Fall 2015 Issue of Horizons

With the increasing risks and costs of cyber security, knowing how to protect your company is critical. Cyber risk must be managed as an ongoing organization-wide concern, not just an IT issue. The first step is to admit that the threat is real and your company could be a target.

According to the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, U.S. companies had the most costly data breaches worldwide on average ($217 per record) and, on average, U.S. companies had data breaches that resulted in the greatest number of exposed or compromised records (28,070). According to the report, the global average cost of a breach rose to $1.57 million and the United States average cost rose to over $6 million.

One disturbing phenomenon that has grown exponentially over the past decade is social engineering – the use of human assets and vulnerabilities to try to break into systems. Examples include hackers calling people to try to gain information, picking up access codes or entry cards by “shoulder surfing” employees, sending phishing emails, placing calls asking users to update computers or software – all in order to gain context or credentials for hacking into your systems.

Phishing email attacks are increasingly sophisticated, presenting seemingly legitimate information with disastrous consequences. The increasing sophistication includes methods to bypass email filtering (so the attack reaches the end-user) and significantly better emails (so your end-users are more likely to click). It is nearly guaranteed (i.e., likelihood approaching 100%) that someone, at some point, is going to click on a link or attachment. The question is: Will you know when it has happened and are you equipped to deal with it effectively?

Tone at the Top

First, setting the governance perspective on the importance of security is a critical step. Cyber security has risen to become one of the top boardroom issues, according to a recent study conducted by the Georgia Tech Information Security Center. The report indicates that nearly two-thirds (63%) of boards and executives of Forbes Global 200 companies are actively addressing computer and information security, up from 33% in 2012. The survey also indicates that, now more than ever, these boards and executives understand that they have a fiduciary duty to protect the digital assets of their companies and are now paying more than “cursory attention to cyber risks.”

Getting Serious About Protecting Your Company

Protecting your company against attacks is certainly possible, but it requires focus, vigilance and a sprinkling of paranoia. First, determine what is known about your company’s data, where and how it is accessed and how it is protected.

www.RubinBrown.com | page 17
