IT security in the early 1990's was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data must be shared, access to data is required from almost anywhere and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the internet boom has enabled an increasing number of people to cause more trouble than ever. Most organizations acknowledge that the impact of a security breach to the business results in financial expense.
It's going to cost how much?
Firstly, there are the direct and easily correlated costs such as replacing any lost or stolen devices; investing in, or strengthening existing IT security; and if necessary strengthening the building's physical security.
In August 2007, Monster had to take action when it discovered that con artists had mined contact information from resumes of 1.3 million people, and possibly many more -- Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes such as closer monitoring of the site and limits on the way data can be accessed.
It doesn't stop there
Some costs are harder to pin down, including the cost of contacting those whose records may have been exposed. Cost can include credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a result of their records being exploited.
Customer lawsuits can cause serious headaches for businesses that go far beyond reputation-slaying negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training and systems upgrades.
In the case of TJ Maxx's massive security breach recently solved, all affected customers were offered credit monitoring at company expense. Additionally the company disclosed that it has agreed to pay up to $24 million in a settlement with MasterCard. It also confirmed that it had to budget for various litigation and claims that have been, or may be, asserted against it or providing restitution on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the computer intrusion.
It runs deeper still
So what other concealed costs are there? There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.
There is the lost marketing investment when a brand is damaged. This is closely followed by the recovery costs in the form of future/increased marketing budgets to regain market position, rebuild reputation, etc. Imagine the continuing damage if the company's communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its “contact IKEA” function enabling them to send bulk outbound mail via IKEA's email servers. The potential damage to the company's reputation and possibility of email blacklisting could be significant.
There could even be the risk of employee's jumping ship as internal morale dives when they feel their loyalty is compromised if the company they work for makes headline news for the wrong reasons. Filling vacancies is a costly exercise.
Information assurance is business critical and for many organizations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement: “…we do not have enough information to reasonably estimate losses we may incur arising from the computer intrusion.”
Top ten tips on preventing a breach
1. Management sets the tone for their organisations by their own behavior. As such, good information practices are obligatory for all stakeholders, not just employees.
2. Be proactive – management should deal with information assurance issues proactively, rather than reactively as information assurance is far more cost effective in a preventative rather than a remedial context.
3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organizations.
4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
5. Information assurance is everyone's job and as such investments in training and awareness programs for all employees are critical.
6. Management should set out the company's expectations with respect to information assurance in clear, accessible policies.
7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
8. Investments need to be made in technology that will result in the secure transport and processing of information by the company's information technology assets.
9. Suitable best practices should be identified and implemented rather than ad hoc approaches.
10. Expert advice should be sought and used at all times to advise and oversee efforts in respect to information assurance from an experienced and objective third-party perspective.