Yes, you read the title of this blog post correctly. Information loss, while a serious consequence of cyber crime, is not the highest external cost organizations face when they experience a data breach.  

According to the Ponemon Institute, business disruption, which includes costs associated with business process failures and lost employee productivity, accounted for 39 percent of total external costs in 2015. Information loss and revenue loss follow at 35 percent and 21 percent, respectively.  

What exactly is business disruption? The definition Ponemon gives is “the economic impact of downtime or unplanned outages that prevent the organization from meeting its data processing requirements.” Essentially, business disruption is a result of a ripple effect. First, an individual contributor is prevented from performing her day-to-day tasks at work. When she isn’t able to complete her job, her manager falls behind. When her manager falls behind, directors and then senior leaders cannot successfully complete their jobs. Ultimately, this all affects the business’ bottom line.    

Since we are spending tens of billions of dollars on cybersecurity – $75 billion in 2015 – and will spend $150 billion by 2020 according to a report put out by Markets and Markets, it’s important to truly understand what is critical to your business before blindly throwing money at the problem.  

First, you must understand that cyber security isn’t solely a technology issue, a people issue, or a process issue. It’s a combination of the three. You can have the most intricate defenses for your technology, but if people don’t know how to use them, it’s all for naught. What complicates matters is that many boards and senior management teams struggle to understand where business risk and technology risk intersect.

Cybersecurity is a problem that must be addressed at the highest levels of your organization. However, keeping security teams out of the conversation or including them at the last second will truly disrupt business. It isn’t just a “security program”; it’s managing business risks and understanding this in the way you plan and manage your business amidst potential cybersecurity threats. Business models have to take into account the risks, rather than stating “this is the number of attacks and this is how we managed them”, which is the traditional approach to security risk management.  

The good news is that many organizations realize this is a problem and are actively trying to build more productive, transparent relationships with cybersecurity chiefs. If you are in this situation, it may be hard to know what to ask a cybersecurity executive. Don’t just default to sliding the latest front-page newspaper article detailing a high-profile data breach across the boardroom table and asking if you are vulnerable to a similar attack.  

The National Association of Corporate Directors shared key questions you can ask cybersecurity chiefs, including:
  • What was our most significant cybersecurity incident in the past quarter? How was it discovered?
  • What was our most significant near miss? How was it discovered?
  • How is the performance of the security team evaluated?
  • Do you have relationships with law enforcement, such as the FBI and Interpol?
  • Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
  • What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?




Business disruption is costly – having the right mix of people, process, and technology in place is crucial to ensuring you can continue to focus on your bottom line. Visit our website to learn how we can help you respond to any threat with our Incident Response Team, ready to neutralize threats the minute a cyber criminal is detected.

Written by Rob LaMear, CEO, US Cyber Vault
