It’s natural to think cybersecurity belongs in the IT domain. It’s technological by nature and even the term itself implies that its natural home is with IT professionals. As a result, it can be a challenge for organizational leaders to understand their current defenses along with the full ramifications of security breaches and cyberattacks.
With security tools in place, it’s easy to think you’re protected. You’ve got filters, firewalls, and the like, so you’re good, right?
Well, in both cases, the bigger picture is often being missed.
Without a cohesive cybersecurity strategy, are your organization’s key technology assets truly protected? And are your defenses the right tools for the job? More importantly, leaders need to know that issues arising “solely in the IT domain” can quickly spread to infect the entire organization. In other words, “IT problems” are just “IT problems” until they cost the whole organization large sums due to lost productivity and remediation efforts.
How to Quantify Cybersecurity Risk
One complication is that cybersecurity risk can be tough to quantify. But recent industry studies have provided some simple guidelines to help. Consider the following examples.
The average primary care physician office sees 2,300 patients.[i] And per a recent IT industry study, the medical field has the highest cost per breached record at $429 each, because the records contain personally identifiable information (PII).[ii] Using these figures, the average U.S. primary care physician has almost $1 million in potential exposure from a security incident:
Records with PII x cost per record by industry = exposure
2,300 patients x $429/record (medical) = $986,700
Similarly, a manufacturer with $25 million in annual revenue generates about $100,000 worth of product per business day.[iii] If it were unprepared for a cybersecurity attack, production could be down for 15 days or longer, which could mean $1.5 million or more in lost revenue:
Days of downtime x cost per day of downtime = exposure
15 business days x $100,000 per day = $1.5 million
There are two additional important considerations. First, these figures are only for a single breach, and costs escalate quickly when an organization is attacked repeatedly. Second, these formulas don’t account for reputational damage and the cost of inefficiency due to team members still working but not having full access to needed systems, both of which can be substantial.
Start with STRATEGY
The first step to take is to determine your organization’s cybersecurity strategy. It can be easy to chase after security tools, especially with so many off-the-shelf solutions available. But without a protection strategy in place, your organization’s cybersecurity measures could still have vulnerabilities.
Cybersecurity incidents are ultimately business risks and must be addressed through a combination of business and IT resources. A robust strategy will ensure that your program addresses your specific business risks. Partnering with Rehmann Technology Services, you’ll identify what’s important to your organization from a technology risk perspective and how you want to protect it.
Our team also helps pinpoint where you are currently on the National Institute of Standards and Technology (NIST) implementation tiers to help guide how robust you want your program to be. This industry standard describes a range of desired proactivity as it pertains to cybersecurity, from Partial (i.e., only deal with problems as they arise) to Adaptive (i.e., constant monitoring and refinement).
These efforts will help your organization get started on an IT governance policy, including identifying key components of your cybersecurity program and who will lead the effort. The strategy phase makes cybersecurity more “known” across your organization, getting people on the same page.
Prioritize Your Security
Without full-fledged planning and adoption, any cybersecurity strategy and tactics are less effective because protection only extends so far. The right assets may not be protected correctly, or the security toolkit could be lacking.
Plus, the numbers don’t lie – breaches and cyberattacks are becoming more common and more expensive. If you’re not protected, it’s just a matter of time before those pesky “IT problems” infect operations, the bottom line, and perhaps even your organization’s solvency.
Make cybersecurity a priority. The harder you make it for attackers, even with just some simple preventive measures, the less desirable a target you become.
By creating a solid strategy, you’ll be heading down the right path. By the end of this process, you’ll have a fundamental understanding of your organization’s cybersecurity situation and needs. Your team will also have a documented strategic overview, including key personnel, pointing the way forward.
Download our Free 5-Step Guide to learn more about the five steps you need to take to be CyberReady and protect your organization.
[i] Annals of Family Medicine, September/October 2012, “Estimating a Reasonable Patient Panel Size for Primary Care Physicians With Team-Based Task Delegation”
[ii] IBM and Ponemon Institute, 2021, “Cost of a Data Breach Report”
[iii] Assumes 250 working days per year