Cost of cyber attacks

Wednesday, April 28, 2010 @ 05:04 PM gHale


With the potential for security breaches reaching new heights every day, chief financial officers should develop a budget that calculates the gross monetary risk a security intrusion could pose to their organization, according to a report from a U.S. standards body and a security trade association.
The 76-page guide comes in response to a 60-day White House review last year of the nation’s cybersecurity infrastructure that found quantifying the value of protection motivates organizations to address vulnerabilities.
The American National Standards Institute (ANSI) and the Internet Security Alliance, a nonprofit electronic industry group affiliated with Carnegie Mellon University, wrote the document, which assigns dollar figures to information losses. It also advises CFOs on the financial management of cyber risk.


The instructions apply to federal and corporate CFOs, said Karen Hughes, ANSI’s director of homeland security standards.
“The overarching message this document puts forward is that the single biggest threat to cybersecurity is misunderstanding,” she said. “CFOs from the public and private sectors alike must look at cybersecurity as an enterprise- [and] agency-wide issue and not just an IT issue, to ultimately reduce vulnerabilities to cyberattacks and their financial implications.”
The handbook starts from the premise that companies today, most of which depend on the Internet to survive, have relegated data security to an isolated, and often underfunded, unit.
The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80% coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring, as well as the indirect cost of lost business. The handbook cites several analytical models to help assess costs and benefits.
Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates across the organization. This team should meet in person, if possible, according to the publication, because face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.
“This excellent guide for the C-suite puts forth the right questions to help organizations be proactive in managing their risk and exposure that is derived from their digital dependence,” said Melissa Hathaway, who conducted the White House review as the former acting senior director for cyberspace at the National Security Council.


