On average companies don’t find out about breaches until 150 days later
The number and complexity of cyber-security regulations can be problematic for companies as cyber-attacks become more complex and occur more often, and organizations need policies in place and an understanding of standards in order to operate their risk-management programs. It is often difficult, however, to get a clear answer on whether an organization’s cyber-security practices are reasonable, says Christy Weisner, director of Thomson Reuters’ legal managed services.
‘There is no clear industry standard for cyber-security preparedness,’ she explains. ‘While certain federal agencies have begun to issue guidelines for what they consider reasonable practices (notably the New York State Department of Financial Services), it is difficult to know whether an organization’s current policies will be considered reasonable after a breach has occurred.’
It can also be challenging for companies to decide which kinds of risks they face and determine the cost for each. ‘Only a sophisticated analysis of an organization’s potential losses will help leadership understand the resources necessary to set up an appropriate cyber-security program,’ says Weisner.
‘On average it takes a company 150 days to discover that an intruder has penetrated its systems,’ says Brian Finch, partner and co-chairman of Pillsbury’s privacy, data and cyber-security practice. ‘Protections are required to rapidly identify threats that have entered a system and a response program is needed to prevent the infection from spreading throughout the whole system.’ Even after a company discovers a threat in its system, it can remain on the system several months before the threat is contained or eliminated.
A holistic approach to identify potential vulnerabilities and a comprehensive program using a team approach is one way to deal with cyber-security issues. ‘Cyber-threats and the regulations created to counter them have grown incredibly complex,’ says Finch. ‘With that in mind, it is helpful to bring multiple perspectives and skill sets together in order to attack the problem.
‘No organization is fully capable of handling a major cyber-security incident or program by itself. The US government relies on an army of technology and service providers to supplement its robust internal cyber-security capabilities, so it would be folly for any private company to assume it can manage cyber-risks on its own.’