Cyber attacks cost the U.S. economy more than $100 billion in 2012 according to a study called "The Economic Impact of Cybercrime and Cyber Espionage," released by the social research firm Center for Strategic and International Studies. Of course, that number doesn’t include the damage to affected organizations’ reputations. That cost is impossible to calculate.
One thing is certain: computer security is no longer a technical challenge. It has become a strategic business issue, which makes it the business of the board of directors. Regulators have made it clear that protecting the enterprise’s digital assets is a critical part of the board’s fiduciary responsibility.
It’s not a question of “if” an attack will occur, but rather “when,” wrote Nels Olson, Aileen Alexander, and Jamey Cummings of Korn/Ferry International’s Board & CEO Services Practice in a November 4 BloombergBusinessWeek.com article. The first step, they said, is to ensure that someone on the board — or someone who reports to the board — is cybersecurity savvy. According to the article, boards are encouraged to prepare for an attack by:
- Conducting a thorough assessment of the organization’s current information security capabilities and vulnerabilities
- Reviewing security and privacy budgets, company security policies, and leadership roles and responsibilities
- Ensuring that the company has a strategic vision and plan for proactively protecting assets to keep pace with escalating threats and evolving regulatory requirements
- Developing a comprehensive incident response plan that is rehearsed, stress-tested, and publicly supported by senior management
- Confirming that the organization has the necessary leadership and talent to develop, communicate, and implement an enterprise-wide plan to manage cyber risk
- Implementing a strong communication and education program to raise awareness and encourage all employees to embrace responsibility for cybersecurity