I have worked in a few companies in the past that have had extremely frustrated IT Directors or CIOs (Chief Information Officers) because they have had staff or executives that did not understand the need for data security. By this I mean CEOs and staff that did not understand the use of computers, or CEOs and staff that did not understand the need to carefully evaluate emails and websites they opened on their work computers. The term data security was not in their vocabulary. I am going to take the easier of these first, which I believe is emails and internet sites.
One organization that I worked for had an extremely intelligent developer who was not born in the United States and had a very difficult time communicating in English. He could make the software do anything we wanted, but communicating with the staff was not easy for him or for the staff trying to understand his directions. Thus, we ended up with many issues of staff opening up phishing emails that contained malware. This developer was not the “IT Director” but was the closest person to that job description in the company. He mainly worked with the processing applications, although he was responsible for the network administration; in other words, he was overloaded. Since application processing brought in the revenue, security received the short end on the time line. It was not that this IT Director did not know how to do these tasks; it was that there were only 24 hours in a day and 7 days in a week. Yes, he did work round the clock.
Thus, you could always tell when someone opened a phishing email, as the groans could be heard all over the cubicle floor. The buck was passed from one staff member to the other until it ended up with me being the person calling the IT Director to report a virus or worm intrusion, since I was the Claims Manager. This would shut down all work until the IT Director could effectively deal with the problem. Sometimes it would take 15 minutes, other times several hours. The one thing that never seemed to occur to the owner and his two personal confidantes was the amount of money it was costing for this to occur. I approached the COO once and explained that maybe it would be better if we hired an outside administrator to deal with these issues and to upgrade the security system. It basically got a shrug. Since it really was not in my venue, I thought it best to leave the subject alone. The security in this environment was so lax that even the telephone system had been hacked. This occurred before my tenure with the firm. However, when it came up in discussion one day, the COO seemed not to be concerned at all. It was then I realized that security was just not a priority here. The other scary thing about this firm was that they took credit card payments over the phone. They were storing data for recurring payments after a policyholder called in, including the CVV number, and they had very little security on their servers. I often wonder what, if anything, this firm has done regarding security since all of the financial breaches of late. They are either a prime target or they have been hacked and just don’t know it yet.
The other organization revolved around an elderly man who started an insurance organization with no background in the business whatsoever. On top of that, he had never turned on a computer, much less used email. All he knew was that he needed a computer system (cheap) “…because that was what you needed to run an insurance company”. Thankfully, he had hired a wonderful IT Director who did understand the need for a good system and good data security. This firm also took credit card payments where information was stored.
As the CEO/COO of the company, it was up to me to constantly explain why money needed to be spent to make certain that systems were secure and current. This is a rather difficult position to be in when the person you are dealing with does not understand the business or computers and their function. Gratefully, most of the executives you will deal with will at least know the business they are in, but many of them will not realize the importance of data security. They may have fundamental knowledge of their computer for basic tasks such as email and Microsoft Office, but they are not quite up to understanding the damage that can be done by opening an attachment on a phishing email. After all, the email came from the bank, right? It could have been their statement or a notice that there was a problem with the account. I am certain that we have heard it all, and I am not even a technical person. I was just the person that had to shut down all operations, put the emergency plan in place and get everyone on the phone to call key customers and tell them we were temporarily down and to call us if they needed assistance. Does this sound familiar? Well, if you are in this position, here are a few tips that might make a difference in your organization.
The first item I would suggest is that you make an analytical survey of time and money. In other words, get down to the basics. How much time do you spend repairing these types of problems that constantly recur because you do not have the financial wherewithal to either hire an outside network administrator or buy the products you need to stop the insanity of intrusions? Put all this down in a spreadsheet.
Also, it is not just time and money. What about the damage to the firm’s branding and reputation? Sure, you have time involved in cleaning up PCs and servers. But what about the possible loss of your intellectual property or the cost to your customer base? Look at Target. So far Target has spent $61 million in lawsuit-related settlements, not to mention the loss of customer base, brand loyalty, legal fees, notification fees to customers, etc. The Ponemon Institute does a yearly study and just published their 2014 study. It can be found on the IBM Global Website. This study takes 10 or 11 countries and shows the average cost of a data breach. Naturally the US has the highest cost per item because of our disclosure laws. The notification fees are staggering. This alone can bankrupt a firm. Will they survive? Only time will tell the final outcome for Target.
Okay, so now you have brainstormed all of these money eaters and you have quantified the costs. If you need help, go see personnel in your accounting department. Your CFO could turn out to be one of your greatest supporters. He or one of his staff can help you put figures to the more elusive items like the loss of customer base, etc. Make certain that you have hard numbers. Break your presentation down into two parts: the part where time and expense are involved, and the part where your elusive items are listed. The executive will be able to see what cash is flowing out of the company’s coffers right now compared to what could occur in the event of a major cyber breach. This should make him take notice. A CEO cares about one major goal: profit to his partners or his shareholders. If you can show him that the cost of placing security on your data is a risk vs. reward item, and that the risk is too great to not put security in place, you will have his attention. Make him understand the necessity of training for all personnel, including the C-level executives. We are all prone to make mistakes and open items or send items we should not. The importance of staff training cannot be overstated, and there can never be enough of it. Point out that the CEO and CIO of Target did not lose their jobs because of what they did but for what they did NOT do. This is also an opportunity to implement an Acceptable Use Policy. If you do not know how to compose a policy like this, stay tuned to our links, as I will be doing an article on this in the very near future.
Now is the time to present this issue. There is so much in the media every day about cyber-attacks that your firm’s management would almost have to be living with blinders on not to know about it.
I hope that this article made you think about this subject and moves you to take action if your firm is in this position.
Remember: Avoiding the disaster is cheaper than repairing it!