part of the company’s culture to protect the organization’s brand and reputation.

Budgets and timetables must reflect the integration of security requirements into any project plan.  Ms. Gupta advises that the security team becomes engaged at the outset of a project, not as an afterthought.  This approach delivers a much greater ROI for security monies utilized.  She explains: “Retrofitting security is expensive and monies used in reaction to a security breach can be expected to be 10 times as great as the cost of prevention.”

Regardless of your organization’s industry or size, protecting information assets in the smartest way is increasingly critical and essential.  Your board’s oversight, management’s leadership and your employees’ engagement will make the difference.