Developing an Effective Cybersecurity Strategy for Your CRE Firm
It may be easy to get lulled into a false sense of security. But we live in a world where privacy cannot be taken for granted. The internet and technology are required aspects of doing business today. That means it’s more important now than ever before to take the appropriate measures to develop a cybersecurity strategy for your CRE firm – and one that will effectively protect you, your clients, and your assets.
Why You Need a Strategy: The Cost of Cyber Risk
Cybersecurity threats can result in substantial legal and financial risks to the firm, not to mention the damage they can do to an organization’s reputation, business functions, company relationships, and employee morale.
Read ahead for a few reasons you will definitely want to consider creating a cybersecurity strategy for your CRE firm.
Loss of Money
The annual cost of data breaches through cybercrime is expected to reach $6 trillion globally by 2021, according to Cybercrime Magazine. The global average cost per incident now stands at $3.6 million, but the cost is higher in the US, at $7.3 million. On average, it costs $21,155 per day to resolve a cyber attack (but only $38 per hour to launch!). Depending on the situation, these costs could include fines from a variety of regulatory agencies, compensation and settlements to victims, legal fees, investment in new security technologies, and investment in cybersecurity training for employees, not to mention the costs associated with lost business.
Loss of Reputation
Commercial real estate is an industry built on trust and relationships. A cyber attack can break that bond and cause long-term uncertainty among potential investors, affecting the potential to conduct business with both current and future investors. Reputation is also hard to restore once a firm’s image has been tarnished. Brand is one of the hardest assets to repair, and 76% of US consumers would move away from companies with a high record of data breaches.
Loss of Data
Data leakage or loss is the number one concern for firms and key decision makers, and information loss represents the largest cost component in a cyber attack, accounting for almost half of the costs. This worry is particularly valid, as 94% of companies that undergo a catastrophic data loss will be out of business within 2 years.
Business Disruption
Regardless of the extent or size of a cyber attack, it is sure to disrupt general business operations, which will affect your bottom line in the long run. Business disruption accounts for almost 40% of the costs of a cyber attack, which includes costs associated with broken business processes and lost employee productivity. If an attack occurs during the busy season, the cost could affect over half of the company’s annual income. Further, it takes 191 days on average to identify a cyber crime and another 66 days to contain it – that’s several months of unproductive time.
What You Can Do: Managing and Mitigating Risk
When and if a cyber incident does occur, how you respond can go a long way in affecting costs. For example, Equifax failed to take appropriate action following their data breach, delaying disclosure, misdirecting potential victims, and failing to resolve vulnerabilities. Beyond the data that was initially stolen, these actions (or lack thereof) accrued more costs in the form of legal fees and settlements or compensation for the victims, and negatively impacted their brand reputation.
One in three business leaders rate cyber risk as the 2nd highest obstacle to company growth over the next three years, according to Deloitte. But we need to go beyond awareness and take action. One of the best ways to mitigate risk is to plan ahead, be able to recognize a threat, and have a strategy in place should one occur. As PwC says, “Getting the response right actually relies on a proactive effort: planning ahead, being aware of the risks, building the response structures, and exercising that capability”. Unfortunately, only 41% of firms believe they have the tools and resources to identify, analyze, and mitigate external threats.
Here are a few basic steps to get you started:
- Make preventing cyber risk a strategic issue. Decide who is responsible for the initiative and who will own it should a cyber attack occur. Also identify which specific resources and assets you need to protect.
- Establish policies and procedures. Develop a plan for preventing risk, as well as for mitigating risk in the event of a cyber threat. Who do you need to alert? What steps need to be taken to resolve the issue? Which processes need to be updated or adjusted? What external communications are necessary?
- Educate and train the team. Make sure your employees understand what cyber threats and attacks actually are and what activities constitute cyber risk. Can they recognize signs of social engineering? Do they know how to prevent attacks? Do they know who to report any issues or concerns to? Remember – not all cyber threats are intentional or external!
- Evaluate partners and vendors. These people and organizations may have access to your company’s sensitive information. You want to partner with vendors who are as concerned about data security as you are. Make sure that they have their own policies and procedures in place to prevent cyber threats.
Taking these steps is not only a good preventative measure but also helps the company react more effectively if a cyber event does occur. Having the right plan in place can reduce the amount of downtime, as well as decrease the cost of the incident by up to $19 per record.