In today’s business environment, implementation of a cyber security program is a necessity. Many people correlate cyber security with an insurance policy, which is incorrect. Implementing a cyber security program is better related to risk management. Insurance provides compensation after an incident has happened. The idea of risk management prevents or minimizes the incident occurrence.
A cyber security program has many facets. In most cases, adding a firewall to a computer system does not constitute implementation of a cyber security program. The many facets of cyber security include addition of hardware, installation of security software, and training personnel in cyber security policies. Implementing the program may have significant costs. Minimizing the cost and meeting the appropriate cyber security requirements is the challenge.
Decisions for many facility or company improvements are based on Return on Investment (ROI) analysis to implement changes. Determining the ROI should be done based on factors associated with the risk of a cyber security incident. The impact of a cyber security incident could have a significant negative perception, impact the reputation, and potentially cause a financial impact to the company or facility. Examples of the negative impact have been seen from recent cyber security attacks on Target, Marshalls, and the Stuxnet attack. If the company or facility is perceived as a risk to personal financial information, environmental contamination of the surrounding area, potential of significant explosion by mixing inappropriate materials, or general safety, the company or facility will sustain a financial impact. This impact may be from fines or penalties and can also be from additional costs associated with a hazardous facility or company. The perception of risk from a cyber security intrusion may affect stock prices, personnel wages, insurance costs, and future potential for plant or company improvements or expansion.
When planning to implement or improve a cyber security program, the following criteria needs determined:
- Identify the regulatory requirements, both future and pending
- Establish current system status and planed upgrades
- Assess the risk associated with implementation of various levels of the cyber security program
- Determine current personnel capabilities and any need for external support
Cyber security implementation should reduce and minimize the risk of a cyber security attack. A cyber security program should not be thought of as insurance. Insurance compensates after the incident. Once the incident has occurred, damage to the facility or company reputation and perception will continue. The intent of insurance does not provide restoration to a loss of reputation or perception. A determination of the cost to the company or facility’s loss of reputation should be a significant factor in determining the cost of implementing a rigorous cyber security program.
Special thanks to Bernie Pella (firstname.lastname@example.org) for contributing to this article.