Cybersecurity: Getting Serious About Safeguards

One executive who argues he and fellow CEOs of smaller companies are doing a solid job of protecting themselves is Ross Buchmueller of the PURE Group of Insurance Companies, based in White Plains, New York, a privately held firm with about $500 million a year in premiums (sales). “The reality is that everybody is trying to harden their systems,” he says.

While he operates in a sector where regulators ask him about Internet security, he says it’s really his affluent customers he has to protect—or risk losing their business. “We’re asking tens of thousands of wealthy families to allow us to manage their risks, which means protecting all the information they share with us,” Buchmueller explains. “We spend a lot of time worrying about how to do that.”

Buchmueller hired an expert to be in charge of his technology infrastructure, and the company’s core on-premises data center is managed with help from Oracle and IBM, using the latest encryption know-how. The company does use a cloud application from Salesforce.com that helps it manage relationships with customers, but he’s confident it is well-protected.

Reflecting the sensitivities of being a CEO who speaks publicly about his IT system, thereby possibly attracting unwanted attention, Buchmueller declined to identify a vendor that provides a software agent which sits on his company’s computers and servers looking for an intruder before that attacker can secure any data. “The first rule of having great security is not telling everybody what you do,” he says.

He also hires consultants to “stress” or attack PURE Group systems to find weaknesses. Then he meets with the ethical attackers—without his internal IT people in the room. “That way, we can get the kind of candor we need and know we aren’t kidding ourselves about how our internal team is doing,” he explains.

One decision that any CEO faces in seeking external help is whether to hire a neutral third party, such as PwC (the former PricewaterhouseCoopers), or a company that offers cybersecurity products and services. “We provide a level of objectivity because we do not have products to sell—some CEOs find that valuable,” says Quentin Orr, head of PwC’s cybersecurity practice, based in Philadelphia. “The perspective we’re offering is not tied to any one product.”

Often, says Orr, smaller companies have an IT executive who wears multiple hats and tries to do the best possible security job, but lacks the necessary training and resources. “We often find a sleepy IT staff that’s been in place for many years,” he says. “They have a mentality of just trying to keep the lights on.”

This can backfire in a big way. For example, after a small healthcare information company suffered a breach, it became clear the company had mishandled sensitive information belonging to its two largest customers, presumably hospitals or physician groups. The firm had a contractual obligation to notify the customers of the breach—and both terminated their relationships with the smaller firm, forcing it to declare bankruptcy.

“If you’re a small company handling the data of big companies, they are not going to cut you any slack,” Orr warns. “They want you to step up to their level.”