All the companies involved vigorously deny giving the Obama administration access to their users’ data, but the current and potential damage to their brand reputation has left these corporations scrambling for responses that satisfy not only shareholders, but stakeholders.
Viktor Mayer-Schonberger, professor of internet governance and regulation at the Oxford Internet Institute, sums up the scope of the collective data breach saying, “These companies depend on their users being sufficiently trusting to give them personal data. Many of us are perfectly fine for these companies to use this information for their own commercial benefit, to place more relevant adverts on the right hand side, but we do not want it passed on to the government or to tax authorities for instance.”
Revelations about the NSA’s accumulation of citizens personal information has raised our collective awareness of data security. We assumed that our personal information was safe and secure, we no longer can. In business, there can be no assumptions regarding data security. Corporate data breaches are, in fact, growing at an alarming rate. The Open Security Foundation working in conjunction with Javelin Strategy & Research reports an all-time high of 1,611 breaches in 2012, representing a 48% increase over 2011. What do those numbers mean in terms of dollars? A recent study by the Ponemon Institute shows that the organizational cost per data breach stands at $5.4 million and the cost per record is $188. Thus, chief executives and business owners must treat the issue as though their companies, and the data they hold, are continuously under attack.
How do organizations across the economic spectrum treat the issue of data security? What are the right moves to keep data safe and secure and what may be done to avoid the costs (both monetary and social) of a security breach?
Writing in the Harvard Business Review, Robert Plant, associate professor of computer information systems at the University of Miami School of Business Administration, says executives must understand four basic points about security:
- A well-executed data breach is potentially more dangerous to your business than a recession.
- Cybercrime isn’t someone else’s problem; it’s your problem.
- Just because you haven’t heard your C-suite peers at other firms talk of security breaches doesn’t mean they’re not happening, nor does the fact that you haven’t found anything in your systems mean you’re safe.
- You probably don’t understand where your data is.
The takeaway is that any business can be a target. Breaches can, do and will occur in organizations of all sizes and across a large number of industries. Old excuses like “we’re too small to be a target,” or “we just implemented new antivirus software and firewalls,” are no longer acceptable.
In addition to the financial repercussions of a data breach is the social impact. Data breaches not only tarnish a company’s hard earned reputation, they violate people’s trust. Chief executives must accept that reputation has quantitative value. It is just as material to the company’s bottom line as inventory, receivables, real estate or any other balance sheet asset.
What should a chief executive do about the inevitable data breach? In a word, prepare. A logical first step is putting a team in place to plan a response that meets not only the legal standard, but obligations to clients and business partners. The team may include data security personnel, legal counsel, as well as a communications expert. Once a blueprint is formulated, the team should meet at least twice a year to conduct drills, just as other teams prepare for physical risks like weather emergencies or fire drills.
Experts cite says three different tasks that businesses must consider when evaluating readiness to meet a data breach:
Inspect all the ways that data moves in and out of your company, from laptops and thumb drives to cloud storage and customer portals. The vulnerability assessment also needs to look beyond your company to your contractors, and subcontractors. If you share data and systems with any of them, your operations are at risk.
Encrypting files and restricting access to data are good starting points, as is a “remote kill” option that will let a security team wipe out data on a laptop that has gone missing. Your response should also consider the need to quarantine areas of your data network or shut down entire systems.
Communicating the Aftermath:
Any plan must take communications into account. When planning a response, experts advise factoring in how many records were affected and what level of data was exposed. You need to understand the legal ramifications and how you might fare in the court of public opinion if
you handle the breach incorrectly. Remember that you can’t eat your words once they’re in the public domain.
Data breaches and cyber security recently topped the agenda of the summit between President Obama and Chinese President Xi Jinping. Although U.S. officials have accused the Chinese government of being behind a series of attacks designed to steal trade secrets and potentially disable computers that operate banks, power grids and telecommunications systems; Xi flatly rejected the charges saying that his nation was also a victim of such acts and called for cooperation on the issue.
Chief executives, and the companies they manage, must treat security and the threats of data breaches seriously and take the necessary steps to harden their defenses. No panacea exists that will prevent data breaches and deterring such incidents is a never ending task. Cyber security cannot be delegated to the IT department or the CISO, it is a company wide effort that begins and ends in the corner office.