Data breaches are on the rise, increasingly hitting small and mid-sized companies and bringing significant costs with them. Yet many companies still consider cyber security a problem for the information technology department, rather than a concern for top executives.
That was the warning from a panel of security experts who spoke Thursday about what CEOs and other executives need to know about cyber security. The panel was part of the CyberMaryland Conference, an annual industry conference taking place Thursday and Friday at the Baltimore Hilton Hotel.
"This is what should have CEOs awake in the middle of the night," said Christopher Helmrath, managing director of SC&H Group, a Sparks-based business consulting firm.
The Identity Theft Resource Center tracked 781 breaches in the U.S. in 2015, up 8 percent from the previous year.
Each costs an average $4 million, according to a report by IBM, with expenses on the rise as increasingly malicious attacks cause more damage to companies' client bases, reputations and daily business operations.
Security has long been on the radar of top executives at large corporations, which are bigger targets for attacks. But increasingly, security problems are "moving downstream," to smaller companies, said Joanne Martin, who leads the chief information security officer advisory practice at Hartman Executive Advisors, a technology advisory firm in Timonium.
Security-conscious corporations want their suppliers and other companies they do business with to have the same standards for security, she said.
But while companies may be aware that cyber security is a threat to their business, many don't approach the problem the right way, and relegate the responsibility to IT departments, instead of tackling it as a business challenge that deserves the attention of the company's top executives, said Gary Merry, founder and CEO of Deep Run Security in Baltimore.
Deep Run Security helps companies evaluate and manage their cyber security risks. Merry said he often encounters CEOs who know they need to do something, but aren't sure what to do.
The challenge for security experts is to visualize threats, so executives can understand how serious they are and where they come from, said Malcolm Harkins, a former chief security and privacy officer at Intel who now leads information security at Los Angeles-area threat protection startup Cylance Inc.
Strong communication between a company's top executives, board and IT staff is key to developing a robust cyber security strategy, he said.
Finding the right approach — and right protection vendors — can be challenging because there are so many companies developing cyber solutions, "all promising to be the one that saves the day," Martin said.
Executives and their security experts need to work together to determine what the company's risks are and seek out protection that is tailored to their needs, she said.