Three recent studies provide a great reminder of the threats of data breach—and the role workers and IT departments play in either maintaining a company’s defense or letting malware storm the gates.
In its 2014 Data Breach Investigations Report, Verizon identified nine patterns that were responsible for 92% of the confirmed data breaches in 2013. These include: point of sale intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial of service attacks, and cyber-espionage. They have also identified the breakdown of these patterns in various industries, highlighting some of the greatest sources of cyber risk for your business:
A growing number of public companies with complacent SOX programs are facing restatement and penalties from improper disclosures, improper revenue recognition and improper expense recognition. A fear of non-compliance with SOX and COSO 2013 has increased the risk that companies will adopt narrowly focused programs that attempt to mitigate the immediate regulatory compliance risks while failing to address the true intent of these regulations. It is a classic case of complying with the “letter of the law” and not its intent. The solution is for internal audit to lead through risk management assurance.
SOX compliance is now a routine process for most companies. How can we then explain the rapidly growing number of restatements and recognition complaints when companies certify they are in compliance?
I agree with Norman Marks, who believes that “complacency and denial” is being perpetuated by routine and checklist-like reviews. Norman recently wrote about his favorite role that internal audit (IA) plays in an organization. He describes that role as a fighter against “complacency and denial” that can be perpetuated by routine and checklist-like COSO [and SOX] reviews where it is easy to utter “we have completed our quarterly review of the top risks and believe they are effectively managed.” He compares this delusional form of risk management to an “ostrich sticking his head in the sand while the battle rages around him and saying I looked up an hour ago.” Read Norman’s Blog on CAE Risk Intelligence.
The 2014 BCI Middle East Awards were presented on 7th May as part of the integral BCI Middle East Conference in Dubai.
The winners were:
Business Continuity Consultant of the Year
Thomas Keegan, MBCI
Business Continuity Manager of the Year
Abdulrahman Alonaizan, MBCI
Business Continuity Team of the Year
BCM Newcomer of the Year
Yasmine Elhamouly, AMBCI
Business Continuity Provider of the Year (Service)
Deloitte & Touche
Most Effective Recovery of the Year
Etihad Etisalat - Mobily
Industry Personality of the Year
Ahmed Riad Ali, MBCI
Regulatory and legislative change has assumed the prime position as the leading risk for Australian and New Zealand businesses in 2013/2014, followed by concern regarding deteriorating local economic conditions and the impact of people risk.
These are the major findings of Aon’s 12th annual Australasian Risk Survey, which provides a snapshot of the risk management practices of 380 businesses operating in 15 key industry sectors, including 23 of the ASX top 100 Australian companies.
According to the survey, the top ten risks to Australian and New Zealand businesses are:
The number seven crops up in many contexts: the Seven Wonders of the World, the seven dwarfs, and now the seven levels of cyber security. Let’s start with the different levels of threats posed by hackers. In order of increasing severity, we have: script kiddies (hacking for fun); the hacking group (often the first level of threat for SMBs); hacktivists (politically/socially motivated); black hat professionals (expert coders); organised cyber-criminals; nation states (NSA-style); and finally, the automated malicious attack tools that can infect huge numbers of organisations. With these seven levels of threats, what are the solutions?
Today we published a new Forrester Wave: Social Risk & Compliance (SRC) Solutions, Q2 2014. This report evaluates 10 vendors emerging to help organizations enable companywide use of social media while providing the necessary controls and oversight to mitigate associated risks and enforce compliance.
Use of social media today is rampant.
It’s no longer just your marketing team that uses social media for business purposes. Employees across the entire organization use social media for personal and professional reasons, leveraging social to drive real business for your company. The opportunities to enhance your brand, deepen customer relationships, and glean new customer insights are all too valuable to ignore; but the risks are real too.
Keynote speaker and facilitator at this year’s BCI Executive Forum, Dr James Bellini sets the scene and identifies some of the major issues that will face business continuity professionals in the years ahead:
As a futurologist of many years’ standing I am regularly confronted with requests to ‘predict’ the outcome of some activity or development in the world of tomorrow. On occasion I’m even asked the name of the winner of an important upcoming horse race, or the score line of a major soccer match a few weeks hence. If only my crystal ball were that magical ... but it also reveals a basic misunderstanding of what futurology is all about.
I see my task as threefold: to apply a reality check on popular perceptions of the world around us, to create a framework for examining how ‘the future’ might unfold and to identify one or two possible future events or issues that would, if they actually occurred, pose very serious challenges for either business, government or the wider society – or all of these together.
Generally speaking, I think internal auditors do a good job of assessing risks and developing risk-based audit plans. But there is always a danger that unfamiliar risks may be overlooked or that rapidly emerging risks will render even the best-crafted audit plans obsolete. If you typically undertake risk assessments only once or twice a year, you may not have incorporated several risks that have suddenly burst onto the radar of management or the Board of your organization.
Here are some areas that should be in our risk crosshairs in 2014:
A new study, “The Valuation Implications of Enterprise Risk Management Maturity,” released by the Journal of Risk and Insurance, has found that organizations exhibiting mature risk management practices realize a value growth potential of up to 25%.
The survey is the first wholly independent research project that confirms the value connection of mature enterprise risk management practices in organizations. Using data from the RIMS Risk Maturity Model (RMM) gathered from 2006 to 2011, Mark Farrell, the paper’s author and the actuarial science and risk management program director at Queen’s University Management School of Belfast (QUMS), and Dr. Ronan Gallagher of the University of Edinburgh Business School provided evidence through this research that firms that have reached mature levels of enterprise risk management qualities exhibit a higher firm value. The broad data set encompassed publicly-traded organizations from a variety of industries. Nearly half the data tabulated by the researchers were submitted by RIMS members.
The Ponemon Institute has published its ninth annual Cost of Data Breach Study, which was sponsored by IBM.
According to the benchmark study of 314 companies spanning 10 countries, the average consolidated total cost of a data breach increased 15 percent in the last year to $3.5 million. The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145.
Interestingly, the research was able to provide quantified evidence for the advantages of linking information security management and business continuity management programs, finding that the involvement of business continuity management reduced the cost of a data breach by an average of almost $9 per record.