The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or "ordinary" criminals with a predominant profit motive, cyber crimes are increasing and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of US companies conducted by the Ponemon Institute. This organisation conducts independent research on privacy, data protection, and information security policy.
The point that the Institute is seemingly trying to make with their representative study is that Enterprise Risk Management (ERM), especially as it relates to IT, needs to ramp up; companies are getting lax again/still and re-assuming an attitude of "it" (i.e.: bad things) won't happen to them. The 23-page Ponemon Institute report is available online at their website but, here is a high-level, seven-point summary and my input of how the information may relate to your company's situation.
Cyber crimes are far more costly than taking steps to harden an environment beforehand
The study reports that the average for response costs for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents, were generally less than 1/3 the cost. In other words, and rather obviously, pre-planning and mitigation is a heck of a lot cheaper, in most cases, than merely reacting with an ad hoc response after an incident/breach.
Even more importantly, the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success. Often autonomously reporting straight to the board of directors and with a true enterprise-wide view, not just technology centric, this executive can appropriately ensure that risk management is "baked in" at the start of projects and programs, rather than merely "bolted on" haphazardly as an afterthought. Also, merely relegating IT security and risk management to some "underling" as one facet of a job in some other line department is a quick recipe for big trouble.
Additionally, the creation and rollout of an ERM strategy and adherence to a voluntary governance/certification framework (such as ITIL / NIST, etc.) appear to both, substantially lessen the chance of occurrence and the total cost of a dealing with a cyber crime incident.
Cyber crimes are pervasively intrusive and increasingly common occurrences
Why you ask? Many companies seem to have a cavalier or complacent attitude, at least unofficially, something akin to, "Our security is already good enough;" "We are already better than the competition;" "Those requirements don't pertain to us" etc. These hardening of the attitudes are dead wrong on several counts!
What about your company? Also, know that compliant (with whatever standard or regulation) does not necessarily mean secure! IT Risk Management (InfoSec, BC / DR, Compliance, Governance), like ERM, is a continuous improvement program, not merely an "achieve it once and forget it" project. Then there is the mixed blessing of social networking, the newest avenue for potential business growth and nefarious conduct. Some analysts estimate that 30 percent of corporate bandwidth is consumed by social networking traffic.
Some proponents argue that social networks such as Twitter and LinkedIn function as agents of business outreach. Some IT vendor support is now delivered by social media sites. In addition, public relations and marketing teams are finding value in social networking to deliver promotions. YouTube is becoming a more mainstream platform for companies' public relations efforts.
While all that may be true however, social media may also provide the gateway for viruses and malware, productivity distraction, and employees may end up discussing sensitive or proprietary information without appropriate authorisation. Furthermore, the competition and debt collectors also now use these sources to check up on companies' employees.