Majority of Organizations Don’t Have Risk Management Plan

About one in five organizations within the banking and insurance industry feel confident they can detect a data breach, yet, the vast majority of their customers, 83 percent, trust these same companies to have high standards for cybersecurity practices, according to a survey by Capgemini. Capgemini Global Cyber Security Chief Operating Officer Mike Turner was quoted in eSecurity Planet, stating:

Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100 percent secure. While banks are evolving to combat the sophisticated threat cyber criminals pose, public understanding of the threats and challenges remains low.

If I’m a bank or insurance executive, I’m sighing with relief that my customers trust me and my security efforts so much. It means that they trust the company’s brand, and according to a recent Ponemon Institute study, in partnership with RiskVision, the majority of companies actually fear the loss of brand reputation over data breaches due to lack of risk management strategies.

Enterprise understands that serious cybersecurity are threats lurking – how can you not in today’s landscape? Yet, 76 percent of these organizations reported that they either don’t have a clearly defined risk management strategy in place or the one that they have isn’t applicable to the entire enterprise. At the same time, two-thirds of these companies are more worried about their brand taking a reputation hit rather than the actual data breach. I would think it would be the other way around – that they worry about the data breach more because of the damage it can do to the brand – but this isn’t the case. In a formal statement, Larry Ponemon, chairman and founder of the Ponemon Institute, explained why:

While security breaches are costly to detect and remediate, the expenses are finite. On the other hand, expenses around compliance, customer attrition and negative public relations incurred due to the resulting loss of brand and reputation are ongoing, sometimes dragged out for months or even years, and are much more difficult, if not almost impossible to predict or gauge.

All right, I can understand that rationale. However, it doesn’t explain why half of these organizations surveyed don’t have a formal budget for risk management strategies or 69 percent don’t have metrics for determining risk intelligence effectiveness. But it isn’t all bad, as a Security Intelligence article pointed out:

The good news, according to Dark Reading, is that executives are waking up to the need for effective measurement. Just 21 percent of companies analyzed risk in real-time 18 months ago. Today, that figure stands at 32 percent. Gartner also noted an increased demand for risk management technologies.

They understand the need. Now is the time to step and do something to earn that consumer trust.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba