Print this article | Return to Article | Return to CFO.com
Data security breaches are rampant, and costly. So why don't C-level executives talk about them?
Scott Leibs, CFO Magazine
April 1, 2008
When Société Générale revealed in January that it had lost more than $7 billion due to fraudulent trading activity, most of the headlines focused on "rogue trader" Jerome Kerviel, framing him either as a criminal or a reckless striver. His "perp walk" was eagerly anticipated by a horde of cameramen and his image was plastered on publications and Websites around the world.
Only later did questions emerge about the bank's role as an enabler, and even then scant attention was paid to the exact manner in which the bank's processes may have been at fault.
In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it's a major concern.
Your Data Is in the Mail — Literally
Perhaps they are wise to stay mum. Since January 2005, the Privacy Rights Clearinghouse has chronicled nearly 1,000 breaches totaling nearly 220 million electronic records (the actual number is much higher because in many cases the number of records lost, stolen, or otherwise at risk is unknown). In February alone, organizations as various as the Diocese of Providence, Long Island University, Tenet Healthcare, Lexmark International, and a Marine Corps base in Japan saw data compromised due to vulnerabilities that range from the predictable to the ridiculous: lost or stolen laptops, hard drives, and jump drives; malicious and recreational hacking; the actions of vengeful ex-employees; computers left unattended and subsequently used by unknown parties; even poorly glued envelopes that spilled their contents into the mail stream, thus exposing college students' Social Security numbers and other personal information to…well, who knows?
To date, the uncertainty over what exactly happens to misplaced or flagrantly misappropriated information has been the only bright spot for companies regarding computer security. Because plaintiffs have been unable to prove what, if any, damage resulted from their information falling into the wrong hands, their lawsuits have usually been tossed out of court.
That's not to say that companies aren't paying a price. Khalid Kark, an analyst at Forrester Research, estimates that companies pay $90 to $305 per record every time they must react to a breach. Given that a large company may see millions of customer records affected, the total tab could run into the millions or even billions of dollars.
Kark's cost-per-record figure comprises up to seven separate expenses. Nearly all companies can expect to pay about $50 per record for discovery and notification, a sort of baseline response that entails alerting legal counsel, informing customers (which 39 states now require companies to do), absorbing additional call-center volume, and possibly extending special offers or other perks as a peace offering. If a company agrees to pay for a credit-monitoring service, that can add about $30 per customer. Lost productivity, the impact of customer attrition, and the costs of meeting additionally imposed security and audit requirements (more common for companies in highly regulated industries) can add $40 to $150 per record. And fines imposed by the Federal Trade Commission or other agencies, plus other potential court-mandated costs such as restitution (rare to date, although ChoicePoint had to pay $5 million, or $30 per record) add up to another $115 per record.
In short, the fact that plaintiffs have been sent packing comes as scant consolation given the number of regulatory and industry bodies (notably in the payment-card industry) that can levy penalties. Christopher Wolf, a Washington, D.C.-based partner with law firm Proskauer Rose who works extensively on computer-security matters, says that highly publicized data breaches have had some impact, but not enough. "Many companies now 'get it,'" he says, "but far too many others have yet to get their arms around security. And they won't until C-suite leadership makes it a priority."
Even though computer breaches now carry a much more quantifiable price tag than in years past, that seems to have done little to galvanize senior executives. A recent survey conducted by The Ponemon Institute, although limited to one form of security, serves as a useful proxy for prevailing attitudes. Asked whether senior management regards access management — a term that describes the governance procedures surrounding which employees have access to what types of information — as important, 74 percent of the nearly 700 IT and security personnel who responded said no. A majority (57 percent) also said that much-needed collaboration across business units, audit/compliance departments, and IT departments is not being achieved.
Access management may sound arcane, but in truth it's a simple concept that often lies at the heart of security breaches. At Société Générale, for example, "it was a classic case of an employee changing roles," says Brian Cleary, vice president of marketing for Aveksa, which sells access-management software. "Kerviel moved from a back-office job to a front-office position, and brought all his former access rights with him." As Scott Crawford, leader of the security and risk-management practice at analyst firm Enterprise Management Associates, puts it, that allowed him to "manipulate IT systems, with worldwide repercussions."
Larry Ponemon, chairman and founder of The Ponemon Institute, a research firm specializing in privacy and security issues, says that if nothing else, the massive losses suffered by SocGen "have focused companies on who the 'bad guy' might really be."
To date, Ponemon says, companies have aimed most of their efforts at external threats — "hardening the perimeter," in security parlance. "In part that's because hacking attacks can be measured," Ponemon says, "so repelling them becomes a source of pride for information-security professionals."
The demands of the Sarbanes-Oxley Act have forced companies to think more broadly about access rights and related procedures that govern who can tap what sources of information.
By better controlling access rights, companies can limit employee access to information. Such control takes two forms: software vendors including IBM, Sun, CA, Netegrity, and others sell security software that acts as a gatekeeper, identifying and authorizing users. Aveksa adds an additional wrinkle, layering on top of such software a governance piece that matches an employee's role to the data or other resources he or she can access, essentially tackling the vexing problem of change management and auditability.
As critical as it can be to understand who can access data, a related matter that is now getting more attention concerns the actual data itself: Has it been changed or moved, and if so, when, to what degree — and, of course, by whom? Known as "database auditing and real-time protection products," this class of software (from vendors including Guardium, Imperva, Tizor, Symantec, IBM, Oracle, and others) is booming: Forrester Research predicts that it will grow from a $450 million market in 2007 to $900 million by 2010.
The primary reason is that many companies are now protecting not just a handful of databases that contain particularly sensitive information but all their databases, as compliance and regulatory requirements mount and security breaches become more common.
This software can, as Prat Moghe, founder and chief technology officer of Tizor, puts it, "tell you what's happening to the data: Is it encrypted? Who's looking at it? Who's modifying it or suddenly copying a lot of it?"
The software also addresses a key related question: Should the data even exist? "Do you need Social Security numbers or credit-card numbers, for example?" Moghe says. Companies are often — indeed, almost always — more adept at capturing information than managing it once they've got it, and that extends to purging what they don't need and are perhaps at risk for holding.
There are substantial technical differences between vendors, not to mention huge price differences between the data auditing utilities that a database company such as Oracle or IBM might include with its principal offerings (essentially free in some cases) and the more sophisticated products offered by specialty firms.
Parsing those differences can soon lead to the sorts of technology-intensive discussions that send C-level executives screaming from the room. Perhaps they should tough it out. "From a CFO perspective," says Jose Segrera, CFO of Terremark Worldwide Inc., a provider of IT infrastructure services, "there is so much attention on risk management coming from the audit committee that IT and data security have to be on your risk-management checklist." He points to the ISO 27000 family of security standards as one place that C-level executives might look for guidance. Wolf of Proskauer Rose suggests that companies look to current practices in the financial-services and health-care industries, where additional regulatory requirements have made them "the gold standard regarding what constitutes 'reasonable' protection of data."
"Slowly," says Moghe, "leading-edge companies are beginning to have the kind of systematic dialogue between IT, risk, compliance, and other departments that is essential to comprehensive security." Ponemon says that the burden, for better or worse, tends to fall on lower-level staff, who must develop a solid value proposition for security measures in order to win funding, and attention.
There is, however, a way to jumpstart that process. "Experience a disastrous breach," Ponemon says.
Scott Leibs is a deputy editor of CFO.