With cyber security threats on the rise across the globe, businesses are beginning to pay attention to how data security compromises will adversely affect their bottom line.
Breaches come in many forms and are committed for a variety of reasons. Activist hackers may attack a company's or an industry's network intending to embarrass or expose, with no interest in corporate espionage or further criminal acts. Yet public confidence in their target, say, a hospital or clinic, will be significantly eroded when its patient lists are posted on the Internet.
The threat the US government is most focused on comes from foreign intelligence agencies. During my time at the Pentagon, our systems were under attack for weeks by an unknown adversary. And just last month, the Justice Department charged several Chinese military officers with hacking systems in the United States, with more cases in the works involving attacks originating from Russia, Syria, and Iran. Whatever the target, foreign nations show no sign of slowing the pace of intrusions, against national security and business systems alike.
The liability exposure from such data breaches is becoming more severe. Even when the company “wins,” it does so only after suffering great financial and reputational loss. For example, the Eisenhower Medical Center spent over three years in court before a judge determined that no medical information was attached to the stolen data set covering half a million patients. At $1,000 in liability per patient, Eisenhower had been facing a half-billion-dollar loss in court, and the case is expected to be appealed. Had a simple cyber security review been carried out before the theft, it would very likely have caught that the file was stored unencrypted. A policy of recurring security reviews is a modest measure that can reduce, or perhaps eliminate entirely, a potential liability.
Even in a best-case scenario, a data breach can trigger an obligation to notify every individual whose data was compromised. Depending on how many people are involved and how old the records are (older records mean more work locating people's current addresses), a straightforward-sounding notification can cost millions, on top of the reputational damage.
Insider threats pose even greater jeopardy. A suit stemming from an outside criminal attack at least lets the company argue that it was the victim of a crime it failed to prevent; there is zero sympathy from consumers, the public, or a jury when the breach comes from inside. And intentional attacks by knowledgeable employees can be especially crippling. The United States Secret Service investigated a breach at EnerVest, an oil and gas company, which was paralyzed for an entire month in 2012 and permanently lost its backup data. The Secret Service ultimately charged a company network engineer, who now awaits sentencing.
Companies are seeing the damage in financial terms outside the courtroom as well. In a 2011 study that examined data breaches across various industries over a ten-year period, researchers found abnormal negative stock returns following the announcement of a breach. Unlike most “bad news” incidents, which blow over after a few days, the research shows persistent negative returns over several years for the breached companies.
The study's most interesting finding was that the market punished companies hardest when the attack could have been avoided with reasonable precautions, likely a vote of no confidence in that company's leadership.
To counter these increasing threats, companies need to shift their cyber security focus. Many companies place responsibility for cyber security with IT or even an in-house corporate security office. They may wish to rethink that, for example by placing responsibility for securing their financial records with the individual who has traditionally been accountable for them: the Chief Financial Officer.
Beyond protecting the financial records themselves, there is a training aspect to cyber security that goes past purely technical efforts. For example, every company should train its executives and employees in some simple measures, such as throwing away, rather than plugging in, the free flash drives handed out at trade shows, a well-known way to deliver malware. Such attention to human behavior is the strong suit of neither IT nor Human Resources, but it can help avoid wholly unnecessary breaches that threaten the financial soundness of the company or organization.
The increasing damage caused by cyber attacks, to the reputation of the company, to the perceived competence of its executives, and to the company's financial health, is a warning to American businesses of all sizes: take measures now, or suffer the consequences of an inevitable breach later.