Part 1: Cyber Security Awareness Month Series
It’s natural to think of corporate security and business privacy risks as just part of doing business — in fact, it would be irrational not to. Whether it’s a valuable piece of proprietary information, a customer order or a routine email, any electronic data is potentially vulnerable to hackers. Most organizations do their best to calculate the danger hackers and insiders pose to enterprise data security, and remediate in proportion to perceived risk.
But the damage caused by compromised corporate security is hard to predict, and easy to underestimate. For small organizations, severe breaches can be fatal, and even for large companies, there can be long-term financial impacts beyond initial expenses like remediation costs and compliance penalties. But for individuals whose reputations are compromised in a breach, the consequences can last for decades. In the first of a three-part series on corporate security for beginners, we explore the long-term costs of breaches.
Effective Corporate Security Policy Isn’t Treated as a Priority
These days, everyone is concerned about corporate security. A recent survey of 400 financial execs found that 57% viewed internal controls, data infiltration or cyber security as their biggest compliance concern. By contrast, only 20% focused on tax compliance and 17% stressed future regulatory mandates — the top concerns only a year before.
But that concern hasn’t translated into action. 51% of executives conduct one security training session or fewer per year. Among small business owners, the number jumps to 78%. In fact, a full 28% of small business owners have never trained employees in data security or legal security requirements. With those stats, it’s no wonder everyone is worried.
The Costs of Corporate Security Incidents are Growing
Between loss of intellectual property, compliance penalties, remediation costs, possible litigation and decreased investor confidence, breaches can be tremendously damaging. According to Ponemon Institute’s global 2016 Cost of Data Breach Study, the average cost of a data breach has reached $4 million — a 29% increase since 2013.
There’s a good chance that costs will continue to increase, as regulatory bodies impose stricter compliance penalties. For HIPAA privacy violations, it’s not unusual for organizations to pay $4 million in settlement costs alone, and CFPB compliance violations and other industry-specific penalties are growing as well.
Larger companies are usually able to weather breaches of business privacy, but for SMBs a major corporate security lapse can be devastating. In a large, diversified organization, a large breach may affect only one division of the company, leaving the data (and reputation) of other branches untouched. For a smaller organization, however, the same breach could have devastating consequences.
Corporate Security Breaches Can Wreck Your Reputation
Often the biggest cost of a corporate security breach is paid not by the organization itself, but by the people who run or work for that organization. Reputation damage from breaches is unpredictable, and difficult to quantify. Many factors can affect how a breach harms individual reputations, and whose head the blame falls on, including:
- Severity of the breach
- Press coverage
- Political and regulatory climate
- Corporate culture
- Personal responsibility
- Past reputation or controversies
The effect is often most severe and widespread when a corporate security breach reveals controversial activities in an organization. The recent Panama Papers leaks, for example, probably won’t just hurt the reputations of the founders of Mossack Fonseca — they’ll harm anyone associated with the law firm. Even for employees who were not responsible for any wrongdoing, having the name of that particular firm on a resume could undermine future employment opportunities.
Poor corporate security can also enable ideologically-driven hackers to worsen an organization’s PR problems or undermine a current program. The 2016 DNC hacks were particularly damaging because they were released when the party was already under substantial criticism for its perceived partisanship in the Democratic presidential primary. Additionally, the DNC wasn’t using email security best practices, which could have limited the extent of the breach. The leak was also timed to coincide with the party’s primary to maximize the negative publicity.
Corporate security breaches can wreak havoc on your personal reputation even if your organization hasn’t engaged in any controversial activities. If malicious hackers breach your email security and gain control of your account, for example, they’ll gain control over your online persona as well.
They could use this power to send fraudulent messages to business associates, extorting money or infecting their accounts. They could betray your clients’ trust by leaking or defacing confidential data. They could even make controversial statements in your name, or reveal personal secrets. In short, they can do irreparable harm to your professional network and destroy goodwill and alliances that took years to build.
It’s Easier to Fix Your Corporate Security than Your Reputation
Bad press and popular outrage are hard to predict, and even harder to get rid of. In some cases, even the attempt to clean up your image after a corporate security incident can cause more controversy. The 2011 UC Davis pepper spray incident wasn’t a hack, but it makes a good case study in how difficult reputation management can be after a controversial event. In the incident, college police generated national controversy by spraying peaceful protesters with pepper spray. When it was revealed five years later that the university had hired a PR firm to improve its online reputation using public funds, it caused a whole new controversy. Long after the news cycle had moved on and public outrage had died down, the organization’s effort to fix its reputation was still harming it.
The personal reputation damage caused by corporate security incidents can be just as unpredictable, and just as difficult to fix. The 2014 Sony email hack revealed controversial emails from executives, badmouthing stars and other major figures in the entertainment industry. It’s easy to take issue with the content of some of the emails, but it brings up an uncomfortable truth — we all say things that could irreparably damage us if they were publicly revealed.
Ask yourself: if your unencrypted emails were leaked by a hacker, who would they alienate? What could you do about it? Would apologizing make things right, or would there be lasting damage to personal and professional relationships? What would the consequences be for your career or your friendships? For most people, the answers to these questions aren’t pleasant.
Fixing Corporate Security and Beefing Up Your Business Privacy Isn’t as Hard as You Think
The good news is, most hacks are crimes of opportunity. By adding protections like email encryption and educating your employees in security and data loss prevention best practices, you can eliminate the most common vectors that hackers use to compromise corporate security.
But writing a new policy and adding some new cyber security tools isn’t enough. If you want to hacker-proof your organization, you need to make security part of your daily business practices, and that starts with taking a hard look at your current data security.
Stay tuned for Part 2 of our Cyber Security Awareness Month Series, when we will be covering how you can evaluate your current corporate data security protections.