Why risk scoring is critical for your business (and your career)
Published: Dec 11, 2018
Author: John Loveland
There was a time, not all that long ago, when data security was chiefly a concern for IT and IT alone. Hacks and breaches were problems for them to identify and deal with, while the rest of the business went along its merry way.
Those days are officially over. Organizations are more connected, less siloed, and more dependent on data than ever before. This has resulted in more data in more places, with more opportunities for a breach due to accidental exposure, internal malicious data theft, and external attacks. We at Verizon examined 53,000 incidents and 2,216 confirmed data breaches as part of our 2018 Data Breach Investigations Report, both new records for our analysis.
Meanwhile, data breaches have graduated from minor irritants to a full-blown existential risk for organizations and careers alike. Here are just a few of the ways a data breach impacts your entire business, not just your IT department.
Your people and your business rely on data to work. Ransomware has doubled year over year once again. So what happens when your data gets locked up in a ransomware attack? Most likely, work grinds to a halt as employees lose access to important files or even their laptops for hours or days. Imagine the chaos that would take place if your business took a sudden, unplanned break in operations.
Of course, you don’t have to imagine. Just ask FedEx. The organization reported a $300 million loss in its 2017 Q1 report due to the Petya ransomware virus attack. The attack froze computers at its Dutch subsidiary, encrypting files and threatening to delete them unless a ransom was paid, and then sometimes deleting the data even after the ransom was paid. The attack significantly impacted delivery volume, which led to reduced revenue and profit for the quarter.
Tarnished brand value
Even once your systems are back to full speed, the damage to your brand can linger for months or years. Equifax’s reputation was damaged almost overnight as a result of its data breach and mismanagement in helping affected consumers. As a result, the organization suffered a 33-point 10-day drop in its brand score as measured by YouGov BrandIndex, the second-largest drop in brand value on record. This loss of brand value can lead to lost market share as burned customers ditch your brand for more secure competitors (or if not more secure, at least not on the front page).
Recovering from a breach can be a full-time job. In a study of post-breach impacts of cyberattacks, 23 percent of respondents took up to three months to fully remediate breaches. A stunning 38 percent took three months or longer. Together, that’s more than half of all organizations spending months of their time, energy, executive focus and budget on the security fix, remediation, lawsuits and fines.
According to that same study, remediation costs can run from as low as $1,000 to more than $100 million, depending on the type and severity of the attack. While a cyberattack is unlikely to put a large enterprise out of business, it can certainly put its leaders out of a job. CEOs at Equifax, FACC, Sony and Target were all removed due to data breaches at their organizations, while countless CIOs, IT security managers, finance directors, board members, and employees responsible for breaches have lost their jobs due to preventable attacks that took place on their watch.
The business imperative for risk scoring
Cybersecurity is not just an IT issue anymore. Because of that, cybersecurity needs to be put in a framework that businesses can act on, and that’s why companies need to understand their risk profiles. That’s where risk scoring comes in. By using a systematic process to identify and define your current level of risk, you can then prioritize the initiatives and resources needed to improve your score and become more secure.
With all your security investments, it’s easy to be overconfident that you’re protected. However, it takes just one breach to cost your organization millions and you your job. With risk scoring, you can easily understand where your organization stands in an ever-changing threat environment on a daily basis, giving you the insight you need to best allocate your budget, time, and resources.
With the Verizon Risk Report, you can not only assess your enterprise’s chances of a breach but also determine what you need to do to fix any gaps in your security. This data-driven approach can help you build your security strategy, make more informed decisions, and improve the ROI of your security investments. Learn more about the Verizon Risk Report.
John Loveland leads cybersecurity strategy and marketing for Verizon Enterprise Services. He is a seasoned technology industry executive and entrepreneur with 20+ years' experience in leadership positions with public, private and start-up companies. A pioneer in the information risk management disciplines, John has founded companies and built practices in the areas of cyber risk, electronic discovery, regulatory compliance, data privacy, and enterprise information governance.