You are the weakest link
Data breaches pose a risk of both financial and reputational damage
SECURITY IS ONE WORD every South African company knows well. Be it physical security or data security, the need to protect a company’s assets against external threats is of vital importance. However, recent research indicates the biggest threat to security continues to come from inside the company. A study released earlier this month by international security vendor RSA indicated more than half of the 417 people polled were working around security policies in order to do their jobs.
That indicates that although companies have taken steps to put the correct IT policies in place (and, the survey shows, more than 90% of respondents were familiar with their IT security policies), those policies were being deliberately ignored in order to improve productivity. The simplest example of that sort of breach highlighted by the survey was employees sending company information to their home email addresses so they could work on it after hours.
The trouble is that security breaches of that kind remove possibly sensitive information from under the protective umbrella a strong corporate IT policy creates and expose the company to risk. Because home computers aren’t subject to the same enforced anti-virus and system update policies as those found in companies, they’re likelier to be compromised by spyware and other malicious software.
Home computers also aren’t protected by the same levels of perimeter defence as corporate systems, which makes it easier for anyone with less than honest intentions to compromise them and, through them, the company data they hold.
Also highlighted as risky behaviour was the tendency of employees to access their work email from a public computer or over a public WiFi hotspot.
The question is whether increased security is worth the cost to the bottom line. A report released by Verizon Business earlier this year, which analysed a large number of data breaches, concluded that adopting a one-size-fits-all approach to IT security is rarely successful in deterring attackers.
The report isolated attacks against companies in the financial services, hi-tech services, retail, and food and beverage sectors and analysed the style of attacks against those sectors that resulted in data loss. “Good security doesn’t lend itself to a cookie-cutter approach,” said Peter Tippett, vice-president of research and intelligence at Verizon Business Security Solutions. He said understanding breaches was vital, not only to protect data but also to protect the reputation of the company concerned.
That link between security and reputation is backed by Ernst & Young’s 2008 Global Information Security Survey. It polled more than 1 000 senior executives in more than 50 countries. The survey indicated most executives felt the impact of a security incident would do greater harm to the company’s brand and reputation than it would to its bottom line.
Paul van Kessel, head of Ernst & Young’s technology and security risk services, says while a strong brand can take years to build, the trust that’s established between the client and the company can be destroyed by a single security breach.
However, according to Yvette du Toit, manager for risk advisory services at Ernst & Young, the potential in SA for real financial loss was much higher than in other parts of the world. “While reputational risk is an absolute given, there’s a preponderance of incidents where fraud or corruption related to security breaches results in actual losses, rather than the more intangible consequence of reputational damage,” she says.
The Ernst & Young survey also highlighted the importance of the human element in ensuring proper IT security. “It’s not enough to simply fund further technical solutions, such as encryption. It’s the people who are often the ‘weakest link’ – with 50% of respondents citing awareness within their organisation as the most significant challenge to information security,” said Van Kessel.
The final leg of any security solution is ensuring that all parties with access to confidential information apply the same level of security. Many companies currently outsource components of their businesses to third parties. The Ernst & Young survey reported that only 45% of respondents included specific IT security requirements in their contracts with outside organisations, and that one-third didn’t review or assess how contractors were protecting their information.
Any slip by such a partner could give an attacker looking for a back door into the company the perfect opportunity to reach sensitive information, with both reputational and financial damage to the brand concerned as the result.
Photo caption: “High potential for financial losses.” Yvette du Toit