National Cyber Security Awareness Month (NCSAM) seems like a quaint idea these days, does it not? Unless you’ve been living under a rock, it’s tough not to be hyperaware of the nearly endless stream of news around high-profile breaches and new threat actor exploits. But as with most things, awareness means little unless it translates to action.
For this year’s NCSAM, we are launching a three-part series on why cloud security matters, based on your organizational role. This week we will take a closer look at cloud security for business leaders, with future posts for compliance and DevOps professionals.
Now, if you’re a business leader, it can be easy to think of cloud security as simply an IT issue. But in reality, cyber security is about defending your reputation and bottom line from threats both external and internal, particularly as your organization looks to take advantage of the benefits offered by the cloud.
You are responsible
When you use cloud services, you need to understand that your CSP (cloud service provider) is not the only one responsible for handling security. In almost all cases, there is a shared responsibility model for cloud security, in which your CSP secures the underlying infrastructure, leaving your organization to secure whatever you put in the cloud. This means you’re responsible for securing your operating systems, applications, workloads and, most importantly, your data.
To effectively secure your cloud workloads, you have to know what you’re putting into your cloud infrastructure. This can be done through data classification and other secure data management practices. The accessibility and user-friendly nature of cloud computing solutions have accelerated the proliferation of shadow IT (i.e., the practice of using IT solutions without the organization’s explicit approval). In a global survey conducted by Brocade in 2015, 83 percent of respondents – all CIOs – expected unsanctioned procurement of cloud services to rise. This can expose your corporate network to myriad unexpected vulnerabilities, making data classification all the more important.
Employees can either be assets or liabilities
Employees play a critical role in the overall security of an organization. Most of the cyber attacks experienced by companies every year are indirectly caused by a lack of broad internal awareness and understanding of good security practices.
In a study by the Ponemon Institute, 70 percent of organizations experienced phishing and social engineering attacks. These types of attacks aren’t targeted at network devices or IT systems; rather, they’re specifically targeted at people in the organization. Social engineering and phishing emails both rely on deception to dupe people into providing confidential information, like login credentials or credit card data.
Even if you look into other types of cyber attacks – like ransomware – a significant portion are also caused by end-user security missteps.
There are serious legal and regulatory risks
Depending on the type of data you’re handling, the industry your business belongs to, or the state or region you’re operating in, your company may be governed by certain data protection/security laws and regulations.
For example, if you operate in the U.S. healthcare industry, you will have to develop safeguards for securing any electronic protected health information (ePHI) and meet a laundry list of HIPAA requirements. Or, if you’re handling credit card data, you may likewise have to meet PCI DSS requirements.
Failure to do so can be costly. Last year, Advocate Health Care had to agree to a $5.55 million settlement with the HHS’ Office for Civil Rights as a result of HIPAA violations. And Advocate wasn’t the only HIPAA covered entity compelled to pay a multi-million settlement in 2016.
Last but not least, you could also face lawsuits from customers impacted by any data breach incident.
Your reputation hinges on it
Data breaches, particularly those that involve customer data, can be a brand image nightmare. These incidents negatively impact customer trust and loyalty and eventually lead to increased churn rates.
In a 2015 survey conducted by PWC, respondents were asked what made a particular incident ‘the worst’. Of 39 organizations, 16 responded that ‘damage to their reputation’ had the greatest impact. The findings added that this was an increasing trend, up from 30 percent in 2014 to 41 percent in 2015.
Data breaches don’t just harm a brand’s image. They can also degrade your personal reputation as the head of an organization. CEOs and other executives have been forced to resign from companies like Target, Avid Life Media (parent company of Ashley Madison) and Sony Pictures after their organizations suffered a data breach.
It impacts your bottom line
Business leaders are seldom concerned with non-core business functions unless they affect the bottom line. The financial consequences of a weak or non-existent security program can be far-reaching, and can even force a business to close its doors.
Ponemon Institute’s annual Cost of Data Breach Study includes various correlations between data breaches, customer churn, and the corresponding cost. In the 2017 edition of this study, it found that organizations that lost less than 1 percent of their customer base after a breach incurred an average total cost of $2.6 million, while organizations that lost 4 percent or more incurred an average cost of $5.1 million.
On top of that, breaches are expensive in and of themselves. The average cost of a breach has increased 62 percent over the past five years, and the costs go up the longer it takes to detect and contain a breach.
Finally, breaches often result in downtime while a company works to recover. Gartner estimated downtime to cost more than $300,000 per hour. That was three years ago. We can imagine that, since more business operations are now highly dependent on network uptime, these costs will only continue to grow.
To dive deeper into each of the areas discussed above – and to learn what you can be doing as a business leader – click here to read our full analysis on why security matters for business leaders.
Next week, check back for our latest post, which will highlight why security matters for compliance professionals. Happy NCSAM!
 PWC, 2015 Information Security Breaches Survey