Cyberattacks, data breaches, information leaks: threats that haunt organizations and people alike. These occurrences are among the eight main global risks highlighted by the Global Report Risk 2023, from the World Economic Forum, and cause financial and reputational damage around the world. The global average cost of a data breach is estimated at US$ 4.45 million, an increase of 15.3% in three years, according to an IBM study published this year.
According to the Cost of a Data Breach survey, in Brazil the average cost per breach was US$ 1.38 million, well below countries like the United States (US$ 9.94 million), but no less worrying. In addition to being a crime, data breaches weaken operations and put organizations' strategic and confidential information at risk, with repercussions for the business and the company's image.
Fernando Carbone, the partner responsible for IBM Consulting's Security Services practice in Latin America, draws attention to the biases in this cost figure. “For a large company, US$ 5 million may not represent anything; then it recovers,” he states. “But the reputational impact is immeasurable and, only later, will you realize the indirect financial impacts, such as the loss of customers, for example.”
Security as a business enabler
One of the biggest challenges in companies today is overcoming the perception that cybersecurity is a cost for the organization and starting to treat it as a business enabler, says Carbone. Hence the importance of positioning cybersecurity before a problem occurs, not only after. It must be considered strategically from the planning of new ecosystems onward: foreseeing the acquisition of security products and solutions, the implementation of controls, and the insertion of a security team into the development squads, among other initiatives.
According to Carbone, there is still a lack of awareness about the financial impact of the reputational damage caused by this type of criminal action, considering how long an attack can be sustained, the period necessary to reestablish operations, and the repercussions among business partners.
How the CISO (Chief Information Security Officer) can contribute to the CEO and the board:
1. Educate, showing the problems and their inherent impacts on the company's risk map;
2. Explain the problem in terms of financial and brand losses;
3. Discuss the quantified risk to justify the budget projection for protection solutions.
This agenda gains a more acute component with the advancement of Artificial Intelligence (AI), which, despite its numerous benefits, requires attention to the threats it poses. An EY survey of 1,200 CEOs, for example, points out that almost two thirds (65%) believe that more action is needed to deal with the social, ethical and criminal risks inherent in an AI-powered future, considering aspects such as cyber attacks and disinformation. Published in July 2023, the report also shows that a similar number of respondents fear that current actions are insufficient to manage the significant implications and unintended consequences of AI for companies and society.
And what should an organization do if it is the victim of a cyber attack or a data leak? For Carbone, prevention and preparation for an attack are always the best path, but it is necessary to admit that at some point the company could be compromised and, therefore, to check how prepared it is to deal with that situation.
If the company has all of this in place, it will be prepared for a smaller impact, because it will deal with the situation faster, more correctly and more robustly. If it does not, it will suffer more from the restoration time, from the lack of information, from making the wrong decisions, and from communication that does not flow well.
What the plan must provide for if the worst happens:
- Do we have an incident response program?
- Is the team well trained?
- Are the procedures well defined?
- Do we have the necessary tools?
- Do we have a company that supports us already linked to our plan?
- Do we have a crisis management program that reaches the executive level, with these executives trained?
In real life
From the front line of information security, Fernando Carbone reports on how organization leaders feel about and deal with cyber attack situations and, additionally, recommends how to act in them:
The agony of those who suffer a cyber attack
“I lead this IBM service line and have led, for many years, an X-Force unit, which is a team of specialists, spread across the world, responsible for acting on major incidents with clients. In recent years, I have been present at all major incidents, following, in some way, how it happened, how the problem started, the company's level of maturity in relation to cyber, how the post-incident treatment and evolution went. It's not a movie scenario; the despair of important executives is real: executives who had to focus on other business issues, paralyzed, talking about technology and hacker attacks, because gigantic operations were paralyzed. It's a very bad situation, real, and we need to deal with it in the best possible way in terms of cost-benefit, looking at trends, the market, the business.”
The impact when the structure ceases to exist
“Three or four were marked by their complexity, their size, their impact. Today, these are clients that I take care of directly, important economic groups in Brazil. I saw large operations completely paralyzed, for weeks, seven, 10 days, without knowing how to respond to the market, to the customer, with the entire production chain impacted, incalculable losses. I caught large economic groups in the health care, industrial, transport, energy, e-commerce and financial sectors that stopped operations. But what impacts me most is when people arrive at work and that infrastructure no longer exists and people don't know what to do.”
Recommendations for the CEO
“Collaboration and information sharing between companies that have already been through this is important. A CEO who was the victim of a major cyber attack, and whose company made significant investments to prevent a recurrence, often asks me: 'My wall is higher, am I safer?' It is difficult to answer whether you are 100% safe, because that maxim does not exist. But we have elements to show that, because of the controls implemented, it is much more difficult for a situation to happen. The CEO always has to look at it from this point of view: what the wall looks like, how much he invests, whether he receives information from the team, whether the company handles the issue appropriately. These are questions that the CISO (Chief Information Security Officer), the CIO (Chief Information Officer) and other executives need to take to him so that he feels comfortable.”
Christianne Schmitt is editor of the Reputation Feed