Quantifying Risk: The Reality of Cyber Threats
Have you heard the Steve Martin quote "Be so good they can't ignore you"? Following that advice usually produces good outcomes for society. Unfortunately, our cyber adversaries have taken the same advice to heart: through rapid advancement in tooling and tradecraft, they now pose a greater and more constant threat to businesses and consumers alike, a threat we cannot ignore.
Let’s take a quick look into the reality of cyber threats to gain an understanding of how frequent and common they can be.
The following is a cyber threat map developed by Kaspersky and based on Kaspersky data sources:
It is important to note that this map is not a complete data set and does not show every attack in progress at any given moment. Another instructive exercise is to review the monitoring data from your own organization's firewall and intrusion prevention or detection systems: networks are under constant attack, ranging from automated scanners to active, deliberate threat actors. As of early February 2017, more than 25 healthcare-related breaches had already been reported to the Office for Civil Rights (OCR) this year!
There are four approaches to dealing with risk:
- Reduce or Mitigate
  - Implement controls and countermeasures that lower the likelihood or the impact of the event.
- Assign or Transfer
  - For example, insurance (assignment) and outsourcing (transfer). Note that transferring the risk does not transfer accountability: the organization still answers to its customers and regulators if the outsourced provider or the policy falls short.
- Accept
  - What is your risk tolerance/appetite? Management evaluates the risk and determines whether to accept the risk and the related consequences of not implementing controls. Acceptance is a documented, deliberate decision.
- Reject or Ignore
So how do we quantify the dollar cost of a data breach? According to IBM and Ponemon Institute’s 2016 Cost of Data Breach Study: United States, the average cost for each record disclosed in a breach is $221. The report shows the average total cost of a data breach to be ~$7 million.
Now that we have some hard data, we can look at an example:
If an organization suffered a breach that disclosed 10,000 records, the estimated cost at that average is 10,000 × $221 = $2.21 million! Keep in mind that a per-record average is a rough proxy: the same study breaks costs out by industry and breach size, so an organization should substitute the figures that best match its own sector when building its model.
The primary takeaway from this discussion is not meant to be a case of uncontrollable heartburn, but rather an increased awareness that cyber threats are very real and cannot simply be ignored. The first step is acknowledging that the 4th risk management "option" is not an option at all (and is potentially negligent). The second is realizing that, with some effort, we can develop legitimate risk models that take into account what a breach would cost, quantify risk based on market data, evaluate qualitative factors, and leverage the results to make informed business decisions.
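The following is an added worked example, not part of the original article or Delap's own methodology, showing how the per-record cost figure above can be turned into the kind of decision model the article describes. It uses the standard single loss expectancy (SLE) and annualized loss expectancy (ALE = SLE × ARO) formulation, where ARO is the expected number of such breaches per year; the ARO, control cost, residual ARO, insurance premium and deductible in the `Scenario` are all assumed illustration values, not figures from the page. The model prices the three defensible treatments (accept, mitigate, transfer) and deliberately leaves "ignore" out of the candidate set.

```python
from dataclasses import dataclass

# Per-record cost quoted in the text (IBM/Ponemon 2016 US study).
COST_PER_RECORD_USD = 221.0


def single_loss_expectancy(records_exposed: int,
                           cost_per_record: float = COST_PER_RECORD_USD) -> float:
    """SLE: expected cost of one breach exposing `records_exposed` records."""
    if records_exposed < 0 or cost_per_record < 0:
        raise ValueError("records and cost per record must be non-negative")
    return round(records_exposed * cost_per_record, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of such breaches per year."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Scenario:
    """Inputs to the model. All values other than cost_per_record are assumptions."""
    records_exposed: int
    aro: float                    # breaches per year with no new controls (assumed)
    control_annual_cost: float    # yearly cost of the mitigation under consideration (assumed)
    residual_aro: float           # breaches per year once the control is in place (assumed)
    insurance_premium: float      # yearly premium of a cyber policy (assumed)
    insurance_deductible: float   # amount still paid per incident under that policy (assumed)
    cost_per_record: float = COST_PER_RECORD_USD


def max_justified_control_spend(s: Scenario) -> float:
    """Upper bound on what the control is worth per year: the ALE it removes."""
    sle = single_loss_expectancy(s.records_exposed, s.cost_per_record)
    return round((s.aro - s.residual_aro) * sle, 2)


def annual_expected_cost(s: Scenario) -> dict:
    """Expected yearly cost under each defensible treatment. 'ignore' is not modelled:
    it carries the same expected loss as 'accept' with none of the documented decision."""
    sle = single_loss_expectancy(s.records_exposed, s.cost_per_record)
    return {
        # Accept: spend nothing, carry the full ALE as a recorded management decision.
        "accept": annualized_loss_expectancy(sle, s.aro),
        # Mitigate: pay for the control, carry only the residual ALE.
        "mitigate": round(s.control_annual_cost
                          + annualized_loss_expectancy(sle, s.residual_aro), 2),
        # Transfer: pay the premium; each incident still costs the deductible (capped at
        # the loss itself), and the policy does nothing to reduce how often breaches occur.
        "transfer": round(s.insurance_premium
                          + annualized_loss_expectancy(min(s.insurance_deductible, sle),
                                                       s.aro), 2),
    }


def recommend(s: Scenario) -> str:
    """Name of the cheapest defensible treatment for the scenario."""
    costs = annual_expected_cost(s)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    # The article's 10,000-record example with assumed likelihood and control figures.
    example = Scenario(records_exposed=10_000, aro=0.1,
                       control_annual_cost=40_000, residual_aro=0.02,
                       insurance_premium=60_000, insurance_deductible=250_000)
    print("SLE:", single_loss_expectancy(example.records_exposed))
    for option, cost in annual_expected_cost(example).items():
        print(f"{option:>9}: ${cost:,.2f} per year")
    print("Control is worth at most:", f"${max_justified_control_spend(example):,.2f} per year")
    print("Recommendation:", recommend(example))
```

With the assumed figures the control is the cheapest option by a narrow margin over insurance, which is exactly the kind of close call that the qualitative factors mentioned above (regulatory exposure, reputational damage, how well the policy's exclusions match the real threat) should settle. The `max_justified_control_spend` check is the one practitioners reach for first: a proposed control costing more than the ALE it removes is a poor buy regardless of how the other options look.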
Contact our cyber-security partner, David Buchanan, if you would like to schedule a white-boarding session and take the next steps to managing your organization’s risk.
Delap LLP is one of Portland’s largest local tax, assurance, wealth advisory, and information security consulting firms, located in Lake Oswego, Oregon.