As each new development in mobile technology, cloud computing and social media further reshapes the technology landscape, cyber security is becoming an increasingly complex challenge for organizations to manage.

What were sufficient computer security and data protection strategies only a few years ago – such as IT perimeter security, regular virus scans, and access management – are no longer enough. As organizations struggle to implement better security measures, many are falling victim to cyber attacks. A recent survey by the Ponemon Institute found that the number of successful attacks on organizations more than doubled between 2010 and 2012 and the financial impact of the attacks increased by almost 40 percent. Organizations also risk reputational damage as a result of a cyber attack if their customers, suppliers and others lose confidence in the organization's ability to ensure the security and confidentiality of information they have provided to it.

Today, organizations of all types and in all industries are potential victims of cyber attacks. Some attacks are aimed at committing financial fraud. In other cases, the motivation may be social or political, where "hacktivists" target organizations they believe take an unethical stance on certain issues. Regardless of the reasons, such attacks disrupt the normal course of business and cause significant financial and reputational harm. These attacks can also cause significant harm to the individuals whose information may be subject to the attack.

Cyber attacks can be launched by anyone from individual hackers, activist groups, and business or industry insiders to criminal networks and foreign governments. The nature of these attacks may include denial of service, defacing web sites or exposing personally identifiable information or other critical strategic business intelligence outside of the organization. What most of these attackers have in common is that they are well-organized and share both information and malicious software among themselves to help facilitate cyber attacks.

A growing number of cyber attacks target individuals, getting them to perform a specific action, such as clicking on a link or attachment, which provides the attacker with information or a point of entry into the organization's systems, or introduces malicious software into the organization's network. Preferred targets are senior executives who have access to strategic or highly confidential information and people with privileged access who know the passwords that attackers need to gain access to highly sensitive systems. Attackers often use social media to obtain information about their targets, building a profile on these individuals so that the attackers can create bogus messages that appear to be legitimate communications either from the organization or people known to the target.

Faced with well-funded, well-organized cyber attackers, organizations need to protect themselves by being proactive in gathering their own cyber intelligence. What an organization says about itself, the information that it makes available to its supply chain or other partners, and what it discloses to the public at large, may create a threat vector. Individual pieces of information may appear harmless, but collectively they could provide sufficient insights into the organization and its operations to be useful to a cyber attacker. This means organizations must also keep up to date on the threats faced by their industry, know what the underground community is saying specifically about their organization, and keep their exposure within acceptable limits.

An effective cyber security program should be overseen by the board of directors as part of its oversight of the organization's risk management activities. As with other risk programs, the board should set its expectations and accountability for management and ensure there are adequate resources, funding and focus for its cyber security activities.

Note: Ponemon Institute is a Michigan-based organization that conducts independent research on privacy, data protection, and information security policy.
