Securing Sensitive Data

How Companies Can Head off the Cyber Threat

Written by Pamela Passman

Recently, one of the largest US health insurance companies disclosed that its database had been hacked, exposing as many as 80 million records for customers and former employees. Anthem Inc. said that the information included birthdays, Social Security Numbers, email and street addresses, income data, and other employment information. In short, enough for widespread identity theft and long-term havoc.

While the Indiana-based company commenced damage control, its share price took an immediate hit on the stock market. But the long-term implications of the breach are more troubling. The incident will have an impact on the company’s reputation, customer confidence, and potential liability that is hard to estimate.

It was yet another dramatic illustration of the growing problem of digital vulnerability. Data breaches—many not detected until long after the fact—are becoming almost commonplace. This new reality calls for companies to take stock of their intellectual property and other valuable or sensitive data. As it stands, many remain woefully unprepared.

It’s difficult to get an accurate estimate of losses from data security breaches, since many go undetected, and when they are uncovered, companies are often reluctant to make these cases public. What is evident is that intrusion and data theft are on the rise. Organizations reporting losses of $20 million or more from data security breaches rose 92 percent last year compared to 2013, according to the PricewaterhouseCoopers (PwC) Global State of Information Security Survey (2015).

In addition to the immediate cost of cyber intrusions and data misappropriation are the growing costs of liability. A federal judge in Minnesota recently gave the go-ahead for a class action lawsuit against retail giant Target for the data breach that occurred in late 2013. According to the ruling, computer hackers stole credit and debit card information and other personal information for approximately 110 million customers of Target’s retail stores during a three-week period.

“Indeed, many of the 114 named Plaintiffs allege that they actually incurred unauthorized charges, lost access to their accounts, and/or were forced to pay sums such as late fees, card replacement fees, and credit monitoring costs because the hackers misused their personal financial information,” wrote Judge Paul Magnuson.

The challenge remains: how to address the risk? In a digitized and globalized economy, security is no longer achieved by posting a guard at the gate or putting in place a firewall. In order to benefit from the efficiencies of this economic landscape, companies have information flowing internally as well as among supply chain partners, distributors, and vendors. Just as critical corporate information can be transferred with little effort through email, file sharing, or a thumb drive, it can easily be stolen and compromised.

And yet, access to sensitive information is relatively unrestricted in many companies. In a recent survey by the Ponemon Institute, 71 percent of employees said they have access to data they should not see and 54 percent said this access is frequent or very frequent.

Compounding the risk posed by insiders, employees are more mobile than ever before, with opportunities to cross companies and borders. Indeed, even though North Korean hackers make more interesting headlines, it is insiders—employees, vendors, and business partners—who pose the greatest risk of both accidental and malicious exposure of sensitive data.

Many companies find themselves grappling with former employees attempting to steal valuable corporate information. For example:

  • In Japan, police arrested a systems engineer for allegedly stealing data linked to more than 20 million customers of educational material provider Benesse. The suspect was working for a firm affiliated with the educational company.
  • Nike is in a legal battle with former employees who left the company and set up their own design firm with funding from rival sporting goods company Adidas. Nike alleges that the designers misappropriated reams of design and marketing secrets.

At the same time, with the expansion of global supply chains, companies have developed new vulnerabilities. Consider, for example, when Target’s customer payment information was hacked; the access point was reportedly through the computer account of a vendor who provided heating, air conditioning, and refrigeration services to the big box store.

As such, companies need an approach to security that takes into consideration the entire business ecosystem. It is critical for organizations to build safeguards into the fabric of the business—and to foster this culture among supply chain partners.

Fortunately, many enterprises already have in place a holistic approach to address many other risks that can be adapted to deal with these risks as well: Enterprise Risk Management (ERM). ERM is a process by which companies systematically identify, assess, and manage risks to the business, as follows:

  • Identify the risks: To protect valuable digital assets, you first have to know what they are. This involves creating a comprehensive inventory of valuable corporate information, including trade secrets, customer data, and intellectual property, taking into account where they are located and who has access to them.
  • Assess the risks: In the second step of the process, risks—in this case, the loss or misappropriation of sensitive company information—are ranked in order of priority, considering both the probability of the loss and the potential damage caused.
  • Manage the risks: With the assessment in hand, the company has a basis for strategic allocation of its resources to safeguard its sensitive information.

It is not surprising that companies have rushed to invest in cyber security over the past several years. It is important to note that IT is an essential part of the overall protection of company information, but it is by no means sufficient. Even a sophisticated system, including those complying with new international standards (ISO 27001, NIST, COBIT), will only protect that which it is designed to protect.

In addition to a well-conceived IT security system, effectively safeguarding data and intellectual property requires an alignment of people, processes, and technology, including: a cross-functional team with senior leadership support; procedures and policies that spell out how information is handled and by whom; training that conveys expectations; monitoring to ensure procedures are being followed; due diligence and follow-up with supply chain partners regarding confidentiality; and contingency plans for when information is compromised.

In essence, staving off damaging cyber security intrusions and information theft demands that companies not just build a wall around themselves, but build security into the fabric of the business, including personnel policies, operations, and IT systems. Critically, the system also needs to account for partners who have access. This multi-faceted approach is robust and flexible and focused on what is most valuable and sensitive—as it must be to address the ever-changing threat to key company digital assets, the new crown jewels of global business.
