The immortal words of Ben Franklin have become axiomatic for companies dealing with today’s ever-expanding array of cyber threats. Franklin used the phrase in a letter published in the Pennsylvania Gazette urging better firefighting practices. It’s likely he’d be content to see the wisdom he was passing along applied to best practices in cybersecurity.
Obviously, prevention has to be at the forefront of actions taken to lessen the risks posed by cyber threats. But it behooves us to be clear-eyed about precisely what our expectations should be with regard to prevention. There is growing recognition that preventing data breaches is a bit of a Sisyphean task. The reality is breaches will occur.
In late 2014, the Ponemon Institute released a survey of 567 executives in the United States who were asked how prepared they think their companies are to respond to a data breach. Despite increasing efforts in threat prevention, 60 percent of those surveyed said their company had been victimized by more than one data breach in the past two years.
In virtually every instance, when a data breach occurs the single biggest loss potential lies in the damage that can be done to the corporate reputation. According to a recent report from Deloitte, “almost 90 percent of executives surveyed by Forbes Insights in 2014 on behalf of Deloitte say that reputation risk is their key business challenge.”
One need look no further than the recent Sony debacle to understand the enormity of the risk to corporate reputation posed by breaches that expose truly sensitive information. Such key considerations as shareholder confidence, employee loyalty and customer retention are all imperiled by damage to corporate reputation.
Arguably, the greatest yield in prevention actions lies in effectively managing response to those data breaches that have the potential to become a crisis for the company. Investing in the planning and preparation needed to ensure a corporation is capable of effectively responding to a cyber breach that poses the threat of becoming a crisis is a critical need.
Taking steps to prevent a situation from escalating into a crisis that threatens the corporate reputation is worth several pounds of cure.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
February 24, 2015