Preparing for cyberattacks is good business

Paul Kennedy, CISA, CISSP
Mark Spaak, CISSP


The 2021 data safety report by technology firm IBM and the Ponemon Institute, an organization seeking to advance responsible data use and privacy management, is eye-opening in both favorable and unfavorable ways.

On the positive side, fully deployed artificial intelligence (AI) solutions were shown to decrease data breach recovery costs by 56%. That piggybacks off the 2020 report, which showed clear value in implementing fundamental IT defenses like an incident response team, business continuity plans, encryption, and employee training, to name a few. Taken together, it’s clear a well-rounded, comprehensive IT defense program delivers organizational value.

The less favorable findings center on time and money lost. For instance, the average cost of a breach is $4.24 million, up 10% from 2020. Also, the average time to identify and contain a breach is 287 days. Once a breach is discovered, it generally takes 9-14 days to recover, which is significant downtime and potentially a lot of lost revenue, especially without cyber liability insurance protection.

Organizations should pay attention to these figures because 51% of respondents experienced a significant business disruption in the past two years because of a cybersecurity incident. So, statistically speaking, every four years an organization can expect to get hit with a cyber incident.

Thus, it’s best to be ready. The IBM/Ponemon report is another example of how proper IT defenses can shield an organization from bad actors, big recovery costs, lost productivity, and reputational harm.

Is your organization at risk?

The cost per record of breached data is up to $161, which is a 10.3% increase over last year. To estimate your organization’s potential exposure, here’s an equation:

Records stored × $161 = Organizational exposure

For most organizations, this math is unnerving. It takes just 6,212 records to top $1 million of exposure. And if any records contain personally identifiable information, the cost per record is $180.

Many organizations, especially small- and medium-sized businesses, don’t realize their vulnerability. And even if they do, it’s possible they lack the proper systems and expertise to protect the organization.

This often leaves organizations unprepared to handle cyberattacks. It’s why 71% of small- and medium-sized businesses hit by an attack or outage close their doors six months later. The costs are too high, whether from lost revenue, reputational damage, or an inability to remedy the issues brought on by the attack.

Foundational improvements

With cyberattacks more frequent, more costly, and harder to recover from, it takes comprehensive, proactive defenses to protect organizations. Obviously, a fully deployed autonomous AI environment is great. Similarly, organizations adopting “zero trust approaches” on every network connection and device tend to fare better against cyberattacks because they can limit damage more quickly.

But even the “basics” of IT defense can provide substantial protection.

For instance, in the 2020 IBM/Ponemon report, incident response plan testing, business continuity plan testing, and forming an incident response team showed larger quantifiable reductions in breach costs than an AI platform. Having these fundamentals in place and monitoring them regularly will help significantly when you experience a breach.

Everyone loves the latest technology. But constant monitoring, testing, and updating of your organization’s defenses are proven, though less “flashy,” methods of strengthening organizational security. For many small- and medium-sized organizations, implementing these foundations can be a big improvement.


Increasingly sophisticated attacks and rising recovery costs are putting pressure on organizations. But it’s also becoming clear how the costs of investing in cybersecurity can be substantially smaller than the costs associated with data breaches.

Still, organizations don’t know what they don’t know when it comes to security. This is where Rehmann’s CyberReady solution can help. It’s a flexible, all-encompassing cybersecurity program for small- and medium-sized businesses delivered in four phases:

Governance, discovery, education

The program begins with education on the makeup and design of a sound IT defense system, including governance structure and organizational policies. We’ll help you identify your organization’s “crown jewels” in terms of data and operations, along with their inherent risks and the potential impact to the organization.

Establish baselines

Next, we meet with individual business areas to further identify data and operational assets, their potential risks, and the likelihood of attacks on them. This establishes baselines around the value and safety of your technology infrastructure and helps determine IT defense priorities.

Fortify defenses

This step focuses on protection and identifying vulnerabilities. Using the latest cybersecurity standards, we evaluate your organization’s technology environment and develop an action plan to bridge any gaps. The end goal is to have your organization able to identify attackers, get them out, and recover as quickly as possible.

Buildout and policy development

The final step formalizes and implements the organization’s chosen governance strategy. It often involves putting in place more controls, written policies, and procedural documentation to keep the organization safe.

After following this process, organizations are better suited to defend themselves against breaches. CyberReady is a full-scale program tailored to each organization and focused on keeping critical networks and data safe.

Wise investment

Think back to the organizational exposure equation – it’s clear the cost of a breach, even at small organizations, could easily reach millions of dollars. These sorts of recovery costs, on top of lost revenue and insurmountable reputation hits, sink too many organizations.

With each new edition, the IBM/Ponemon reports further illustrate the benefits of having robust cyber defenses in place. These kinds of investments seem to be proven wiser on an annual basis. At the very least, they’re more palatable than suffering a breach.

Talk with a Rehmann cybersecurity professional today to learn more about how we can work together to protect your organization.

Published in Cybersecurity
