The economics of IT risk and reputation


Global Technology Services
Research Report
Risk Management

The economics of IT risk and reputation
What business continuity and IT security really mean to your organization

Findings from the IBM Global Study on the Economic Impact of IT Risk

About the study

The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study, a follow-on to the 2013 IBM Reputational Risk and IT Study, was sponsored by IBM and independently conducted by Ponemon Institute in July. Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries.

Most of the combined group of 2,316 respondents are in the IT organization and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organizations with more than 5,000 full-time equivalent employees.

Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar, with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups.
Location (37 countries): North America 49% (1,125); Europe/Middle East 26% (597); Asia Pacific 15% (353); Latin America 10% (241).

Company sizes: Less than 500, 8%; 500 to 1,000, 15%; 1,001 to 5,000, 23%; 5,001 to 10,000, 25%; 10,001 to 25,000, 15%; 25,001 to 75,000, 9%; More than 75,000, 4%.

Industries: Banking 19%; Public sector 14%; Healthcare 11%; Retail 10%; Industrial 9%; IT and technology 9%; Consumer goods 7%; Energy and utilities 5%; All others 16%.

Job titles: Manager 31%; Director 24%; Supervisor 19%; C-level executive 11%; Staff/technician 10%; Administrative 2%; Contractor 2%.

The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world.

Contents

Introduction
Quantifying the economic impact of disruptions to business and IT operations
The reputational risk and IT connection
Understanding the threat landscape
Building the case for business continuity and IT security investments
Barriers to success
Conclusion and observations

WHAT WOULD YOU DO?
"If reputation and brand are important, make IT risk management a priority."
Business continuity management supervisor, French consumer products company

Introduction

When the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly.

In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organization. Such risks include human error, system failures, security breaches and disruptions to data center operations such as power failures and natural disasters.

Understanding the financial consequences of a disruption can be valuable in determining the resources that should be invested in preventing or minimizing such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities.

In this study, we measure the financial consequences or total cost resulting from an organization's inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences (the cost of damage to a company's image or brand value) as a result of poor controls, failed processes, IT downtime, data theft and compliance violations.

The voice of business continuity and IT security

In this survey we asked two optional open-ended questions: "What steps should your organization or industry take to reduce risks to your organization posed by IT operations?" and "Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organization?" The responses we received were thoughtful and thought-provoking, and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: "What would you do?" and "Where is the risk?"

Quantifying the economic impact of disruptions to business and IT operations

A very important objective of this research is to determine the cost to organizations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial.

Duration. Minor, moderate and substantial disruptions are classified according to the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be minutes or almost a full eight-hour day of down or idle time. However, some expect that substantial disruptions could last more than two days.

Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organizations are three times more likely to experience a minor incident than a substantial incident.

Cost. Respondents were asked to consider all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities for six cost categories:

Cost of users' idle time and lost productivity because of downtime or system performance delays
Cost of forensics to determine the root causes of disruptions or compromise
Cost of technical support to restore systems to an operational state
Cost associated with reputation and brand damage
Revenues lost because of system availability problems
Cost associated with compliance or regulatory failure

Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per-minute cost of substantial disruptions (US$53,223 versus US$32,229), reflecting that the costs for users' idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5).

Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above. From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss.

It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organization over time.

Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions (minor: 19.7).

Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months (minor: 69%; moderate: 37%; substantial: 23%).

Figure 3. Estimated average cost per minute of disruption (down or idle time): minor $53,210; moderate $38,065; substantial $32,229.

Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months: minor $1,046,454; moderate $4,257,357; substantial $14,255,468.

The reputational risk and IT connection

If there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarizes the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations.

The top three costs for all three levels of disruptions (combined) are (1) cost of users' idle time, (2) cost of forensics and (3) cost of technical support. It is interesting to note that while leadership is believed to be most concerned about revenue loss because of system availability problems, it ranks near the bottom of allocated cost in the eyes of IT professionals.

WHAT WOULD YOU DO?
"We should change orientation from reactive to proactive and have a more mature risk management strategy in place."
IT security director, German technology company

Figure 5. Allocation of total costs. For each of the three levels of disruption (minor, moderate and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories: cost of users' idle time and lost productivity because of downtime or system performance delays; cost of forensics to determine the root causes of disruptions; cost of technical support to restore systems to an operational state; cost associated with reputation and brand damage; revenues lost because of system availability problems; cost associated with compliance or regulatory failure.

