A financial services company suspected it was suffering “death by a thousand cuts” from data leaks due to employees accidentally emailing out customer-sensitive information. Every time a misaddressed email security breach was discovered, the company had to pay for credit monitoring for affected clients – and suffered some reputation damage. But the risk management team couldn't get its arms around the extent of the problem or a cost-effective way to fix it.
Using RiskLens, the team gathered and made sense of the available GRC data on reported accidental releases of PII and put hard numbers on the losses. The FAIR methodology in particular "really helped us get down to the core secondary losses, relating to brand impact and reputation loss," the team leader says.
The probable losses were significant enough to have the team look for a solution. With solid estimates on costs, the team was able to identify the best vendor solution (software that interrupts email workflow, forcing employees to verify message recipients), then make a clear investment case to management based on a cost/benefit analysis.
“When you’re speaking in the language of the business, dollars and cents, they know what you mean,” says the team leader. “It doesn’t require context, especially when you can describe how those numbers were broken down.
“They can clearly see the projected risk reduction and that adds a great deal of credibility for future analyses... They may not like the cost, but they’ll know if they make the investment, they will get a return on it.”
Learn how RiskLens helped this risk management team discover the value in its own data – and the value of cyber risk quantification as a business-decision support tool. Read the case study now.