A strategic approach to cybersecurity: as cybercrime grows faster than companies can defend against, it's time for a serious discussion on cybersecurity. Though many are calling for federal standards and regulations--which may be a matter of time--in their absence, organizations should transform how they think about cybersecurity.

Author: Bissell, Kelly

Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), in a recent New York Times op-ed, called on Congress to pass bipartisan cybersecurity legislation after two failed attempts. Likening the pending danger of cyberattacks to a looming Pearl Harbor, the senators maintain that absent mandatory cybersecurity requirements, "the day on which those cyberweapons strike will be another 'date that will live in infamy,' because we knew it was coming and didn't come together to stop it."

The senators are correct. Cybercrimes--against government facilities, public utilities and private enterprises--are on the rise at an alarming rate and represent a significant strategic threat to the security of the nation, its economy and the welfare of its businesses.

According to the just-released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, significant cybersecurity threats against U.S. government systems alone rose more than 680 percent between 2006 and 2011. This past year smartphones became a preferred target for cybercriminals, and the security firm Kaspersky Lab identified more than 35,000 malicious programs in 2012, six times more than the year before.

Mounting threats like these are why federal standards and regulations are ever more likely, despite the fact that the proposed bill backed by Sens. Lieberman and Collins died at the end of the last congressional session. Nevertheless, though legislation may be a matter of time, in its absence companies should transform how they think about cybersecurity.

The Growth of Cybercrime

Over the past 10 years, the criminal cyberworld has experienced a large shift from an individual, independent focus to a virtual, coordinated, collaborative model that thrives on innovation and data sharing. A malware ecosystem has emerged that supports this wave of cybercrime. Any potential hacker has an available network of resources from which to choose, and many have specialties.

The cost of fraud tools available to cybercriminals continues to fall. For example, InformationWeek reported that one package, the SpyEye Trojan, is now available free or at a fraction of its original $10,000 price tag. Groups engaging in cybercrime include nation-states, organized crime, individual hackers, corporate spies, foreign government agencies and others. And they have been successful.

The personal information of 94 million Americans has been exposed to potential identity theft through data breaches at government agencies since 2009. In 2011 alone, an estimated 71 million people in the United States were victims of cyberattacks costing them about $21 billion in damages, reports CNET.com.

Though many companies have made considerable strides to address cybersecurity issues in a strategic fashion, many others still do not have an adequate strategy or plan. Consider these responses as detailed in the recently released 2013 Deloitte Touche Tohmatsu Limited (DTTL) Technology, Media and Telecommunications Global Security Study:

* Less than half of survey respondents reported having a response plan in place to address a security breach and only 30 percent believe third-party suppliers are shouldering enough responsibility for cybersecurity.

* Nearly three-quarters (74 percent) of the 121 executives surveyed rate security breaches at third-party suppliers among the top three threats followed by denial of service attacks and employee errors and omissions.

* Other major threats identified by respondents include advanced persistent threats (64 percent) and hacktivism (63 percent), a category new to this survey that combines social or political activism with hacking.

* While more than half of those surveyed gather general intelligence information, only 39 percent gather information about targeted attacks specific to their organization, industry, brand or customers.

A cyberattack can deal a serious blow to a company's brand and reputation, and its consequences can be significant. Typically, they include:

* Increased spending on people, processes and technologies to strengthen information security in the organization;

* Lost revenues from unauthorized use of proprietary information or the failure to retain or attract customers;

* Litigation or pending litigation arising from a cyberattack; and

* Reputational damage and remediation costs that adversely affect customer and investor confidence.

The DTTL Technology, Media and Telecommunications Global Security Survey reported that the median annualized cybercrime-related cost for a company is $5.9 million.

So what does this mean for the C-suite, boards and financial executives, and what do they need to do about it? First, executives can become knowledgeable about what cyberattacks and cybersecurity are, as well as:

* Evolving cybercrime trends and regulations;

* Things to look for relative to cyberinsurance;

* The role of the C-suite and board in advancing cybersecurity;

* How to assess a specific company's risk; and

* Action steps worth considering.
