CorporateGovernor
Unprepared organizations pay more for cyberattacks
Providing vision and advice for management, boards of directors and audit committees
Winter 2015
Skip Westfall, Managing Director, Forensic and Valuation Services

For those of you with your head in the sand, trying to avoid thinking about cybersecurity, it will cost you — literally. In 2013, 43% of organizations experienced a data breach, each costing an average of $5.9 million or $145 per record of information.[1] Of those breached companies, 62% lacked an incident management plan; those with a plan in place reduced the cost per record by $12.77.

You can’t afford to sit around and hope a cyberattack won’t happen. The best thing you can do is be proactive. Come up with a plan and ask yourself: What can we do to prepare our company?

4 ways to prepare for a breach

Lay the foundation for your cybersecurity defense with these four steps:

1. Data mapping and classification. Before you come up with a plan to protect your data, you need to know what you are protecting. That’s where data mapping comes in. It’s the digital equivalent of going through your home and inventorying your valuables for insurance purposes. Data mapping can help you answer important questions like: “What are the crown jewels of our business?” “Is IP important?” “Are we an information-gathering or data-hosting firm?” You need to know what your assets are — as well as their value — in order to protect them.
[1] Ponemon Institute. 2014 Cost of Data Breach Study, May 5, 2014. See ibm.com/services/costofbreach for details.
2. Conduct a vendor assessment. You need to account for data held by business partners, vendors and other third parties — not just the data stored within your organization. Are they protecting data with the same fervor you are? To find out, it’s critical to conduct an assessment of your partners’ cybersecurity measures and assess your vendors’ management processes. You’ll need to determine how these organizations will protect your data, either through contractual agreements, assessments or audits. Depending on the size of your organization, your vendor management group may be able to handle this, or it might require a combined effort, with your accounting group and IT security staff working together to look at vendors.
3. Create a risk profile. There’s no way to know exactly how vulnerable your systems are without having someone try to hack them. Hire an outside firm to conduct a vulnerability assessment and penetration test (i.e., ethical hacking). Form a risk profile based on its report and identify the biggest weaknesses in your systems. The information will help you decide where to allocate your resources and what areas to prioritize.
4. Create an incident response (IR) team and develop a plan of action. While cybersecurity may seem like a specialized issue, it has a much broader impact than your run-of-the-mill IT matter. As such, you’ll want to have a defined IR team at your disposal to help tackle any potential breaches. Some organizations appoint a chief information security officer to oversee cybersecurity efforts and report to the internal audit leader or CFO. The creation of such a position can decrease the cost per record of information by $6.59.[2] The rest of the team should include representatives from all data custodians, such as HR, marketing, accounting and R&D, as well as the security officer and IT director. In some cases, you’ll also want to include any vendors or partners that have access to your data, as well as members of your PR team, a federal law enforcement official, and a specialized consultant who can help you in case of a breach.

With your team activated, you can create an IR plan to outline your responses to various scenarios, establish a base of operations and name a single point of contact. Your risk profile and IR plan should be living documents. Ideally, you should conduct a vulnerability assessment and penetration test every six months, updating the risk profile and informing the IR team of the results so they are aware of the evolving strategy. If you do things right and have a team and plan in place, you can counter a cybersecurity issue and restore faith in your brand in less than a day.

Even after these steps have been taken, your work is not done. Your organization must maintain constant vigilance and be proactive. The IR team should meet with stakeholders and update its risk profile regularly — at least once a quarter — and as the organization evolves, so should its risk profile.
[2] Ibid.
What to do if you experience a breach
Planning and risk mitigation are important, but they cannot guarantee protection from an attack. If you experience a breach, the first thing to do is notify outside counsel, who will direct your team as they start executing your IR plan. Bring all the stakeholders to the table and keep any relevant parties apprised of your team’s findings.

Your IT services adviser should act quickly to assess and report on the extent of the breach, ideally within 12–18 hours. Your adviser will then perform data analytics on server logs, routers and network operations devices to understand anomalies and determine where the breach originated. They will address whether the breach was internal or external, or possibly even employee-assisted. Perhaps your systems were never actually breached, but hackers were able to get in through a third-party channel. The adviser will collect email from servers, as well as review unstructured data to determine whether your organization did what it could to prevent the breach. Finally, upon completing the investigation, the adviser should work with your IR team to preserve your data for remediation purposes, patch holes or remove malware, and get your organization back online to avoid operational delays.

After the initial crisis, your adviser will work with the in-house IT team to replace any corrupt systems and implement projects to address security weaknesses. You may need litigation support, project management and PR services. Long term, you’ll likely work with IT analysts, industry experts and other specialists to assess processes and make any necessary changes to the IR plan.
Plan now, thank yourself later
Ignoring cybersecurity issues will cost you. Ask yourself what you can do to bolster your internal defenses, and then take steps to establish an IR plan. The immediate benefit will be the peace of mind you’ll get from your actions. Should you experience a breach, the money and brand reputation you will save will be invaluable. So don’t be sorry, be prepared.
Contacts

Skip Westfall
Managing Director, Forensic and Valuation Services
T +1 832 476 5000
E skip.westfall@us.gt.com

Brad Preber
National Managing Partner, Forensic and Valuation Services
T +1 602 474 3440
E brad.preber@us.gt.com

Editor
Evangeline Umali Hannum
E evangeline.umalihannum@us.gt.com