You are the weakest link

Data breaches pose risk for financial and reputational damage

Finweek English Edition - Communication & Technology

SECURITY IS ONE WORD every South African company knows well. Be it physical security or data security, the need to protect a company’s assets against external threats is of vital importance. However, recent research indicates the biggest threat to security continues to come from inside the company. A study released earlier this month by international security vendor RSA indicated more than half of the 417 people polled were working around security policies in order to do their jobs.

That indicates although companies have taken steps to put the correct IT policies in place (and, the survey shows, more than 90% of respondents were familiar with their IT security policies) they were deliberately being ignored in order to improve productivity. The simplest example of that sort of breach highlighted by the survey was employees sending company information to their home email addresses so they could work on it after hours.

The trouble is security breaches of that kind remove possibly sensitive information from under the protective umbrella a strong corporate IT policy creates and exposes the company to risk. Because home computers aren’t subject to the same enforced anti-virus and systems update policies as those found in companies, they’re likelier to be compromised by spyware and other malicious bits of software.

And home computers aren’t protected by the same levels of perimeter defence as those in companies, making it easier for those with less than honest intentions to compromise the security of those systems.

Also highlighted as risky behaviour was the tendency of employees to access their work emails from a public computer or using a public WiFi hotspot.

The question is whether increased security is worth the cost to the bottom line. A report released by Verizon Business earlier this year (which analysed a large number of data breaches) concluded that adopting a one size fits all approach to IT security is rarely successful in deterring attackers.

The report isolated attacks against companies in financial services, hi-tech services, retail and food and beverages fields and analysed the style of attacks against those sectors that resulted in data loss. “Good security doesn’t lend itself to a cookie-cutter approach,” said Peter Tippett, vice-president of research and intelligence at Verizon Business Security Solutions. He said understanding breaches was vital, not only to protect data but also to protect the reputation of the company concerned.

That link between security and reputation is backed by Ernst & Young’s 2008 Global Information Security Survey. It polled more than 1 000 senior executives in more than 50 countries. The survey indicated most executives felt the impact of a security incident would do greater harm to the company’s brand and reputation than it would to its bottom line.

Paul van Kessel, head of Ernst & Young’s technology and security risk services, says while a strong brand can take years to build, the trust that’s established between the client and the company can be destroyed by a single security breach.

However, according to Yvette du Toit, manager for risk advisory services at Ernst & Young, the potential in SA for real financial loss was much higher than in other parts of the world. “While reputational risk is an absolute given, there’s a preponderance of incidents where fraud or corruption related to security breaches results in actual losses, rather than the more intangible consequence of reputational damage,” she says.

The Ernst & Young survey also highlighted the importance of the human element in ensuring proper IT security. “It’s not enough to simply fund further technical solutions, such as encryption. It’s the people who are often the ‘weakest link’ – with 50% of respondents citing awareness within their organisation as the most significant challenge to information security,” said Van Kessel.

The final leg to any security solution is ensuring all parties that have access to confidential information are using the same level of security. Many companies currently outsource components of their businesses to third parties. The Ernst & Young survey reported only 45% of respondents included specific IT security requirements in their contracts with outside organisations and one-third didn’t review or assess how contractors were protecting their information.

Any slip on the part of such partners could provide those looking for a back door into a company with the perfect opportunity to gain access to sensitive information, which could result in both reputational and financial damage to the brand concerned.

High potential for financial losses. Yvette du Toit
