With the increase in frequency and severity of cyber-attacks and other cyber-crimes, businesses are finding that maintaining information security has become a top priority for senior management. In fact, a survey conducted by the Bureau of Justice Statistics revealed that almost 70 percent of the businesses surveyed had been the target of at least one cyber-crime.
The term cyber-crime covers all computer security incidents, including cyber-attacks and cyber-theft. A cyber-attack occurs when a criminal attacks the computer system of a target using computer viruses, denial-of-service attacks or another form of computer sabotage or vandalism. Cyber-theft occurs when a criminal uses a computer to steal money or services, including incidents of embezzlement, theft of intellectual property and theft of personal or financial data.
The Financial and Business Impact of Cyber-crimes
These crimes used to be the province of mischievous young adults who wanted to prove their hacking abilities. However, because of the potential for lucrative payouts, the criminals have become increasingly sophisticated and organized. In fact, the Bureau of Justice Statistics survey revealed that cyber-crimes frequently cost more than $10,000 and resulted in system downtime of more than one day.
In addition to the financial cost and inconvenience associated with cyber-crimes, companies need to be concerned with the risk to reputation and the loss of customer confidence that can result from them. As the use of technology continues to grow and as cyber-criminals become more aggressive and skilled, companies can expect an increase in the frequency of cyber-crimes. The survey by the Bureau of Justice Statistics revealed that approximately 85 percent of companies that were victims of cyber-crime were targeted on multiple occasions.
The Need for Increased Information Security
As cyber-criminal activity has increased, companies have responded with increased information security. Many companies now have information technology departments, which include a chief information security officer. These individuals are responsible for the company’s system security and report directly to senior management and the company’s Board of Directors.
The Importance of a Security Governance Board
In addition, many companies are creating security governance boards that are charged with reviewing and maintaining the company’s information security policies. Another important task of these boards is keeping informed about new cyber-attack methods and approaches, as well as the company’s particular vulnerabilities to cyber-crimes.
A security governance board operates like any other committee of a Board of Directors. The security governance board should include at least one member of senior management, the company’s chief information security officer, a legal advisor and outside directors or individuals with significant business or personal experience with respect to enterprise and information security.
The responsibilities of a security governance board include reviewing, auditing and testing current information security procedures and protocols. The security governance board is also responsible for reporting these results and recommended improvements to senior management and the Board of Directors.
Companies that make information and enterprise security a high priority may be able to reduce the incidence and severity of cyber-crimes initiated against them. An established security governance board is an important tool because it creates a centralized resource for identifying and protecting a company’s digital assets, financial resources and reputation.