The new information economy makes cybersecurity a must for credit unions

Protecting Intellectual Property, organizational data and other intangible assets in the smartest way is becoming more crucial. The continuing transformation to a knowledge-based economy means that IP and other intangibles assets are an essential source of growth and can comprise the great majority of a company’s value. McKinsey Global Institute projects information related growth in global GDP at $9 to $21 trillion over the next five to seven years, representing about a 10 to 20% increase over current levels. Moreover, intangible assets comprise 84% of the value of the S&P 500 according to recent studies. A robust cybersecurity environment is a prerequisite for economic growth, particularly when the drivers are information related. Regardless of your organization’s industry or size, information assets must be protected from intrusion, theft and loss of confidentiality.

Data breaches are all too common, however. In the U.S. for the first half of 2015, Identity Theft Resource Center recorded 400 incidents in its Breach Report with 118 million records confirmed to be at risk. Organizations of all sizes and even the U.S. Government were affected. The breach at health insurer Anthem compromised 80 million records and cost $100 million. The attack at the U.S. Office of Personnel Management affected about 25 million employees and is being remediated through a $133 million contract to notify the victims — some were NCUA employees.

What should your organization do to tackle this constant threat? Your board’s oversight, management’s leadership and your employees’ engagement will make the difference in addressing the issue.

In any current enterprise risk management program, boards and senior management must take a holistic view, working to protect all forms of data and intellectual property. Data breaches can be devastating to customer confidence, extremely costly to remedy and create havoc with your organization’s reputation. Directors in their oversight role must make certain that management establishes an enterprise-wide cyber-risk management structure with adequate staffing and budget. Total data protection, however, is an impossible objective. Management, therefore, must identify those risks to avoid, accept, mitigate or lay-off through insurance. Security strategy begins with identifying those assets that, if compromised, would cause the greatest harm to the organization. Management next prioritizes information assets by associated business risk and allocates resources accordingly. Levels of preparedness and corresponding costs align with the risk the organization can appropriately take. Every decision involving technology needs to be made with an awareness of the security implications.

An ERM plan for cybersecurity, however, is not enough. Data protection must be driven from the top and must involve the whole organization. Cybersecurity is not just an IT problem; it must become a priority for everyone. Management must clearly and consistently communicate the data protection strategy throughout all levels of the organization. A strong communications program complements strong technological security. This commitment to security translates into specific policies and procedures that employees must learn and follow. By design, this approach heightens the urgency to address cyber-risk, creating a mindset of data protection that infuses the organizational culture. Data security becomes part of the company’s brand, as data protection protects the reputation of the organization.