Talk about awareness: With increased knowledge, frequency, sophistication, and impact on the business, cyber security planning and protection has gone from an operational concern to a vital piece of the strategic agenda of boards and chief executives.
That kind of awareness should push the need for all companies to create a plan for a secure environment.
The catch, though, is that senior levels of the business still face an information gap that makes it difficult for them to align investments in risk protection to the true strategic value of an organization’s digital assets, according to a report by global business consulting firm Bain & Company.
The report shows:
• The median cost of cybercrimes jumped 56 percent to $5.9 million per organization in 2011 over 2010, the most recent data available
• Web-based attacks during the same period increased to 4,500 per day, a 36 percent rise
• Mobile malware quadrupled in 2013, with Android attacks increasing 26 times
• DDoS attacks increased 27 percent in the same period
• Financial motives now drive nearly 95 percent of cyber attacks, placing the target squarely on strategic assets that can end up monetized after a breach.
Every organization that has suffered a breach has also already had some form of cyber security in place, the report said. Beyond that, too many organizations fail to align IT security capabilities with larger goals and overall risk. That spells out a lack of quality risk management and points toward reactive security.
The report points to disconnects between an organization’s risk management efforts and the development of necessary security capabilities as a hidden cause behind individual incidents. That disconnect occurs because business groups and IT often fail to discuss emerging threats or the relative importance of different kinds of digital assets.
Instead, compliance obligations, not strategy implications, are the greatest driver for security considerations for three in four CIOs, the report said. The finding demonstrates the overreliance on operational approaches to security.