Conducting a Cyber Security Maturity Assessment for Your Organization
Sep 03, 2019
Have you ever considered the impact of a cyber breach on your business, and quantified what those costs would be using a cyber security risk assessment?
According to the 2018 Cost of a Data Breach Study conducted by Ponemon Institute, the average cost of a data breach for a small to medium-sized enterprise is $3.86 million, and the average time a hacker is in the system before being discovered is around 180 to 200 days. Although these are average numbers, they can still be applied to your business. Scale the costs to account for the size of your organization (for instance, whether you are a small or medium-sized business) and you can see how these numbers translate into significant damage and costs for your company.
The costs that affect your business may vary, but some common examples of costs associated with a data breach include:
- Digital Forensic Organization Fee: This type of fee will include imaging the drives, preserving the logs, and finding out what happened, how the hacker got in, where they went, and if there is malware in the system. An average engagement fee to hire this organization is around $15,000-$20,000.
- PR Consultant and/or Attorney Fee: Legal fees are another common cost for a business experiencing a data breach. It’s vital that communications to clients about the breach and the possibility of their data being affected are conducted in the right way. This helps preserve the reputation of the brand and ensures that what’s being said is reviewed by your legal counsel.
- Remediation Costs: Remediating the breach can include incremental costs as well. These costs can be the result of reimaging the servers, rebuilding the databases, buying new firewall equipment, installing VLANs, and providing better segmentation and encryption.
The costs following a breach can escalate quickly, especially if your organization is in a highly regulated industry such as healthcare. Your costs could begin at an average of $11 million even if you have an incident response plan and team in place.
Cyber security is multifaceted and there isn’t a silver bullet: everything from firewalls to encryption to endpoint protection is an important security measure in a layered cyber security approach. It can be difficult to determine which cyber security measures your organization needs, but one step you can take is to perform a cyber security risk assessment. You can use this to compare the risks your organization faces with the associated costs.
Cyber Security Risk Assessment: Balancing the Cost vs. Risk
As you begin to spend money, risk will be reduced, but there isn’t one specific thing that will reduce the risk; it’s multifaceted. So the question remains: how much money should you really spend in order to reduce the risk?
According to Gartner, organizations nominally successful in their cyber security endeavors should spend 6% of their IT budget on cyber security. Immature organizations may need to spend 15-20% to catch up to a reasonable state, and even more if the organization is in a heavily regulated industry. Below is a chart depicting the cost versus risk relationship associated with cyber security. This chart depicts a few key insights that are important to remember, including:
- It is impossible for any organization to achieve 100% risk elimination.
- The law of diminishing returns is present when looking at security risk vs. cost.
- An organization can find an optimization point using analysis and facts within the company.
- A company should assign risks beyond the optimal cost point.
Looking at this figure, it’s time to ask yourself where you are on the cost-versus-risk curve. A cyber security risk assessment can help you do this.
Cyber Security Maturity Assessment
Once you have determined that it’s time to take a closer look at your cyber security, it’s time to put your organization through a cyber security maturity assessment. This assessment will attempt to pinpoint the level of cyber security maturity your organization currently has and where improvements can be made.
Secuvant offers cyber security assessments that begin with an executive-level workshop to discuss the prioritization of an organization’s business objectives. Executives learn about the Secuvant Cyber 7 methodology to determine what is important to their business, such as compliance and governance (HIPAA, PCI) or data and intellectual property protection for securing patents or controls.
From the executive-level workshop discussion, we analyze all cyber security efforts currently being implemented and determine the cyber security maturity of your organization based on the following ten factors:
- Aligns cyber risk to business risk at the executive level
- Operates a cyber security steering committee
- Understands the security gaps and risk within our business
- Creates and publishes an incident response plan
- Documents and publishes formal information security policies
- Manages 3rd party/vendor cyber security risk
- Conducts formal audits of security controls
- Understands coverages and gaps of cyber liability insurance policy
- Identifies and classifies critical and sensitive data
- Performs ongoing security training and phishing testing campaigns
To learn more about what each factor above entails and to find out where your organization scores on the cyber security maturity assessment scorecard, watch the webinar by Greg Johnson, VP at Secuvant, on The Average Cost of a Cyber Breach in the U.S. here. For more information on our cyber security maturity assessment or managed detection and response services, reach out to one of our professionals at firstname.lastname@example.org or 855-732-8826.