Here are some impactful statistics to digest:

• Juniper Research, a United Kingdom-based digital market specialist, reported data breaches are expected to cost $500 billion globally in 2015 and grow to $2.1 trillion globally by 2019.

• Identity Theft Resource Center said the number of data breaches in 2015 are on pace to break records with 117.5 million records confirmed to be at risk, combined with an 85% increase in banking sector breaches this year.

Boards and senior management must have a holistic view, and work to protect all forms of data and intellectual property. This is essential in any modern enterprise risk management program. In their oversight role, directors must ensure management establishes an enterprise-wide, cyber risk management framework with adequate staffing and budget. Because total data protection is an impracticable goal, management must identify and prioritize those risks to avoid, accept, mitigate or lay off through insurance.

Pamela Gupta, CEO of Out Secure Inc., which provides security strategies to multi-national corporations, advises, "Security strategy begins with identifying the highest value information targets – those assets that, if compromised, would cause the greatest harm to the organization. Next, management needs to prioritize information assets by business risk and allocate resources accordingly. Levels and costs of preparedness correspond with the risk the organization can appropriately take. Today, every decision concerning technology needs to be informed by an awareness of related vulnerabilities. All software and hardware, social networking applications and other Internet-related tools must all be viewed through a lens of security."

As with most organizational initiatives, cybersecurity must be driven from the top and diffuse throughout the organization. An ERM plan for data protection alone is not enough.

After the C-suite produces the data protection strategy, management must clearly and consistently communicate it across the organizational structure to all levels. A strong communications program should be designed to heighten the urgency to address overall cyber risk to complement strong technological security. The organization's commitment to security must translate into specific policies and procedures that employees learn and follow. The greatest vulnerabilities often come from everyday use of email and the Internet, such as inadvertently unsafe activity on social networking sites. Employee inattentiveness, not malicious behavior, usually causes the problem. Thus, training should target behavior that undermines security. Data security should become part of the company's culture to protect the organization's brand and reputation.

Budgets and timetables must reflect the integration of security requirements into any project plan. Gupta advises the security team become engaged at the outset of a project, not as an afterthought. This approach delivers a much greater ROI for security monies utilized. She explained, "Retrofitting security is expensive and monies used in reaction to a security breach can be expected to be 10 times as great as the cost of prevention."

Regardless of your organization's industry or size, protecting information assets in the smartest way is critical. Your board's oversight, management's leadership and employees' engagement will make the difference.

Stuart Levine is chairman and CEO of Stuart Levine & Associates and EduLeader LLC. He can be reached at 516-465-0800 or [email protected].