4 ways to prepare for a cyberattack



Corporate Governor

Unprepared organizations pay more for cyberattacks

Providing vision and advice for management, boards of directors and audit committees Winter 2015

Skip Westfall, Managing Director, Forensic and Valuation Services

For those of you with your head in the sand, trying to avoid thinking about cybersecurity, it will cost you — literally. In 2013, 43% of organizations experienced a data breach, each costing an average of $5.9 million, or $145 per record of information.[1] Of those breached companies, 62% lacked an incident management plan; those with a plan in place reduced the cost per record by $12.77.

You can’t afford to sit around and hope a cyberattack won’t happen. The best thing you can do is be proactive. Come up with a plan and ask yourself: What can we do to prepare our company?

[1] Ponemon Institute. 2014 Cost of Data Breach Study, May 5, 2014. See ibm.com/services/costofbreach for details.

4 ways to prepare for a breach

Lay the foundation for your cybersecurity defense with these four steps:

1. Data mapping and classification. Before you come up with a plan to protect your data, you need to know what you are protecting. That’s where data mapping comes in. It’s the digital equivalent of going through your home and inventorying your valuables for insurance purposes. Data mapping can help you answer important questions like: “What are the crown jewels of our business?” “Is IP important?” “Are we an information-gathering or data-hosting firm?” For each data set, record where it lives, who owns it, who can access it and what it would cost the business to lose or expose it. You need to know what your assets are — as well as their value — in order to protect them.


2. Conduct a vendor assessment. You need to account for data held by business partners, vendors and other third parties, not just the data stored within your organization. Are they protecting data with the same fervor you are? To find out, it’s critical to assess your partners’ cybersecurity measures and your vendors’ own security management processes. You’ll need to determine how these organizations will protect your data, whether through contractual requirements, assessments or audits. Include in the inventory any network connections or credentials those parties hold into your own systems; a third party’s access is part of your attack surface. Depending on the size of your organization, your vendor management group may be able to handle this, or it might require a combined effort, with your accounting group and IT security staff working together to look at vendors.

3. Create a risk profile. There’s no way to know how vulnerable your systems really are without having someone try to hack them. Hire an outside firm to conduct a vulnerability assessment and penetration test (i.e., ethical hacking). Form a risk profile based on its report and identify the biggest weaknesses in your systems. Keep in mind that a penetration test reports what one team found within an agreed scope and time window, not every weakness you have, so weigh its findings against the data map from step 1: a moderate flaw in a system holding your crown jewels may matter more than a severe one in a system holding nothing of value. The information will help you decide where to allocate your resources and what areas to prioritize.

4. Create an incident response (IR) team and develop a plan of action. While cybersecurity may seem like a specialized issue, it has a much broader impact than your run-of-the-mill IT matter. As such, you’ll want to have a defined IR team at your disposal to help tackle any potential breaches. Some organizations appoint a chief information security officer to oversee cybersecurity efforts and report to the internal audit leader or CFO. The creation of such a position can decrease the cost per record of information by $6.59.[2] The rest of the team should include representatives from all data custodians, such as HR, marketing, accounting and R&D, as well as the security officer and IT director. In some cases, you’ll also want to include any vendors or partners that have access to your data, as well as members of your PR team, an established contact at a federal law enforcement agency, and a specialized consultant who can help you in case of a breach.

With your team activated, you can create an IR plan to outline your responses to various scenarios, establish a base of operations and name a single point of contact. Your risk profile and IR plan should be living documents. Ideally, you should conduct a vulnerability assessment and penetration test every six months, updating the risk profile and informing the IR team of the results so they are aware of the evolving strategy. If you do things right and have a team and plan in place, you can contain a cybersecurity incident quickly, rather than improvising for days, and begin restoring faith in your brand.

Even after these steps have been taken, your work is not done. Your organization must maintain constant vigilance and be proactive. The IR team should meet with stakeholders and update its risk profile regularly — at least once a quarter — and as the organization evolves, so should its risk profile.

[2] Ibid.


What to do if you experience a breach

Planning and risk mitigation are important, but they cannot guarantee protection from an attack. If you experience a breach, the first thing to do is notify outside counsel, who will direct your team as they start executing your IR plan; engaging counsel first also lets the investigation that follows be conducted under legal privilege. Bring all the stakeholders to the table and keep any relevant parties apprised of your team’s findings.

Your IT services adviser should act quickly to assess and report on the extent of the breach, ideally within 12–18 hours. Your adviser will then perform data analytics on server logs, routers and network operations devices to understand anomalies and determine where the breach originated. They will address whether the breach was internal or external, or possibly even employee-assisted. Perhaps your own systems were never directly compromised and the attackers got in through a third party’s access to them. The adviser will collect email from servers, as well as review unstructured data, to determine whether your organization did what it could to prevent the breach. Finally, upon completing the investigation, the adviser should work with your IR team to preserve the evidence (disk images, logs, captured malware) before anything is changed, then patch holes or remove malware, and get your organization back online to avoid operational delays. Remediating first and preserving later destroys the record you will need for counsel, regulators and insurers.
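The log review described above, as an added example that is not part of the newsletter and not Grant Thornton’s own tooling: a Python script that parses sshd authentication lines and flags three patterns an investigator looks for when locating the origin of a breach: a burst of failed logins followed by a success, an account logging in from a source address it has never used before, and logins outside working hours. The log lines, host names and addresses are constructed for this example (documentation address ranges, not real systems); the five-failure threshold, the 60-second window and the 07:00–19:00 working-hours assumption are illustrative choices a real investigation would tune to the environment.

```python
"""Anomaly triage over sshd authentication logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Story: 'svc_backup' is password-guessed from 203.0.113.7
# late at night until a login succeeds, then the same account appears from a second
# never-before-seen address (possible lateral movement). 'alice' is normal traffic.
SAMPLE_LOG = """\
Jan 12 08:02:11 web01 sshd[1201]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Jan 12 08:15:43 web01 sshd[1210]: Accepted password for svc_backup from 198.51.100.30 port 51001 ssh2
Jan 12 22:41:02 web01 sshd[1300]: Failed password for svc_backup from 203.0.113.7 port 40001 ssh2
Jan 12 22:41:03 web01 sshd[1301]: Failed password for svc_backup from 203.0.113.7 port 40002 ssh2
Jan 12 22:41:04 web01 sshd[1302]: Failed password for svc_backup from 203.0.113.7 port 40003 ssh2
Jan 12 22:41:05 web01 sshd[1303]: Failed password for svc_backup from 203.0.113.7 port 40004 ssh2
Jan 12 22:41:06 web01 sshd[1304]: Failed password for svc_backup from 203.0.113.7 port 40005 ssh2
Jan 12 22:41:09 web01 sshd[1305]: Accepted password for svc_backup from 203.0.113.7 port 40006 ssh2
Jan 12 22:55:30 web01 sshd[1310]: Accepted password for svc_backup from 192.0.2.99 port 40100 ssh2
Jan 13 08:03:15 web01 sshd[1400]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed password" line; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2015):
    """Parse sshd auth lines into dicts sorted by time. syslog omits the year, so
    the caller supplies it (assumed 2015 here to match the newsletter's date)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event we care about
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, fail_threshold=5, window_seconds=60, work_hours=(7, 19)):
    """Return (timestamp, kind, user, ip) tuples for three suspicious patterns.
    The per-user set of 'known' source IPs is built from the stream itself; in a real
    investigation it would come from weeks of history preceding the incident window."""
    findings = []
    seen_ips = defaultdict(set)          # user -> source IPs seen in earlier successes
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts

    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            recent_failures[key].append(e["ts"])
            continue

        # Successful login: did a burst of failures from this (user, ip) precede it?
        recent = [t for t in recent_failures[key]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            findings.append((e["ts"], "brute-force-then-success", e["user"], e["ip"]))

        # First login from this address for an account that already has a baseline.
        if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
            findings.append((e["ts"], "new-source-ip", e["user"], e["ip"]))

        # Outside the assumed working hours (illustrative assumption, not a rule).
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append((e["ts"], "off-hours-login", e["user"], e["ip"]))

        seen_ips[e["user"]].add(e["ip"])
        recent_failures[key].clear()
    return findings


def probable_origin(findings):
    """Earliest finding is the best first guess at where the intrusion began."""
    return min(findings, key=lambda f: f[0]) if findings else None


if __name__ == "__main__":
    found = find_anomalies(parse(SAMPLE_LOG))
    for ts, kind, user, ip in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:26} user={user} ip={ip}")
    print("probable origin:", probable_origin(found))
```

The three detectors are deliberately simple and cheap to run over a whole retention window; their value is in ordering the timeline, so that the earliest corroborated anomaly (here, the guessing burst against the service account) becomes the starting point for pulling packet captures, process listings and the account’s subsequent activity. The same structure applies to VPN, web-application or Windows security logs once the parser is swapped for the relevant format.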

After the initial crisis, your adviser will work with the in-house IT team to rebuild or replace any compromised systems and implement projects to address the security weaknesses the investigation exposed. You may need litigation support, project management and PR services. Long term, you’ll likely work with IT analysts, industry experts and other specialists to assess processes and make any necessary changes to the IR plan.

Plan now, thank yourself later

Ignoring cybersecurity issues will cost you. Ask yourself what you can do to bolster your internal defenses, and then take steps to establish an IR plan. The immediate benefit will be the peace of mind you’ll get from your actions. Should you experience a breach, the money and brand reputation you will save will be invaluable. So don’t be sorry, be prepared.

Contacts

Skip Westfall
Managing Director, Forensic and Valuation Services
T +1 832 476 5000
E [email protected]

Brad Preber
National Managing Partner, Forensic and Valuation Services
T +1 602 474 3440
E [email protected]

Editor
Evangeline Umali Hannum
E [email protected]


About the newsletter

CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit grantthornton.com for details.

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd

Connect with us

grantthornton.com

@grantthorntonus

linkd.in/grantthorntonus