
Inside Internal Controls

News and discussion on implementing risk management


New report on the cost of a cyber breach


In Making Business Sense of Technology Risk, I refer to studies conducted by the Ponemon Institute and sponsored by IBM Security.

Their latest Cost of a Data Breach Report again has some useful information.

You may be surprised to hear that the average cost of a data breach is just $3.9 million. That is very different from what the alarm bells screaming at you from all sides would suggest. Healthcare costs are typically much higher than average; that is the sector where the ‘megabreaches’ have typically occurred, although large companies in financial services and retail have also suffered huge public disasters.

Does it make sense to invest tens of millions of dollars or more when the average cost is relatively low?

That’s one of the issues tackled in the book. For a start, while the cost may appear low, the disruption to the business and its impact on customers and partners may be much more significant. A small out-of-pocket cost may hide the fact that significant enterprise objectives will now be much harder to achieve.

Another challenge is that resources to invest are limited. How does the leadership of an organization decide whether to invest in cyber, a new marketing campaign, an upgraded product offering, or to reduce supply chain risk?

Another factoid in the report is that, despite advances in detection, the average time to identify and contain a breach remains unacceptably high: 279 days. In addition, a breach can have significant effects that last two years or more.

One of the problems with studies and discussions around cyber is that this is only one of several sources of risk to enterprise objectives. To understand the likelihood of achieving a business objective, you need to consider all related sources of risk.

Unfortunately, neither COSO nor ISO (nor anybody else to my knowledge) has provided practical guidance on this challenge of aggregating disparate sources of risk to a single objective, nor shown us how to weigh that aggregate against the upside.

Maybe that will come. In the meantime, perhaps my book will help.

I welcome your thoughts and comments.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.