As Tom begins to piece together his company’s cyber risk management plan with Nathan, his chief risk officer (CRO), and Nasir, his crisis action officer, Tom recalls a recent news story of a major company crippled by a cyber attack. “That sounds bad,” Tom says, “but it would never happen to us. We perform regular security updates and are fully compliant with security requirements.” Nathan cautions, “Tom, compliance is only a small piece of an incredibly lethal and complex cybersecurity puzzle. What was good enough years ago leaves companies open for a crippling attack today.” Nasir chimes in, “Information is power. The more effectively our organization protects our own information assets and detect and respond to threats in a broad, holistic manner, the more likely we will be to keep sensitive information out of hackers’ hands.”

The Invisible Attacker

Holiday season is usually a time of plenty for North American retailers. But in December 2013, a giant retail company got a surprise worse than a stocking full of coal: the credit card information of 40 million customers had been stolen via point-of-sale (POS) systems in the company’s stores. An additional 70 million customer records containing names, addresses, phone numbers and e-mail addresses were also exposed.

This was no ordinary breach. Hackers began their assault by infiltrating the ...