Hidden Profits Blog

In my last blog post I discussed the importance of evaluating risk of cyber crime in business and 5 steps to protect your company.  Well in the news in the last couple of weeks are 2 high profile examples of cyber crime and the affects to the victim firms’ reputation and profitability. 

The first was last week when BP (British Petroleum) announced that an employee had lost a laptop that contained social security numbers for victims of the BP oil spill that had been reimbursed by the company.  This is an example of the first type of breach I discussed in my previous post.  The laptop contained data that had either been downloaded from corporate systems to the laptop or had simply been created on the laptop using desktop software.  This was completely avoidable and has cost BP not only financially but also another hit to their already shaky reputation.  Today files with critical information do not need to be stored on laptops or workstations for employees to have access to them.  In a major corporation like BP, these files should have been maintained on a corporate secure server.  Other options are to maintain the files on outsourced secure servers.

The second was this past weekend when the Epsilon data servers were hacked and client information from a host of major corporations was compromised.  The good news is that it appears that the only information that was exposed was client names and email addresses.  How this was done is not yet known, however, it is one of those situations that may not have been easily prevented.  One scenario is that the data files may not have been as secure as they could have been because the data was not considered critical.  The Epsilon client corporations that were affected took adequate precautions by only providing customer name and email information to Epsilon.  While that information can lead to more details about a customer it will require additional work to obtain that information.  The big risk in this scenario is that the end customers could begin to receive pshing emails in which the perpetrators are seeking the additional identity information required directly from the consumer. 

Even though limited personal information was obtained, this will still cost numerous corporations significantly.  First Epsilon’s reputation is severely impaired and the company may lose significant revenue from this incident not to mention the cost of notification.  The victim companies involved which include Citibank, Capital One, Walgreens, will probably spend millions in notification and corrective action to protect their customers.

Senior executives and board members, this is a critical issue.  Security should be re-evaluated in all companies.  If you would like to discuss your security in more detail please contact me at 818-709-683.  Here is the link to my previous post www.hiddenprofitsblog.com/5-steps-to-protect-your-company-from-cyber-crime

My friend Alex Auerbach who owns the PR firm, Alexander Auerbach & Co Public Relations, and is a member of the board of directors of a public company forwarded an article to me from Boardmember.com about Cyber Risk. and why corporate board members should be concerned about it.  The article addresses a couple of types of cyber crime and the general lack of attention paid to cyber crime by corporate boards and executive management.

The article discusses the 2 main areas of cyber crime

1. Theft of customer and employee information for the purpose of identity theft
2. Cyber corporate espionage for the purpose of obtaining competitive information and harming the firm’s revenue, profit and reputation

Both of these crimes are the result of individuals outside the organization hacking into the company’s computer systems to obtain the desired information.  As mentioned in the article the first type of cyber crime, theft of customer information, is generally a one-time problem in which the company is hacked and the data stolen, however it can happen multiple times.  The second type tends to be more ongoing in nature.

In addition, companies also need to guard against theft of data by internal employees,  The internal employees do not necessarily need to be IT employees.  With today’s sophisticated communications, offsite workforce and IT savvy employees it is more important than ever that additional precautions are taken to protect corporate data.

As the article mentions, the majority of executives and board members do not give much thought to cyber crime, although that is slowly changing.  Some of the reasons it is not on the radar for executives are:

1.  They assume the IT department will take care of it.

      While it is true that all good IT managers today address the basics, frequently that is not adequate and there are holes in security that are not obvious.  While a majority of software systems will encrypt data generally recognized as critical such as customer credit card numbers and employee SSN,  there may be data in systems that are critical to your company that are not generally considered critical in nature.  Also many in-house developed applications are not designed to encrypt data on the data bases.  Finally, if data is extracted from systems and stored in an employee’s spreadsheet or Access file it will not be encrypted and usually not even password protected. 

2.  They feel there is not much risk because no one would be interested in their data.

Cyber criminals are getting more and more sophisticated and as larger companies secure their systems and data better, smaller mid-market companies become easier targets,  Also all companies have competitors and in today’s marketplace many are becoming more willing to pay for competitive intelligence.  This is the biggest risk from internal employees because they have a greater understanding of what data is important.

3.  They are unaware of the growing magnitude of the risk and potential cost of loss

Cyber criminals have become more sophisticated and the rewards have become greater thus increasing the likelihood that any  company can be a victim.  With new laws regarding notification of breaches in customer and employee data, the administrative costs of a cyber crime are high.  However, even at the high cost of reporting the potential for loss from corporate espionage is even greater.  What would the cost to your company be if key product secrets or strategies were made known to competitors or to the public? 

So as executives and board members begin to put cyber crime on their radar, what can be done about it?  Just like any other type of crime cyber crime cannot be completely prevented, however, there are several steps that can be taken to reduce your chances of being the victim of cyber crime and increase your cyber security. 

1. Identify the most critical corporate data and focus on securing that data. For example whatever is unique about your business, provides a competitive advantage or represents a large R&D investment should be protected in systems. 
2. Perform an independent security assessment annually to identify risk levels.  Many companies feel they are adequately protected yet have lapses in security.  An independent audit by a cyber security firm can identify those lapses.  Secure the breaches that represent the biggest potential threat.
3. Purchase insurance to protect the company and limit liability for any breach.  Majority of insurance companies today provide policies to protect against cyber crime.  This is just as important today as standard property and casualty insurance. 
4. Perform background searches on all employees with access to critical data. 
5. Include IT executive representation on board of directors.  The inclusion of a CIO/CTO as either a member or advisor to the board will bring understanding of cyber security options to that body. 

Boardroom.com article ‘Is Your Company Prepared for Cyber Risk?’

Alexander Auerbach & Company