According to the 2017 Ponemon Institute Study, the average cost of a data breach for an organization in the United States is $7.3 million, or $225.00 per compromised record. How much could a breach cost your organization?
The days when cyber criminals only targeted financial institutions and healthcare organizations are history. To cyber thieves, every business – large and small – is now a bank, a treasure trove of personal information, or a gateway into other organizations they want to damage. The breakneck speed of technological change in the digital world means that cyber criminals no longer need to rationalize their resources, since their techniques and schemes are scalable like never before. In the current digital risk landscape, cyberthreats are like water, taking the path of least resistance and damaging those organizations that lack effective data breach response plans, effective internal controls, adhered-to policies and procedures, fraud awareness and prevention training, and other proven cyber security measures.
For more than a decade, clients have turned to InTune Business Advisors LLC for fraud prevention and investigation. InTune Cyber Security Services are a natural extension of our proven anti-fraud services. We bring our compliance, forensic accounting, and process improvement expertise to teams of IT security specialists, attorneys, crisis managers, law enforcement representatives, and other professionals. The complexity of cyber security demands a holistic approach among all three domains – prevention, detection, and mitigation. As CPAs and CFEs, our role in each is very specific.
Systems only work when we human beings obey the rules of engagement with those systems and processes. You have cyber security policies and procedures in place. How do you know they’re being followed? Did you know that six months before its mega breach, Target installed a $1.6 million malware detection system that worked exactly as planned when intruders began stealing PII? However, the company’s security staff ignored the automatic warnings from the system (Fraud Magazine, November/December 2015). A robust plan and the best of intentions mean nothing if that plan is not implemented and continuously tested for vulnerabilities. Many cyber breaches and intrusions can only be successful if someone – a human being – takes an action they should not have taken or fails to take an action they should have taken. Our audits are designed to test for both of these situations, so that you know where the human gaps are – gaps that we can help you fix.
“We’ve always done it this way.” That’s the answer to an old joke about the scariest six words in business. But it’s no laughing matter if those broken processes are the root cause of a successful cyberattack. When you get that answer, you’ve got a problem. And solving that problem begins with understanding how your people do what they do in the targeted area. As Lean/Six Sigma Black Belts, we are experts in process mapping, statistical analysis and change management. For example, do the reports generated contain the right information? Do the right people see that information in a timely manner to respond? Are team members held accountable if they fail to review such information? These and other questions are what we answer with our process mapping and analysis expertise. When combined with our domain knowledge in Sarbanes-Oxley Section 404 compliance, we deliver tailored solutions that meet your cyber security needs.
According to the Ponemon Institute, having an incident response team with a robust plan can reduce the cost per compromised record by nearly twelve percent. Count on InTune Business Advisors to be a valuable member of your incident response team. Our fraud investigation expertise provides the critical link among IT security professionals, your legal team, and law enforcement.
In addition, we help streamline the customer notification process by creating a contact database of affected customers and monitoring communications to ensure timely and accurate notification. Too often, victim organizations rush to notify as many customers as they can, which increases costs, not only in terms of communication, but also in terms of excess identity theft protection costs. Moreover, costly additional communications rescinding notifications to non-affected customers raise otherwise avoidable legal issues and can further damage brand credibility.
We have direct and relevant experience converting data from disparate sources into timely and accurate reports that meet deadlines. For example, we helped manage a corporate integrity agreement with the HHS OIG for a multi-national corporation. That program outlined specific data and reporting requirements that the client could not readily meet, given that data was housed in different systems and in different formats. We worked with business unit leaders and IT staff to identify data locations, design datasets and queries, and create business rules for routine updates and downloads. We created comprehensive reporting databases and worked with the general counsel and internal compliance attorneys to ensure timely and accurate reporting.
Our compliance-driven data mining, analysis and reporting skills apply directly to data breach response plans. We address the issues of identifying affected customers, carving out relevant subsets of data, and coordinating with counsel and the communications team for timely and accurate notifications that meet the requirements of ever-changing cyber security laws.
Damage Calculations and Cost Recovery
Our forensic accountants provide a valuable service by quantifying, classifying, and validating all breach notification, investigation, mitigation, and business interruption costs of a data breach, which is necessary for recovery under cyber and other insurance policies.
Get InTune to Strengthen the Human Element of Your Cyber Security
HIPAA regulations mandate that organizations protect their information with technology, physical security, and functional controls. Our decades of auditing and fraud examination experience are the hallmark of our risk assessments, compliance programs and audits, and education of senior leadership on how fraud prevention and awareness programs can strengthen the human layer of cyber security.