Business Continuity Management: Reducing Risk Before a Time of Crisis
How often are you in the middle of your own crisis? You know, the moment someone calls you and starts the conversation with, “We have a problem,” or worse, you glance at your favorite electronic newspaper and read about your company alongside words like “hacked,” “cyberattack” and “outage.”
According to The New York Times, for several years, the running joke among security experts has been that there are two types of companies: those that have been hacked and those that don’t know they’ve been hacked yet.
Looking at statistics published by the Ponemon Institute, the first thing that pops up on the research think tank’s home page states that 45 percent of senior executives surveyed said their company experiences cyberattacks hourly or daily.
This is a pretty huge statistic. If you connect the dots between the security experts’ joke and the Ponemon Institute’s figure, about 55 percent of companies have already been hacked or are under attack and just don’t know it.
Avoiding the High Costs Associated With a Crisis
This brings me to the “2016 Cost of Data Breach Study: Impact of Business Continuity Management,” which is a continuation of research the Ponemon Institute began in 2005. The study is a 31-page statistical wonderland that reinforces what many of us in this space already know: The cost of a data breach is expensive, and that cost is only going up.
Another not-so-surprising conclusion is that companies that take an ostrich approach to security and aren’t pragmatic when dealing with today’s ever-growing litany of cyberthreats will incur even more costs associated with recovering from a data breach. These companies will take longer to identify breaches, take longer to contain breaches and incur significantly higher costs in mitigating breaches than those that actively work toward protecting their business, clients and brand image.
Looking at the 383 organizations interviewed across 12 countries, roughly half had a business continuity management (BCM) program. Of those, 95 percent felt their BCM program made a significant or very significant contribution to improving the company’s ability to respond to an incident.
For companies that apply a structured, disciplined and organized approach that includes all stakeholders, the probability of performing better in a crisis is obvious. Having just a cyber incident management team is good, but it’s not enough. As demonstrated by the Ponemon Institute study, having a BCM program significantly improves a firm’s ability to identify, defend and defeat a cyber crisis.
It All Starts With Preparation
This all starts with how a company balances risk and its budget. The equation goes something like this: If you have an unlimited risk management budget, you could eliminate all risk in your company. Conversely, if you had a $0 risk budget, your company’s risk would be sky-high and your company likely wouldn’t be around for long.
Determining the right balance between budget and risk is quite difficult and is often elevated to a board discussion. Once your company appears in the news in conjunction with negative hack-related words, the risk budget miraculously grows. So, why wait?
Then there’s BCM governance and execution. Many companies have an incident management response team, malicious code prevention software and other cool tools. However, without proper governance and execution, these systems run in silos with no cohesive connection between the technology team, the businesspeople and the senior executives being held responsible for technology, processes and communications.
Sure, there are other elements important to a BCM program, such as cross-representation between BCM and cyber teams, increased and expanded cyberattack simulation testing and effective crisis management teams. However, without a meaningful budget and proper governance with execution, these other elements aren’t as effective.
The key message from the Ponemon Institute study is that all companies need a BCM program — it is a critical connector that ties business teams to technical teams and to senior executives.