BUSINESSMANAGEMENTREVIEW.COM DECEMBER - JANUARY 19

It is at this point that the team realizes the vendor did not send these coupons only to dormant customers; they were sent to active customers as well. The active list has 120,000 customers, and each one possesses a $20 coupon. Assuming 60 percent penetration, the cost of the program should have been approximately $120,000. With the error (using the same penetration rate of 60 percent), the cost of the project rises to over $1.8M.

Scenario #2 - The Company receives a report of suspicious activity on a particular piece of business. Upon further investigation, it was revealed that a portal to proprietary customer information had been open for a certain period of time. Once the portal was accessed by nefarious means, the information was placed for sale on the dark web. Remediation of this loss could be exceptionally expensive. Credit monitoring and restoration for affected customers, along with filings with each state where individuals were affected, could cost millions of dollars, with most of this being legal fees.

In both scenarios, the inability of an organization to recognize 'leaks' in the infrastructure can and will lead to financial consequences. This is far beyond anything envisioned when the initial cyber program was first implemented, prior to when these loss exposures were even recognized.

The control and management of the cyber infrastructure needs to be fundamental to the security process. These two scenarios reveal that an organization should not only 'plug the holes', but also manage and train staff to recognize the potential for severe losses and provide them with the resources and training to mitigate such potential losses before they occur.

In the first scenario, there was no breach in the process, yet the management of the program may have led to a costly error.
In this case, the internal project manager had become comfortable with the vendor over the years and allowed the vendor to oversee parts of the process that the PM should have been processing.

Since the management of the process was ceded to some degree, the vendor caused the error when the PM allowed the vendor to 'push the button' to activate the project. The lack of oversight and attention led directly to the error, costing the company a couple of million dollars and a severing of business relationships that had existed for years.

In Scenario #2, the legacy infrastructure, when upgraded or replaced, probably caused this breach. The actual breach occurred when the open portal was discovered, and this most likely happened because the legacy infrastructure did not recognize it as a problem. Also, some of the tactics used today to hack into a company's computer probably did not exist when the legacy hardware was installed, or it may not have been recognized by the newer program.

Cyber liability insurance, while a necessity in today's business environment, is becoming quite expensive, even with higher deductibles and lower limits. If a company decides not to purchase cyber insurance, it is taking a chance that could adversely affect the company's bottom line and could also threaten the overall business continuity of the company.

So, if you believe that you are safe from a breach, you are wrong. Hackers are getting better as computers get more sophisticated. Each business can mitigate its risk through fault analysis, and looking at the software AND the operators of these processes is key to mitigation.

Mitigation will not only reduce the frequency and severity of a breach, but it will also lead to lower insurance costs, as well as protect the company from interruptions/financial losses due to a breach.