Most companies do a poor job of handling cybersecurity, even as their losses to cybercrime continue to mount, according to a report issued this month by the Internet Security Alliance and the American National Standards Institute. That’s because companies tend to turn over too much responsibility for cybersecurity to their IT departments — which may already be overburdened — and don’t involve the business side as much as they should. “Cybersecurity is far more than than a simple technical glitch,” said Larry Clinton, the CEO of ISA, in an interview. “It’s an enterprise-wide risk, an economic strategic issue, and people are not explaining it enough.” Called The Financial Management of Cyber Risk, the report is intended to be a handbook for companies on how to get their chief financial officers and other senior business staff involved in cybersecurity decisions so the company can better understand its true risk. The report cites federal data from 2008 estimating that businesses have lost more than $1 trillion in stolen intellectual property — and that number excludes losses due to theft of personally identifiable information, system downtime, bad publicity and customers who take their business elsewhere after a breach. Despite those losses, spending on cybersecurity has been reduced or deferred in the last year or so due to the economic downturn, and less than half of companies have a formal plan to manage information security risk. According to research by Deloitte, which the report cited, three quarters of U.S. companies have no chief risk officer, and almost none involve the chief financial officer in managing their risks. Also, senior executives have the additional disadvantage of being too old to have grown up with computers — they are “digital immigrants,” the report said, and are likely to face “‘language barriers’ when it comes to the rhetoric of information security.” ISA and ANSI have developed a six-step plan for companies to improve the way they handle cybersecurity — they developed this by meeting with people from 60 private sector organizations and government agencies at a series of conferences across the U.S.

Six Prevention Steps

The good news is that most cyberattacks are unsophisticated and can be easily prevented, according to data from PricewaterhouseCoopers, the CIA, and the NSA — the NSA’s Richard Schaffer told Congress last November that 80 percent of cyberattacks could be prevented “by using existing standards/practices and technologies.” So here are the six steps:

1) Own the problem. IT people may need to educate their bosses on what the problem is — what role technology plays in the organization and how the IT department works.
2) Appoint a cyber risk team with employees from across the organization. (The report helps identify who should be represented).
3) Hold regular meetings, and meet in person if you can. Otherwise use videoconferencing so people can see each other.
4) Use this group to develop a cyber risk plan that includes your IT architecture, its levels of risk and an incident-response plan in case of a breach.
5) Then develop a cyber risk budget based on the estimated cost to your company of a breach.
6) Implement and test your plan. Then use it.

Clinton said there’s been good response to the report so far. The FDIC has asked for a presentation, and Loyola University is looking at making cyber risk a part of its MBA program. Ultimately, though, he thinks companies are going to have to restructure themselves if they want to handle cyber risk. “American business has silos, with segmented roles and responsibilities, but cyber cuts across all those,” he said. “We have to rethink how to structure our businesses, and the rules of warfare, and our notions of privacy and the relations between the private sector and government. It’s the private sector now on the front lines of defense.” The report has been endorsed by Melissa Hathaway, who was President Obama’s interim cybersecurity coordinator before Howard Schmidt was appointed to the post in December.