Drawing from the minor, moderate and substantial cost allocations indicated previously, we estimate the reputation and brand-related damages that result from all three levels of disruption. Figure 6 shows that reputational cost associated with substantial disruption is almost US$5.3 million. In contrast, reputational costs associated with minor disruptions are relatively negligible.

Figure 6. Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months: minor $20,929; moderate $468,309; substantial $5,274,523.

Reputational threats: perception versus reality

Not so clear cut is the source of IT threats to reputation. We asked recipients to rank seven common threats in terms of reputational impact on their organizations. As Figure 7 shows, data breach and disaster top the rankings of threats respondents think pose the greatest reputational risk, with IT system failure placing third and human error sixth.

Figure 7. Common threats ranked in terms of reputational impact, in ranked order: data breach/data theft (5.5); natural or manmade disasters; IT system failure; data loss (backup/restore failure); cyber security breach/advanced persistent threats; human error; third-party partner security breach or system failure.

WHAT WOULD YOU DO?
"Develop a coherent strategy that aligns information risk with enterprise risk."
Business continuity director, Canadian financial services company

When respondents were asked whether their organizations had actually experienced damages to reputation or brand value and from what cause, the threat ranking is quite different. As Figure 8 shows, the most significant threats to reputation based on experience over the last two years are incidents that involve IT system failures and human errors, followed by cyber security breaches. Natural or manmade disasters are far less likely to cause reputation or brand damages.

Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of yes response). Categories: IT system failure; human error; cyber security breach; data loss from failed backup/restore; natural or manmade disasters; third-party security breach or IT system failure.

Understanding the threat landscape

Our survey also probed the threat landscape more broadly to determine how closely what IT practitioners think will happen matches their actual experience. Overall, respondent perceptions about the likelihood of threats occurring are largely consistent with reported instances of events, with human error taking the top spot in terms of likelihood, number of disruptions experienced and projected financial impact.

Figure 9 shows how respondents ranked seven common threats in terms of the likelihood of occurrence in their organizations. While these business continuity and IT security professionals rank human error as the leading potential threat, IT system failure, data breach and third-party partner security breach or system failure are almost equal leading contenders.

Figure 9. Common threats ranked in terms of likelihood of occurrence, in ranked order: human error; IT system failure; data breach/data theft; third-party partner security breach or system failure; cyber security breach/advanced persistent threats; data loss (backup/restore failure); natural or manmade disasters.

Overall, IT professionals are very accurate when it comes to understanding the general threat landscape. According to Figure 10, respondents report that in the past two years they have experienced on average more than nine business disruptions due to human error, coinciding with the ranking of the leading perceived threat to business and IT operations and IT security. In fact, actual occurrence of incidents caused by human error far exceeds projections. Data loss due to failed backup/restore is also more common than projected and is slightly ahead of cyber security breaches.

Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats. Categories: human error; IT system failure; third-party partner security breach or system failure; data loss from failed backup/restore; cyber security breach; natural or manmade disasters.

When evaluating threats in terms of potential economic impact on an organization, Figure 11 shows that respondents are consistent in their ranking of human error as the leading threat. However, participants believe cyber security breaches and data theft pose a much greater risk of economic impact than reputational impact (see also Figure 7).

Figure 11. Common threats ranked in terms of economic impact, in ranked order: human error; cyber security breach/advanced persistent threats; data breach/data theft; data loss (backup/restore failure); IT system failure; third-party partner security breach or system failure; natural or manmade disasters.

The role of third-party partners: a closer look

Just how much of a threat do vendors and third parties pose to respondents' companies? According to 41 (21+20) percent of respondents (Figure 12), vendor-related mishaps represent a main source of disruption to business and IT operations experienced over the past 24 months.

Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months. Response bands: zero; <25%; 26 to 50%; 51 to 75%; 76 to 100%.

One reason may be standards. According to Figure 13, not all vendors and other third parties are required to comply with the same business continuity and IT security requirements that respondents' companies adhere to. Thirty-one percent of respondents say their companies do not require vendors and other third parties to comply with their business continuity requirements, and 40 percent say their companies do not require partner compliance with their own IT security standards.

Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organization?
Business continuity requirements: Yes 58%; No 31%; Unsure 11%.
IT security requirements: Yes 42%; No 40%; Unsure 17%.

Building the case for business continuity and IT security investments

Business continuity and IT security professionals strongly believe that their disciplines play an important role in their organizations' success. Figure 14 reveals an unanticipated finding of this research: fully 89 percent of respondents say that protecting intellectual property is a very important objective of their IT role. We believe this reflects the increasingly digital nature of intellectual property itself and the vulnerability of intellectual property to cyber attack or loss due to IT failures.

