The economics of IT risk and reputation

November 18, 2016 | Author: Alfred Mathews | Category: N/A

Global Technology Services Research Report

The economics of IT risk and reputation
What business continuity and IT security really mean to your organization

Findings from the IBM Global Study on the Economic Impact of IT Risk

Risk Management

About the study

The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study—a follow-on to the 2013 IBM Reputational Risk and IT Study—was sponsored by IBM and independently conducted by Ponemon Institute® in July 2013. Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organization and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organizations with more than 5,000 full-time equivalent employees. Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups.

Location (37 countries)
• North America 49% (1,125 respondents)
• Europe/Middle East 26% (597)
• Asia Pacific 15% (353)
• Latin America 10% (241)

Company sizes (full-time equivalent employees)
• Less than 500: 8%
• 500 to 1,000: 15%
• 1,001 to 5,000: 23%
• 5,001 to 10,000: 25%
• 10,001 to 25,000: 15%
• 25,001 to 75,000: 9%
• More than 75,000: 4%

Industries
• Banking 19%
• Public sector 14%
• Healthcare 11%
• Retail 10%
• Industrial 9%
• IT and technology 9%
• Consumer goods 7%
• Energy and utilities 5%
• All others 16%

Job titles
• Manager 31%
• Director 24%
• Supervisor 19%
• C-level executive 11%
• Staff/technician 10%
• Contractor 2%
• Administrative 2%

The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world.


Contents
3 Introduction
4 Quantifying the economic impact of disruptions to business and IT operations
6 The reputational risk and IT connection
8 Understanding the threat landscape
11 Building the case for business continuity and IT security investments
13 Barriers to success
15 Conclusion and observations

WHAT WOULD YOU DO?

If reputation and brand are important, make IT risk management a priority. – Business continuity management supervisor, French consumer products company

Introduction

When the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly. In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organization. Such risks include human error, system failures, security breaches and disruptions to data center operations such as power failures and natural disasters.


Understanding the financial consequences of a disruption can be valuable in determining the resources that should be invested in preventing or minimizing such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities. In this study, we measure the financial consequences or “total cost” resulting from an organization’s inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences—the cost of damage to a company’s image or brand value as a result of poor controls, failed processes, IT downtime, data theft and compliance violations.

The voice of business continuity and IT security

In this survey we asked two optional open-ended questions: “What steps should your organization or industry take to reduce risks to your organization posed by IT operations?” and “Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organization?” The responses we received were thoughtful and thought-provoking—and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: “What would you do?” and “Where is the risk?”


Quantifying the economic impact of disruptions to business and IT operations

A very important objective of this research is to determine the cost to organizations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial.

Duration. Minor, moderate and substantial disruptions are classified according to the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be 442.3 minutes or almost a full eight-hour day of down or idle time. However, some expect that substantial disruptions could last more than two days.

Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organizations are three times more likely to experience a minor incident than a substantial incident.

Cost. Respondents were asked to consider all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities for six cost categories:
• Cost of users’ idle time and lost productivity because of downtime or system performance delays
• Cost of forensics to determine the root causes of disruptions or compromise
• Cost of technical support to restore systems to an operational state
• Cost associated with reputation and brand damage
• Revenues lost because of system availability problems
• Cost associated with compliance or regulatory failure

Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per minute cost of substantial disruptions (US$53,223 versus US$32,229)—reflecting that the costs for users’ idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5). Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above. From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss. It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organization over time.


[Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions: minor 19.7; moderate 111.8; substantial 442.3]

[Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months: minor 69%; moderate 37%; substantial 23%]

[Figure 3. Estimated average cost per minute of disruption (down or idle time): minor $53,210; moderate $38,065; substantial $32,229]

[Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months: minor $1,046,454; moderate $4,257,357; substantial $14,255,468]


The reputational risk and IT connection

If there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarizes the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations.

The top three costs for all three levels of disruptions (combined) are (1) cost of users’ idle time, (2) cost of forensics and (3) cost of technical support. It is interesting to note that while leadership is believed to be most concerned about revenue loss because of system availability problems, it ranks near the bottom of allocated cost in the eyes of IT professionals.

WHAT WOULD YOU DO?

“We should change orientation from reactive to proactive and have a more mature risk management strategy in place.” – IT security director, German technology company

[Figure 5. Allocation of total costs for minor, moderate and substantial disruptions across six cost categories: cost of users' idle time and lost productivity because of downtime or system performance delays; cost of forensics to determine the root causes of disruptions; cost of technical support to restore systems to an operational state; cost associated with reputation and brand damage; revenues lost because of system availability problems; cost associated with compliance or regulatory failure. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories.]


Drawing from the minor, moderate and substantial cost allocations indicated previously, we estimate the reputation and brand-related damages that result from all three levels of disruption. Figure 6 shows that reputational cost associated with substantial disruption is almost US$5.3 million. In contrast, reputational costs associated with minor disruptions are relatively negligible.
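The following Python model is an added example and is not part of the IBM/Ponemon report. It encodes the report's per-class figures (duration from Figure 1, likelihood from Figure 2, cost per minute from Figure 3, total cost from Figure 4 and the reputation share from Figure 5) and shows how the reputation-related costs in Figure 6 follow from total cost multiplied by the reputation share, and how duration multiplied by cost per minute reconciles with the reported totals. The likelihood-weighted exposure at the end is this example's own extension, not a number the report presents, and it assumes a single event of average cost.

```python
"""Cost model for the disruption classes in the IBM/Ponemon report.

Added example: the numbers are transcribed from the report's figures; the
model itself (and the expected_exposure extension) is not the report's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DisruptionClass:
    name: str
    avg_minutes: float       # Figure 1: average down or idle time
    cost_per_minute: float   # Figure 3: US$ per minute
    total_cost: float        # Figure 4: US$ per disruption
    reputation_points: int   # Figure 5: points (of 100) for reputation/brand damage
    likelihood: float        # Figure 2: probability of one or more events in 24 months


# Values transcribed from the report's figures.
REPORT = (
    DisruptionClass("minor",        19.7, 53_210,  1_046_454,  2, 0.69),
    DisruptionClass("moderate",    111.8, 38_065,  4_257_357, 11, 0.37),
    DisruptionClass("substantial", 442.3, 32_229, 14_255_468, 37, 0.23),
)


def cost_from_duration(dc: DisruptionClass) -> float:
    """Total cost implied by duration x cost per minute (Figures 1 and 3)."""
    return dc.avg_minutes * dc.cost_per_minute


def reputation_cost(dc: DisruptionClass) -> int:
    """Reputation-related cost = total cost x reputation share (Figures 4 and 5).

    Rounded to whole dollars; this reproduces the Figure 6 values exactly.
    """
    return round(dc.total_cost * dc.reputation_points / 100)


def expected_exposure(dc: DisruptionClass) -> float:
    """Likelihood-weighted cost over 24 months (this example's own extension).

    Treats the Figure 2 percentage as the probability of at least one event and
    assumes one event of average cost, so it is a floor, not a loss estimate:
    the report notes that frequent minor incidents add up over time.
    """
    return dc.likelihood * dc.total_cost


def within(pct: float, a: float, b: float) -> bool:
    """True when a and b agree to within pct percent of the larger value."""
    return abs(a - b) <= pct / 100 * max(abs(a), abs(b))


def reconcile(classes=REPORT) -> list[dict]:
    """Cross-check the figures and derive the reputation cost per class."""
    rows = []
    for dc in classes:
        implied = cost_from_duration(dc)
        rows.append({
            "class": dc.name,
            "duration_x_rate": round(implied),
            "reported_total": dc.total_cost,
            # The report rounds minutes and per-minute costs, so allow 0.5%.
            "consistent": within(0.5, implied, dc.total_cost),
            "reputation_cost": reputation_cost(dc),
            "expected_exposure": round(expected_exposure(dc)),
        })
    return rows


if __name__ == "__main__":
    for row in reconcile():
        print(row)
```

Running the block shows that each class's duration-times-rate product lands within half a percent of the reported total, and that the reputation costs come out to $20,929, $468,309 and $5,274,523, matching Figure 6.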

[Figure 6. Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months: minor $20,929; moderate $468,309; substantial $5,274,523]

Reputational threats: perception versus reality

Not so clear cut is the source of IT threats to reputation. We asked respondents to rank seven common threats in terms of reputational impact on their organizations. As Figure 7 shows, data breach and disaster top the rankings of threats respondents think pose the greatest reputational risk, with IT system failure placing third and human error sixth.

[Figure 7. Common threats ranked in terms of reputational impact: data breach/data theft 5.5; natural or manmade disasters 5.2; IT system failure 4.3; data loss (backup/restore failure) 4.0; cyber security breach/advanced persistent threats 3.8; human error 2.6; third-party partner security breach or system failure 1.2]

WHAT WOULD YOU DO?

“Develop a coherent strategy that aligns information risk with enterprise risk.” – Business continuity director, Canadian financial services company


When respondents were asked whether their organizations had actually experienced damages to reputation or brand value and from what cause, the threat ranking is quite different. As Figure 8 shows, the most significant threats to reputation based on experience over the last two years are incidents that involve IT system failures and human errors, followed by cyber security breaches. Natural or manmade disasters are far less likely to cause reputation or brand damages.

[Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of “yes” response): IT system failure 66%; human error 57%; cyber security breach 46%; third-party security breach or IT system failure 39%; data loss from failed backup/restore 23%; natural or manmade disasters 19%]

Understanding the threat landscape

Our survey also probed the threat landscape more broadly to determine how closely what IT practitioners think will happen matches their actual experience. Overall, respondent perceptions about the likelihood of threats occurring are largely consistent with reported instances of events—with human error taking the top spot in terms of likelihood, number of disruptions experienced and projected financial impact. Figure 9 shows how respondents ranked seven common threats in terms of the likelihood of occurrence in their organizations. While these business continuity and IT security professionals rank human error as the leading potential threat, IT system failure, data breach and third-party partner security breach or system failure are almost equal leading contenders.

[Figure 9. Common threats ranked in terms of likelihood of occurrence: human error 5.6; IT system failure 5.2; data breach/data theft 5.0; third-party partner security breach or system failure 5.0; cyber security breach/advanced persistent threats 4.0; data loss (backup/restore failure) 2.3; natural or manmade disasters 0.0]


Overall, IT professionals are very accurate when it comes to understanding the general threat landscape. According to Figure 10, respondents report that in the past two years they have experienced on average more than nine business disruptions due to human error—coinciding with the ranking of the leading perceived threat to business and IT operations and IT security. In fact, actual occurrence of incidents caused by human error far exceeds projections. Data loss due to failed backup/restore is also more common than projected—and is slightly ahead of cyber security breaches.

When evaluating threats in terms of potential economic impact on an organization, Figure 11 shows that respondents are consistent in their ranking of human error as the leading threat. However, participants believe cyber security breaches and data theft pose a much greater risk of economic impact than reputational impact (see also Figure 7).

[Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats: human error 9.5; IT system failure 5.5; third-party partner security breach or system failure 5.4; data loss from failed backup/restore 4.5; cyber security breach 4.2; natural or manmade disasters]

[Figure 11. Common threats ranked in terms of economic impact: human error 4.7; cyber security breach/advanced persistent threats 3.9; data breach/data theft 3.8; IT system failure; third-party partner security breach or system failure; data loss (backup/restore failure); natural or manmade disasters]


The role of third-party partners: a closer look

Just how much of a threat do vendors and third parties pose to respondents’ companies? According to 41 (21+20) percent of respondents (Figure 12), vendor-related mishaps represent a main source of disruption to business and IT operations experienced over the past 24 months.

[Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months]

One reason may be standards. According to Figure 13, not all vendors and other third parties are required to comply with the same business continuity and IT security requirements that respondents’ companies adhere to. Thirty-one percent of respondents say their companies do not require vendors and other third parties to comply with their business continuity requirements, and 40 percent say their companies do not require partner compliance with their own IT security standards.

[Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organization?]
