Michael A. Brown, President & CEO for Symantec discusses how to protect your most valuable asset.
By Michael Brown
As business leaders, we’re faced with a challenge around protecting our most valuable asset: information. How do we instill trust and confidence across our teams while making it easy to conduct business internally and with customers, and at the same time ensure our critical information is safe and secure everywhere it goes? Cybersecurity, privacy, and sound data management practices are part of our ethical responsibility as businesses.
We’ve all seen the headlines: familiar names of banks, insurance companies, healthcare providers, and retailers. Massive data breaches are big news and highlight the increasing responsibility that all organizations have to protect their employee, customer, and partner information. Once perceived as a problem for key target industries such as financial and health services, we now know that no company is immune, regardless of industry or size.
According to Symantec’s Internet Security Threat Report, five out of every six large enterprises (those with 2,500-plus employees) were hit by targeted attacks in 2014, with the intent to steal intellectual property, financial data, trade secrets or other confidential data. This represents a 40 percent increase over the previous year. Meanwhile, a full 60 percent of all targeted attacks were directed at small- and medium-sized businesses.
Digital extortion is also on the rise, where 45 times more people had their digital devices and data held hostage in 2014. Every type of business of every size and with every kind of customer is potentially at risk, and the consequences—financial, operational and reputational—are hugely disruptive and costly.
Protecting the information you collect, store, and use to run your business is not just a matter of managing your intellectual property or maintaining your competitive advantage. It is critical to the reputation of your business; it’s part of the contract you make with both your employees and your customers, both formally through written contract and informally through social contract. Cybersecurity, privacy, and sound data management practices are key parts of our ethical responsibility as businesses.
We are generating, storing, and managing more data than ever before. The tremendous growth rate of data presents great opportunities. Companies know more about us and our preferences than ever before, allowing for more targeted, personalized experiences; and the availability of analytics around big data helps companies and individuals make better decisions in shorter timescales.
But there are also added complexities. With the increase in Bring Your Own Device policies, the multitude of connected devices, and the explosion of social media, the lines between personal and professional identities are blurring. The International Data Corporation estimates that in “connected countries,” there are between 24-30 digital identities per person. They also estimate that 90 percent of this data is unstructured—free-form text that does not reside in a fixed location, such as Word documents, pdf files, emails, and websites. Moreover, much of this information is increasingly being held in the cloud and transferred via mobile devices—and according to Gartner, there will be more than seven billion mobile devices worldwide by 2020.
All of this is to say that the advantages we gain from all this valuable data also present great obligations to protect the information that employees, consumers, and companies care about most, while respecting the privacy that is expected and often required by law. Security, once thought of as just another compliance function, is now a competitive advantage that boards, executives, shareholders, and customers expect from responsible companies.
In this increasingly connected world, being attacked is inevitable. From a defense point of view, the difference between success and catastrophe comes down to not just preventing attacks, but responding quickly and appropriately when one does occur. Business leaders need to operate with the understanding that it is their responsibility to expect and prepare themselves for a breach.
If you can’t control whether or not a breach happens, you must attempt to control the severity and impact to your employees or customers. It is no longer a question of checking a box when your reputation and the perception of your company as an ethical, socially responsible citizen are at stake. Given this seemingly bleak news, what options do you have to protect your data, your customers, and your reputation? As with most things, it comes down to people, process, and technology.
- Have a plan
Understand what data is important to your company and its clients and vendors. Carefully document your data protection policies and procedures, including data management and records retention policies. From this, understand the threats you face and where you are at risk, then formulate a plan to educate, prevent, and respond. Ensure that discussions about cybersecurity are happening at all levels of the company—up to and including the Board of Directors.
- Deploy layered security strategies
A comprehensive security strategy requires much more than any one individual product or technology tool. Endpoint security, advanced threat protection solutions, incident response, data loss prevention, encryption, and privacy controls all have a role to play in ensuring as few gaps as possible in your defenses.
- Address the behavioral component
The people working in, and connecting to, your network bring risk into the company as well. Along with technology solutions, have a plan to address the kinds of behaviors you expect your employees and vendors to exhibit when connecting to your systems. Your protection strategy depends on their behavior; make sure they know what to do and hold them accountable to the standards you set. Do this through education, engagement, and establishing cultural norms, including in your standards of conduct.
In the 2014 State of Corporate Citizenship report by the Boston College Center for Corporate Citizenship, consumer data protection and privacy emerged as the leading corporate citizenship priority for companies—and is projected to increase in the next three years. According to the report, in many companies, corporate citizenship departments are designing programs to educate employees and customers about how they can help protect privacy and create a safe information and e-commerce superhighway. This issue has moved away from being solely a data protection consideration. It is now a critical component of your brand reputation, standards of conduct, and corporate responsibility strategy.
Companies that are thinking ethically and acting with integrity need to secure and protect their data, including intellectual property and customers’, employees’, and partners’ information. In our connected world, data protection is vital to a prosperous future, but we are only as secure as the weakest link in the chain. Data breaches compromise our privacy, security, and economic well-being. The financial and reputational risks have both immediate and long-term impacts. That’s why educating our customers and employees, having a response plan in place, and protecting our data and devices with current technologies are essential for ethical corporate citizenship. Do your part to ensure the integrity and security of the data you hold, process and manage. It’s the right thing to do.
For more information, read Symantec’s 2015 Internet Security Threat Report at http://www.symantec.com/security_response/publications/threatreport.jsp. Symantec is proud to have been listed as one of the World’s Most Ethical Companies by Ethisphere Magazine for eight consecutive years.
Michael A. Brown was named President and Chief Executive Officer of Symantec in September 2014. He joined Symantec’s Board of Directors following the company’s merger with VERITAS Software in July 2005, and previously served as Chairman and Chief Executive Officer of Quantum Corporation. Brown received his MBA from Stanford University’s Graduate School of Business and his BA in Economics from Harvard University.
This article was featured in the Q3 2015 issue of Ethisphere Magazine. To subscribe and learn more about Ethisphere Magazine click here.