Maximizing employee productivity (72 percent), minimizing regulatory or legal non-compliance (70 percent) and enhancing brand value and reputation round out the top four very important objectives advanced by business continuity and IT security activities. Based on previous IBM studies, the fact that in 2013 fully 65 percent of respondents rate enhancing brand value as very important confirms that recognition of the relationship between IT risk and reputation risk is continuing to grow among IT professionals.

WHERE IS THE RISK?
"What frightens me is the increased use of social media that can expose corporate IP and damage reputations."
IT security supervisor, United States professional services company

Figure 14. Business objectives advanced by business continuity and IT security management activities: protecting intellectual property 89%; maximizing employee productivity 72%; minimizing non-compliance with laws 70%; enhancing brand value and reputation 65%. Other objectives charted: expanding into new global markets; minimizing customer defection; maximizing customer acquisition; increasing revenues and positive cash flow.

The potential damage to reputation and brand value is also now recognized as an incentive for organizations to fund business continuity and IT security programs. Figure 15 reveals that preventing productivity losses, system downtime, compliance failures and reputation damages are the factors that contribute most to securing budget commitments.

Figure 15. Factors that contribute the most to securing budget commitments for business continuity and IT security. Categories: productivity loss; system or application downtime; compliance/regulatory failure; reputation damage; information loss or theft; performance degradation.

WHERE IS THE RISK?
"Elevating IT risk management issues requires C-suite support, and this is difficult to accomplish."
IT security manager, Argentinean services company

While respondents recognize the importance of minimizing IT risks because of potential threats to reputation and brand, they don't believe their leaders hold that same perception. Figure 16 reports only 32 percent of respondents say their company's leaders recognize that IT risks affect brand image and 35 percent say it impacts reputation. Half (50 percent) of respondents believe their organization's leaders do not recognize that IT risks affect revenues.

Figure 16. Do organizational leaders recognize the economic and reputational impact of disruption to business and IT operations? (strongly agree and agree responses combined): leaders recognize that IT risks affect revenues 50%; leaders recognize that IT risks affect reputation 35%; leaders recognize that IT risks affect brand image 32%.

Barriers to success

Respondents say that the most significant barriers to achieving highly effective business continuity and IT security management programs are funding deficits, emergence of disruptive technologies, lack of knowledgeable staff and business process complexity (Figure 17).

Figure 17. Barriers to achieving a highly effective business continuity or IT security program. Categories: lack of funding; disruptive technologies (mobility, cloud); lack of expert or knowledgeable staff; complexity of business processes; insufficient planning and preparedness (17%); silos and turf thinking (17%).

While planning, preparedness, silos and territorial thinking were only cited by 17 percent of respondents, answers to two other questions suggest that these factors may indeed play a stronger role in the success or failure of business continuity and IT security programs. According to Figure 18, a majority of respondents state their companies do not have a formal strategy for business continuity or IT security management across the enterprise (and this impacts the effectiveness of these IT operations).

Figure 18. Organizational approach to business continuity and IT security strategy. Categories: formal strategy applied consistently; formal strategy, but not applied consistently; informal or "ad hoc" strategy; we don't have a strategy.

The results summarized in Figure 19 indicate respondents are unable to achieve a high level of collaboration. The fact that 44 percent believe collaboration between their function and other business or IT functions is either poor or non-existent suggests that silos and turf thinking play a stronger role in hindering success than IT professionals are willing to recognize.

Figure 19. Degree of collaboration between business continuity, IT security and other business or IT functions. Categories: collaboration is excellent; collaboration is adequate, but can be improved; collaboration is poor or non-existent (44%); cannot determine.

Our research findings also suggest that there is no clear best practice when it comes to overall responsibility for preventing disruptions to IT operations. The most likely candidate, the chief information officer (CIO), was named by only 28 percent of the respondents (Figure 20). The next largest segment, business unit leader, is outside of the IT organization altogether, and the third-ranked choice is "no one person" at 11 percent. This fragmentation of responsibility may also be a barrier to success.

Figure 20. Ownership of overall responsibility for directing efforts to ensure that IT operations are not disrupted: chief information officer (CIO) 28%; business unit leader 20%; no one person has overall responsibility 11%; data center manager 10%; chief information security officer (CISO) 5%. Also charted: business continuity manager; disaster recovery manager.

