

Firewall of Silence

Data security breaches are rampant, and costly. So why don't C-level executives talk about them?

April 1, 2008

When Société Générale revealed in January that it had lost more than $7 billion due to fraudulent trading activity, most of the headlines focused on "rogue trader" Jerome Kerviel, framing him either as a criminal or a reckless striver. His "perp walk" was eagerly anticipated by a horde of cameramen and his image was plastered on publications and Websites around the world.

Only later did questions emerge about the bank's role as an enabler, and even then scant attention was paid to the exact manner in which the bank's processes may have been at fault.

In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it's a major concern.

Your Data Is in the Mail — Literally
Perhaps they are wise to stay mum. Since January 2005, the Privacy Rights Clearinghouse has chronicled nearly 1,000 breaches totaling nearly 220 million electronic records (the actual number is much higher because in many cases the number of records lost, stolen, or otherwise at risk is unknown). In February alone, organizations as various as the Diocese of Providence, Long Island University, Tenet Healthcare, Lexmark International, and a Marine Corps base in Japan saw data compromised due to vulnerabilities that range from the predictable to the ridiculous: lost or stolen laptops, hard drives, and jump drives; malicious and recreational hacking; the actions of vengeful ex-employees; computers left unattended and subsequently used by unknown parties; even poorly glued envelopes that spilled their contents into the mail stream, thus exposing college students' Social Security numbers and other personal information to…well, who knows?

To date, the uncertainty over what exactly happens to misplaced or flagrantly misappropriated information has been the only bright spot for companies regarding computer security. Because plaintiffs have been unable to prove what, if any, damage resulted from their information falling into the wrong hands, their lawsuits have usually been tossed out of court.

That's not to say that companies aren't paying a price. Khalid Kark, an analyst at Forrester Research, estimates that companies pay $90 to $305 per record every time they must react to a breach. Given that a large company may see millions of customer records affected, the total tab could run into the millions or even billions of dollars.

Kark's cost-per-record figure comprises up to seven separate expenses. Nearly all companies can expect to pay about $50 per record for discovery and notification, a sort of baseline response that entails alerting legal counsel, informing customers (which 39 states now require companies to do), absorbing additional call-center volume, and possibly extending special offers or other perks as a peace offering. If a company agrees to pay for a credit-monitoring service, that can add about $30 per customer. Lost productivity, the impact of customer attrition, and the costs of meeting additionally imposed security and audit requirements (more common for companies in highly regulated industries) can add $40 to $150 per record. And fines imposed by the Federal Trade Commission or other agencies, plus other potential court-mandated costs such as restitution (rare to date, although ChoicePoint had to pay $5 million, or $30 per record) add up to another $115 per record.

In short, the fact that plaintiffs have been sent packing comes as scant consolation given the number of regulatory and industry bodies (notably in the payment-card industry) that can levy penalties. Christopher Wolf, a Washington, D.C.-based partner with law firm Proskauer Rose who works extensively on computer-security matters, says that highly publicized data breaches have had some impact, but not enough. "Many companies now 'get it,'" he says, "but far too many others have yet to get their arms around security. And they won't until C-suite leadership makes it a priority."

Even though computer breaches now carry a much more quantifiable price tag than in years past, that seems to have done little to galvanize senior executives. A recent survey conducted by The Ponemon Institute, although limited to one form of security, serves as a useful proxy for prevailing attitudes. Asked whether senior management regards access management — a term that describes the governance procedures surrounding which employees have access to what types of information — as important, 74 percent of the nearly 700 IT and security personnel who responded said no. A majority (57 percent) also said that much-needed collaboration across business units, audit/compliance departments, and IT departments is not being achieved.

Access management may sound arcane, but in truth it's a simple concept that often lies at the heart of security breaches. At Société Générale, for example, "it was a classic case of an employee changing roles," says Brian Cleary, vice president of marketing for Aveksa, which sells access-management software. "Kerviel moved from a back-office job to a front-office position, and brought all his former access rights with him." As Scott Crawford, leader of the security and risk-management practice at analyst firm Enterprise Management Associates, puts it, that allowed him to "manipulate IT systems, with worldwide repercussions."
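The role-change failure described above can be caught by a routine access review that compares what an employee actually holds against what their current role justifies. The following is an added example, not code from the article or from any vendor named in it; the role catalogue, entitlement names, segregation-of-duties pairs and users are constructed sample data.

```python
# Added example: flag entitlements carried over from a previous role and
# segregation-of-duties conflicts they create. All names below are constructed.
from dataclasses import dataclass, field

# Hypothetical role catalogue: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "back_office_ops": {"settlement.read", "settlement.write", "trade.confirm"},
    "front_office_trader": {"trade.book", "market_data.read", "position.read"},
}

@dataclass
class User:
    uid: str
    current_role: str
    entitlements: set = field(default_factory=set)

def excess_entitlements(user):
    """Entitlements the user holds that the current role does not justify."""
    allowed = ROLE_ENTITLEMENTS.get(user.current_role, set())
    return sorted(user.entitlements - allowed)

def toxic_combinations(user, pairs):
    """Segregation-of-duties pairs for which the user holds both halves."""
    return sorted(p for p in pairs if set(p) <= user.entitlements)

def review(users, sod_pairs):
    """Run the review over all users; return findings keyed by user id."""
    findings = {}
    for u in users:
        excess = excess_entitlements(u)
        toxic = toxic_combinations(u, sod_pairs)
        if excess or toxic:
            findings[u.uid] = {"excess": excess, "sod": toxic}
    return findings

# Constructed sample: booking and confirming the same trade should be separate.
SOD_PAIRS = [("trade.book", "trade.confirm")]
# u100 moved from back office to front office and kept the old rights;
# u200 holds only front-office rights.
SAMPLE_USERS = [
    User("u100", "front_office_trader",
         {"settlement.write", "trade.confirm", "trade.book", "market_data.read"}),
    User("u200", "front_office_trader", {"trade.book", "position.read"}),
]

if __name__ == "__main__":
    for uid, finding in review(SAMPLE_USERS, SOD_PAIRS).items():
        print(uid, finding)
```

A real review would pull the role catalogue and current grants from the identity store and run on every role change, not only on a schedule.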


Reader Comments

  • Neal OFarrell

    Apr 21, 2008 4:12 PM ET

    Still no Culture of Security

    Until all levels of management realize that employee security awareness needs to be as second nature as being polite to … more
