Seven cyber crime facts executives need to know

Cyber crimes are far more costly than taking steps to harden an environment beforehand

The study reports that the average for response costs for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents, were generally less than 1/3 the cost. In other words, and rather obviously, pre-planning and mitigation is a heck of a lot cheaper, in most cases, than merely reacting with an ad hoc response after an incident/breach.

Even more importantly, the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success. Often autonomously reporting straight to the board of directors and with a true enterprise-wide view, not just technology centric, this executive can appropriately ensure that risk management is "baked in" at the start of projects and programs, rather than merely "bolted on" haphazardly as an afterthought. Also, merely relegating IT security and risk management to some "underling" as one facet of a job in some other line department is a quick recipe for big trouble.

Additionally, the creation and rollout of an ERM strategy and adherence to a voluntary governance/certification framework (such as ITIL / NIST, etc.) appear to both, substantially lessen the chance of occurrence and the total cost of a dealing with a cyber crime incident.

Cyber crimes are pervasively intrusive and increasingly common occurrences

Why you ask? Many companies seem to have a cavalier or complacent attitude, at least unofficially, something akin to, "Our security is already good enough;" "We are already better than the competition;" "Those requirements don't pertain to us" etc. These hardening of the attitudes are dead wrong on several counts!

What about your company? Also, know that compliant (with whatever standard or regulation) does not necessarily mean secure! IT Risk Management (InfoSec, BC / DR, Compliance, Governance), like ERM, is a continuous improvement program, not merely an "achieve it once and forget it" project. Then there is the mixed blessing of social networking, the newest avenue for potential business growth and nefarious conduct. Some analysts estimate that 30 percent of corporate bandwidth is consumed by social networking traffic.

Some proponents argue that social networks such as Twitter and LinkedIn function as agents of business outreach. Some IT vendor support is now delivered by social media sites. In addition, public relations and marketing teams are finding value in social networking to deliver promotions. YouTube is becoming a more mainstream platform for companies' public relations efforts.

While all that may be true however, social media may also provide the gateway for viruses and malware, productivity distraction, and employees may end up discussing sensitive or proprietary information without appropriate authorisation. Furthermore, the competition and debt collectors also now use these sources to check up on companies' employees.