Conclusion and observations

The economic impact of business continuity and IT security failures can be significant, ranging on average from US$1 million for a minor disruption lasting 20 minutes to more than US$14M for a substantial disruption lasting close to 8 hours. Minor disruptions are more likely to happen than substantial ones, yet the price tag for even a single minor event is liable to outweigh the cost of prevention.

Business continuity and IT security professionals recognize that the costs associated with reputation and brand damage resulting from substantial events are also significant. On average, they estimate that reputation-related costs alone will exceed US$5 million over the next 24 months.

While 65 percent of survey respondents think business continuity and IT security management can enhance brand value and reputation, less than 35 percent think that upper management shares this view. This means business continuity and IT security professionals need to build a stronger business case for investments in IT controls that can help prevent downtime, data loss, cyber security breaches and the resulting loss of productivity and damage to reputation.

One place to start is with a rigorous assessment of the actual root causes at work in the organization, then connecting spend with potential financial consequences that can be averted. This approach can provide a foundation for establishing business-related metrics to measure effectiveness and provide further budget justification.

Putting IT risk prevention into the business language of cost-benefit analysis can not only help elevate the discussion but also help educate leadership on the sources of risk. This is particularly important given that the greatest single cause of both disruption and economic impact is human error, which is not an issue that IT alone can address. While IT can invest in processes such as change management or automated data backup that can help reduce the opportunity for human error, educating end users and developing a security-aware and -compliant culture requires an enterprise-wide effort with top-down leadership.

For more information

To learn more about how IBM can help you protect your organization's reputation by strengthening IT risk management, contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/services/riskstudy

Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of business continuity management, IT and IT security practitioners in numerous countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are business continuity management, IT or IT security practitioners within the sample of countries selected.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, including sanity checks, there is always the possibility that some responders did not provide truthful responses.

Copyright IBM Corporation 2013

IBM Corporation
IBM Global Technology Services
Route 100
Somers, NY

Produced in the United States of America
September 2013

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

The content in this document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

RLW03022-USEN-00


More information

2012 Application Security Gap Study: A Survey of IT Security & Developers

2012 Application Security Gap Study: A Survey of IT Security & Developers 2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part

More information

2015 Global Study on IT Security Spending & Investments

2015 Global Study on IT Security Spending & Investments 2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon

More information

The Importance of Senior Executive Involvement in Breach Response

The Importance of Senior Executive Involvement in Breach Response The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance

More information

Data Security in Development & Testing

Data Security in Development & Testing Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication

More information

The Unintentional Insider Risk in United States and German Organizations

The Unintentional Insider Risk in United States and German Organizations The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction

More information

The Cost of Web Application Attacks

The Cost of Web Application Attacks The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April

More information

National Survey on Data Center Outages

National Survey on Data Center Outages National Survey on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary National Survey on Data Center Outages Ponemon Institute,

More information

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

A Study of Retail Banks & DDoS Attacks

A Study of Retail Banks & DDoS Attacks A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of

More information

The SQL Injection Threat Study

The SQL Injection Threat Study The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April

More information

The State of Data Centric Security

The State of Data Centric Security The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to

More information

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION 2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION April 2014 Sponsored by: 2014 Network Security & Cyber Risk Management:

More information

IBM QRadar Security Intelligence: Evidence of Value

IBM QRadar Security Intelligence: Evidence of Value IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:

More information

Defining the Gap: The Cybersecurity Governance Study

Defining the Gap: The Cybersecurity Governance Study Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining

More information

Privileged User Abuse & The Insider Threat

Privileged User Abuse & The Insider Threat Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014 1 Privileged User Abuse & The Insider Threat Ponemon

More information

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction

More information

State of SMB Cyber Security Readiness: UK Study

State of SMB Cyber Security Readiness: UK Study State of SMB Cyber Security Readiness: UK Study Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

2013 Cost of Data Center Outages

2013 Cost of Data Center Outages 2013 Cost of Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Part 1. Executive Summary 2013 Cost of Data Center Outages Ponemon Institute, December

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

Business resilience: The best defense is a good offense

Business resilience: The best defense is a good offense IBM Business Continuity and Resiliency Services January 2009 Business resilience: The best defense is a good offense Develop a best practices strategy using a tiered approach Page 2 Contents 2 Introduction

More information

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Visualize current and potential network traffic patterns

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013 The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz [email protected] IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Supporting information technology risk management

Supporting information technology risk management IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management

More information

Insights into Enterprise Telecom Expense Management

Insights into Enterprise Telecom Expense Management IBM Software Industry Solutions Telecom Expense Management Insights into Enterprise Telecom Expense Management Trends and Best Practices Insights into Enterprise Telecom Expense Management Introduction

More information

IBM Rational systems and software solutions for the medical device industry

IBM Rational systems and software solutions for the medical device industry IBM Software August 2011 IBM Rational systems and software solutions for the medical device industry Improve processes, manage IEC 61508 and IEC 62304 standards, develop quality products Highlights Manage

More information

The State of Mobile Application Insecurity

The State of Mobile Application Insecurity The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State

More information

Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives.

Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives. Security solutions To support your business objectives Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives. For an On Demand Business, security

More information

Automating incentive compensation for increased productivity and cost reduction

Automating incentive compensation for increased productivity and cost reduction IBM Software Business Analytics Sales Performance Management Automating incentive compensation for increased productivity and cost reduction Automating incentive compensation for increased productivity

More information

The TCO of Software vs. Hardware-based Full Disk Encryption Summary

The TCO of Software vs. Hardware-based Full Disk Encryption Summary The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report

More information

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research

More information

Optimizing government and insurance claims management with IBM Case Manager

Optimizing government and insurance claims management with IBM Case Manager Enterprise Content Management Optimizing government and insurance claims management with IBM Case Manager Apply advanced case management capabilities from IBM to help ensure successful outcomes Highlights

More information

2014 Cost of Data Breach Study: Global Analysis

2014 Cost of Data Breach Study: Global Analysis 2014 Cost of Data Breach Study: Global Analysis Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2014 Ponemon Institute Research Report Part 1. Introduction 2014

More information

How Boards of Directors Really Feel About Cyber Security Reports. Based on an Osterman Research survey

How Boards of Directors Really Feel About Cyber Security Reports. Based on an Osterman Research survey How Boards of Directors Really Feel About Cyber Security Reports Based on an Osterman Research survey Executive Summary 89% of board members said they are very involved in making cyber risk decisions Bay

More information

Security of Cloud Computing Users Study

Security of Cloud Computing Users Study Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part

More information

The State of USB Drive Security

The State of USB Drive Security The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research

More information

Information Security Managing The Risk

Information Security Managing The Risk Information Technology Capability Maturity Model Information Security Managing The Risk Introduction Information Security continues to be business critical and is increasingly complex to manage for the

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

IBM Tivoli Netcool network management solutions for enterprise

IBM Tivoli Netcool network management solutions for enterprise IBM Netcool network management solutions for enterprise The big picture view that focuses on optimizing complex enterprise environments Highlights Enhance network functions in support of business goals

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat

More information

Gaining the upper hand in today s cyber security battle

Gaining the upper hand in today s cyber security battle IBM Global Technology Services Managed Security Services Gaining the upper hand in today s cyber security battle How threat intelligence can help you stop attackers in their tracks 2 Gaining the upper

More information

Cyber Security: Confronting the Threat

Cyber Security: Confronting the Threat 09 Cyber Security: Confronting the Threat Cyber Security: Confronting the Threat 09 In Short Cyber Threat Awareness and Preparedness Active Testing Likelihood of Attack Privacy Breaches 9% 67% Only 9%

More information

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb? Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report Corporate

More information

The case for cloud-based disaster recovery

The case for cloud-based disaster recovery IBM Global Technology Services IBM SmartCloud IBM SmartCloud Virtualized Server Recovery i The case for cloud-based disaster recovery Cloud technologies help meet the need for quicker restoration of service

More information

Breaking Bad: The Risk of Insecure File Sharing

Breaking Bad: The Risk of Insecure File Sharing Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The

More information

The Role of Governance, Risk Management & Compliance in Organizations

The Role of Governance, Risk Management & Compliance in Organizations The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Cloud Security: Getting It Right

Cloud Security: Getting It Right Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon

More information

First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies

First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies Sponsored by ArcSight Independently conducted by Ponemon Institute LLC Publication Date: July 2010 Ponemon Institute Research Report

More information

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES APICS INSIGHTS AND INNOVATIONS ABOUT THIS REPORT This report examines the role that supply chain risk management plays in organizations

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Securing and protecting the organization s most sensitive data

Securing and protecting the organization s most sensitive data Securing and protecting the organization s most sensitive data A comprehensive solution using IBM InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption to provide layered

More information

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet IBM PowerSC Security and compliance solution designed to protect virtualized datacenters Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance

More information