Many companies still fail to address rudimentary security issues. Despite budget pressures, they can't afford to ignore them much longer.
Bob Violino, CFO Magazine
March 1, 2009
On January 20, as President Barack Obama was being sworn into office in Washington, D.C., a little-known company called Heartland Payment Systems put out a press release announcing that it had discovered a serious data breach. So serious, in fact, that while the full extent of the damage is not yet known, some experts suggested it may prove to be the largest in U.S. history. Within a week, lawsuits were being filed against the company.
That was just the latest reminder that despite advances in technology and a bevy of new regulations intended to force companies to safeguard consumer data, data thieves are as clever — and busy — as ever. While information-technology budgets are under extreme pressure these days, information security may be one area that should escape the ax.
Security attacks are not lessening with the economic downturn; in fact, research shows just the opposite. The number of data breaches at businesses, government agencies, and educational institutions in the United States jumped by nearly 50 percent in 2008 compared with 2007, according to the Identity Theft Resource Center (ITRC), a nonprofit organization that supports victims of identity theft and broadens public awareness of the problem.
The ITRC says there were 656 breaches reported in 2008 — up 47 percent from the year before — exposing more than 35 million electronic records. (This data doesn't reflect the Heartland incident, which took place in 2008 but was announced this year and had yet to be adequately assessed as of press time.) The breaches took many forms and were perpetrated by both outsiders and insiders, but many shared a common trait: they were easy to pull off. A mere 2.4 percent of all breaches required the perpetrators to foil encryption or other strong protection methods; password protection was in place in fewer than 10 percent of the cases.
That suggests that many companies can significantly boost security and reduce their exposure by following basic and inexpensive measures. But even if your company has encryption in place (as Heartland did), don't rest too easy. "The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts," says Ken Dunham, director of global response at iSight Partners, a provider of threat intelligence services. "Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace."
The motivation for cybercrime is even higher during economic hard times. A January report by iSight says that the economic decline in the United States and around the world will significantly increase the risk organizations face from employees who are laid off, fear being laid off, or face some form of personal financial trouble that may lead some to consider insider crime.
"We've always faced information security threats. The difference is in the desperation that individuals are facing," says Tony Hildesheim, vice president of IT for Washington State Employees Credit Union (WSECU). "This adds a component of internal risk that may be underestimated."
Despite a reduction in its overall security budget, WSECU will continue to pursue a "defense in depth" strategy that provides a level of data and systems protection appropriate for each particular IT asset. The credit union is specifically looking at its E-mail management strategy in trying to bolster security and stem E-mail-based data leakage; networks, portable storage devices, and cell phones are also of particular concern.
But Hildesheim says the most significant improvement in security has been the institutionalization of an enterprise risk management committee composed of leadership from every line of business. "This is not a significant cost, except in time," he says, "yet it goes further in providing increased security awareness, and therefore improved security overall, than any tool we have implemented."
TouchTunes Music Corp., an interactive entertainment network that serves more than 30,000 restaurants, retailers, and other businesses in North America, is concerned about its ability to provide robust security in the current economic climate. "Securing all IT assets across the enterprise is a daunting task — too big, given the constrained budgets in this bad economy," says former CFO Philip Livingston (he left the company in January). The company has cut spending across all functions, including IT security. "The economy is bad, and we all have to share the burden," Livingston says.
Nevertheless, the company is deploying security tools that monitor systems and application usage and data access on a continuing basis, and provide detailed reports showing who accesses what information and what they do with it. "Further automation around systems that tighten loss control and improve systems efficiency is a priority," he says.
Despite the tighter budgets, data privacy and protection will be a major priority for TouchTunes in 2009. "No organization wants to be in the headlines for [a] data breach; it's a company's worst nightmare," Livingston says. "Data breaches continue to be a major concern in 2009, especially with the push toward virtualization and our networks being exposed to a wider variety of malware and hacking mechanisms than ever before."
A Role for GRC?
Although the arsenal of IT-security products is vast, some firms are finding value in tapping a category of software not usually associated with protecting data. Governance, risk, and compliance (GRC) software was first developed to help organizations track a host of regulatory requirements, such as the internal-controls provisions mandated by Sarbanes-Oxley. It has since expanded to many other areas (see "A Defining Moment," January), and now some firms see a role for it in IT.
GRC packages "seem to represent a natural progression for security professionals in order to benefit from a more integrated approach to risk management and compliance, versus a piecemeal approach that many have been taking until recently," says Livingston, who used GRC software at previous companies. "IT GRC technologies [offer] a unified platform to automate user access, process-level, and general computing controls."
Ken Schultz, CFO at CashNetUSA, a provider of online financial services, says that because his company offers financial services over the Internet, IT security "remains at the forefront of our thought process, so we can proactively protect our platform and customers." He declined to provide specifics about how CashNetUSA is securing its information assets, but says that "fortunately, our business continues to grow despite the current economic conditions, and as such our security budget has again increased in 2009."
That doesn't mean the company isn't looking for more-economical ways to provide security. One area of interest is open-source software, a category that few might associate with security but which is in fact providing a fertile ground for new products. For example, CashNetUSA recently deployed open-source Web-application firewalls and network-vulnerability scanners.
"We find that by staying in touch with the buzz and awareness in the open-source community, we don't have to be beholden to a certain vendor to acquire and implement the technology needed to be on the cutting edge of data security," Schultz says.
Bob Violino is a freelance writer based in Massapequa Park, New York.