Reputational Risk
- 1. IBM Global Technology Services
Five IT risk management practices of
companies with excellent reputations
How security and business continuity can shape the reputation and
value of your company
© 2012 IBM Corporation
- 2. Today’s speaker
Philip Kibler
IBM, GTS Director Cyber Security Assessment and Response
Phil has 31 years of IT experience and has led IBM Professional Security Services
business since 2007. Recently he has been focusing on Cyber Threats and
Intelligence and marshaling the resources of the IBM Corporation to support clients
globally to deal with the growing Cyber Storm.
Definition of IT risk and reputational risk
Findings from 2012 Reputational Risk Study
Financial implications of security breaches
Recovery from reputational damage
Five characteristics of companies with excellent reputations
Ten essential practices…how they can help
- 3. Reputational risk and IT:
What is reputational risk and why you should care?
Reputational risk:
a type of risk related to the trustworthiness of
business. Damage to a firm's reputation can result
in lost revenue or destruction of shareholder value,
even if the company is not found guilty of a crime.
Reputational risk can be a matter of corporate trust,
but serves also as a tool in crisis prevention.
Source: http://en.wikipedia.org/wiki/Reputational_risk
Equation taken from - International Centre for Financial Regulation
- 4. Reputational risk and IT:
How do we define IT risk?
IT risk is comprised of a number of core
components:
Security and privacy
Business continuity and disaster recovery
IT compliance
Supply chain
Business transformation
Product assurance
- 5. Reputational risk and IT: introduction
To find out where and how IT makes its biggest impact on
reputational risk, IBM conducted a worldwide study.
#1 IT risks have a major impact on a company’s
reputation
#2 Companies have rising IT risk concerns related to
emerging technology trends, e.g., cloud, social
media
#3 Companies are integrating IT risk and
reputational risk management, with strongest
focus on threats to data and systems
Study demographics
Conducted by Economist Intelligence
Unit, paid for by IBM
427 respondents from around the world
23 industries
15 job titles
Company sizes <$500M to >$10B
- 6. IBM factors reputational risk into the domain of IT security risk.
Risk exists when a Threat (Actor) can exploit a Vulnerability (Weakness) and cause Impact (Loss).
Security Risk Management is the application of control to detect
and block the threat, to detect and fix a vulnerability, or to respond
to incidents (impacts) when all else fails. Reputational risk
becomes a factor in the evaluation of the potential impact
- 7. Reputational risk and IT: what you can do now
The study identified the 5 key characteristics of companies reporting
excellent reputations.
1 Defining Characteristic: Have a special emphasis on reputational risk with the support of
senior management and have effective escalation and reporting process
[Bar chart: organizations reporting their reputation as Excellent, Very good, or Average or worse, compared on the following measures]
Integrate IT into reputational risk management
Have strong/very strong IT risk management capacity
Have adequate IT risk management funding
Very strenuously require supply chain to match standards
Are very confident/confident in IT risk management related to data breach/data theft
- 8. Reputational risk and IT Study: security findings
In the recent IBM reputational risk and IT study, security factors are
ranked #1 among IT risks that can cause reputational harm.
of respondents included data breaches, data
theft and cybercrime among the IT risks that
are most harmful to reputation
of respondents identify and manage reputational risk as part of their IT security operations
of respondents very strenuously require third-party sources to match their level of IT security
- 9. Reputational risk and IT: perception vs. reality
There seems to be a mismatch between how well companies rate
their reputation and how well they are protecting it.
80% rate reputation
as excellent or
very good
17% rate their company’s overall ability to
manage IT risk as very strong
There is room for improvement
in almost every organization
- 10. Reputational risk and IT Study: security findings
We also found critical discrepancies between confidence level and
availability of security threat intelligence to support that confidence.
Perception
are very confident or confident they can manage IT risks related to data breaches, data theft and cybercrime
Reality
Have access to the latest security threat intelligence
Are proactive in the management of latest security threats
“IT… is like the heart pumping blood to the whole body,
so any failure could threaten the whole organization’s
survival.”
— IT manager, French IT and technology company
- 11. Reputational risk and IT: perception vs. reality
Companies may be opening themselves up to unintended
reputational risk by ignoring the impact of their partners.
Only 39% of companies are “very strenuously” requiring
their vendors, partners and supply chain to match
levels of risk control
How many outside sources does your
company do business with on a regular basis?
How thoroughly have you communicated your
IT risk mitigation standards to these sources?
How are you monitoring your sources’
compliance with your standards?
- 12. IT security industry analysts are quantifying and tracking the actual
costs of a data breach.
Source: Ponemon Institute LLC, “The Impact of Cybercrime on Business,” May 2012
- 13. Reputational risk and IT Study: security findings
Well publicized scenarios of financial and reputational impact due to
security breaches are in the news every day.
Payment processor: Hackers intrude core line of business. Nearly 130 million customers affected. Estimated costs: up to $500M
Online gaming community: Community and entertainment sites hacked. Around 100 million customer records compromised. Estimated costs: $3.6B
Retailer: Customer data stolen over more than 18 months. At least 45 million records stolen. Estimated costs: up to $900M
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary
from the examples provided. Estimated, based on publicly available financial information, published
articles.
- 14. Reputational risk and IT: perception vs. reality
The impact on “reputation recovery” is measured in months, not
hours or days.
                                                0-6 months   6-12 months   12+ months
Website outage                                  78%          14%           8%
System failure                                  72%          17%           10%
Workplace compromise                            71%          18%           11%
Data loss                                       70%          17%           12%
Failure to align continuity plans with business 65%          21%           13%
Insufficient DR measures                        63%          24%           12%
Data breach                                     65%          19%           16%
Compliance failure                              64%          22%           14%
- 15. IBM uses a ten essential practice approach to better manage IT Risk
and protect client reputations.
1 Risk-aware culture and management
2 Manage incidents with intelligence
3 Defend mobile and social space
4 Security-rich services, by design
5 Automatic security “hygiene”
6 Control network access
7 Address cloud and complexity
8 Manage third-party compliance
9 Secure data, protect privacy
10 Manage the identity lifecycle
[Diagram: Maturity-based approach. Security intelligence levels: Basic, Proficient, Optimized; axes: Manual to Automated, Reactive to Proactive]
- 16. Reputational risk and IT: what you can do now
What can you do now?
Be aware.
Do a Risk Security Assessment for
visibility and prioritization for proper risk
management strategy
Be proactive.
Manage against vulnerabilities for real-
time protection against sophisticated
attacks
Be prepared.
Have an incident response plan in place to
quickly respond and remediate against a
breach
- 17. Reputational risk and IT: what you can do now
Learn more about the reputational risk and IT connection, and how
IBM can help you protect the reputation and value of your company.
Download the full study report, which includes all you’ve seen
today, plus other important findings
www.ibm.com/services/riskstudy
Add your voice to the discussion
Take the reputational risk survey online and get a
complimentary copy of the upcoming expanded
report
Scan the code or go to bit.ly/ibmrisksurvey
Learn more about IBM’s Ten
Security Essential Practices
ibm.com/smarter/cai/security
- 18. Thank
you for attending!
- 19. © Copyright IBM Corporation 2012
IBM Corporation
IBM Global Services
Route 100
Somers, NY 10589 U.S.A.
Produced in the United States of America
August 2012
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other
countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a
trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time
this information was published. Such trademarks may also be registered or common law trademarks in other countries.
Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks
is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are
available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and
conditions of the agreements under which they are provided.