For the most part, your senior management understands the necessity of running a secure company, reports Angela Moscaritolo.
When a barrage of distributed denial-of-service attacks affected online advertising company Direct Agents earlier this year, CEO Josh Boaz (left) found himself dealing with something that, until then, was low on his awareness list: the risk of cybercrime.
The attack, aimed at one of the company's service providers, crippled Direct Agents' network, preventing the New York-based firm from delivering advertisements. As a result, business faltered for several days.
Since Direct Agents opened in 2003 with just three employees, the popularity of online ads has skyrocketed, allowing the company to greatly expand its personnel roster, but also making the business a bull's-eye for hackers.
“Security has not always been at the forefront,” Boaz says. “For a small company, we never thought we could be a target.”
But they were. And Boaz, as the company's leader, recognized that it was up to him to highlight the importance of investing in digital protection.
Even at small companies, information security is on the minds of CEOs more and more in this age when data breaches and cyberattacks regularly make their way into the public eye. While in the past, information security was the responsibility of one department, today it's being integrated into the very fabric of business at many organizations, says Jon Gossels (right), president and CEO of IT security consultancy SystemExperts.
“Gone are the days when information security was solely confined to the trenches of the IT department,” agrees Pat Clawson (left), chairman and CEO of vulnerability management vendor Lumension.
Trickle down effect
For CEOs, this requires running a company that can protect its customer and employee information and safeguard its
own intellectual property. Also, CEOs increasingly face pressure from their boards to ensure information is being safeguarded, Gossels says. Boards are holding senior management accountable.
This holds true for Gregory Mils (right), president and CEO of Colorado-based Aventa Credit Union, which has 54 employees and an IT staff of four.
Mills says information security is an essential business need that goes hand-in-hand with being financially secure. “Being financially safe and sound – that's a no-brainer for a financial institution,” Mills says. “But we also need to make sure we are all responsible for maintaining the security of member information.”
Mills says that Aventa Credit Union's board has helped make information security a priority by including it in the company's business plan. “Technology enhancements and security is part of a directive from my board,” Mills says.
CEOs understand the importance of information security, but there are some who still do not believe it is an essential business need, according to an SC Magazine/CompTIA survey of 100 CEOs released last November. In the survey, 68 percent of CEOs said they believe that information security is an absolute necessity to protect a company's data. Seventeen percent, however, said it is a desirable, but optional investment, while another 15 percent said information security isn't important at all.
Still, compared to the findings of the 2004 Ernst & Young Global Information Security Survey, in which a mere
20 percent of respondents strongly agreed that information security was a CEO-level priority, it seems that information security is gaining more support today from top-level executives than it has in the past.
A majority of CEOs at large organizations understand the importance of information security and are spending money and allocating resources to deal with it appropriately, Gossels says.
Kevin Lowdermilk (left), CEO of Exostar, which provides collaboration solutions to the aerospace and defense industries, concurs. “It's definitely more on the forefront today than it has been,” he says.
Many small companies, however, don't even have full-time IT staff, so information security often is not as high up on the CEO's priority list. It's likely that top executives of small businesses are currently more focused on trying to survive the economic downturn than on information security endeavors, says Bob Carr (right), chairman and CEO of payment card processing firm Heartland Payment Systems.
But, as Boaz learned, nearly every company – even one with just 35 employees – can be the target of a cyberattack. The recent attacks that Direct Agents suffered have ratcheted up Boaz's awareness of the importance of information and cybersecurity, he says. “We don't want to have a situation where any of out clients' data is breached.”
While CEOs might be keen on the dangers of cyberthreats, they are often more confident than perhaps they should be about their organization's ability to prevent data breaches, according to a study released in July by the Ponemon Institute and software security vendor Ounce Labs. In addition, CEOs are often less aware of data breaches that have occurred, the study found.
“For the modern enterprise, information security has become a hot-button issue, especially following some very high profile data breaches that resulted in millions of dollars in fines and major damage to their corporate brand,” Lumension's Clawson says.
One incident that illustrated the necessity of information security for many CEOs was the 2006 theft of a laptop from the home of a U.S. Department of Veteran Affairs employee, says Todd Fitzgerald (left), senior technical compliance adviser at National Government Services, an organization that administers Medicare contracts and processes claims. The personal information of some 26.5 million veterans and active military personnel was breached.
“That particular incident could have happened to a lot of companies,” he adds. “The scale of the loss caught the public attention, and a lot of CEOs around the country paid attention to that and didn't want that to happen to their own organizations.”
Big company, big risks
More recently, it was revealed that Carr's 3,000-employee Heartland Payment Systems suffered what is believed to be the worst breach ever reported, with some estimating that hundreds of millions of credit card numbers were stolen. The Heartland breach – which has so far resulted in 28 class-action lawsuits filed against the company, more than $12 million in losses and a near-immediate 50 percent drop in Heartland's share price, not to mention negative publicity – also serves as a signal for those still oblivious to the importance of information security.
“I would think fewer and fewer CEOs are [ignoring information security] at this point,” Carr says.
Despite the breach, security has always been the number one priority for Heartland's 325-person IT department, which boasts 15 full-time security employees, Carr says. At Heartland, information security funding is driven by the desire to prevent another breach and Carr adds that he doesn't remember a time when he turned down a request from his security team for a capital expenditure on information security. In addition, Carr says he believes security can provide added incentives.
“Businesses that take credit cards, if they can reduce their risk of being compromised, it is a return on investment,” Carr says.
Aventa Credit Systems' Mills agrees, noting, “The cost of avoiding a data breach is worth its weight in gold.”