There has recently been a spate of data breaches and reported cyber-attacks. Epsilon and SONY PlayStation have lost data on millions; Amazon’s Cloud services were taken down; the RSA SecurID token was compromised; and the South Korean financial institution Nonghyup was reportedly attacked from North Korea. Meanwhile, Google’s offices in South Korea were reportedly raided by the South Korean police, looking for evidence that Google collected and shared geolocation data without the effective consent of users.
And yet, business goes on.
In an era where the COSTS of security and privacy can be readily measured, but the BENEFITS cannot, how do IT and risk officers encourage responsible data protection?
Consumers appear to care about privacy and security. When polled, they universally state that they want their data to be protected and that they want their privacy protected. And yet, when there is a data breach, with the exception of a few industrious class-action lawyers, most consumers continue to make purchasing decisions based on extrinsic factors. The College Board saw no real diminution in the number of people taking the SATs or AP exams as a result of the Epsilon breach. PlayStation sales will likely depend more on the next-generation PlayStation’s 3D graphics than on SONY’s privacy policies. This is not to say that such breaches are without cost. The SONY breaches (there were two) involve potentially 77 and 25 million data records. Even accounting for redundancy, if the cost of “repair” is a shockingly low $10 per record, we are conservatively estimating half a billion dollars in expense. That’s real money.
But investors are likely to punish SONY not for the breach itself, but for the cost of the breach.
Consumers seem unceasingly willing to forgive retailers for data breaches – particularly in the long term – if the retailer has a product or service that the consumer wants. Indeed, information security, while necessary, is seen as a cost or an impediment to progress. Privacy is as well. A secure company that respects privacy and forgoes collecting some personal information may be at a competitive disadvantage relative to others. Sure, it is in better shape if there are fines or enforcement actions, but those are very rare. So, in this environment, why pay for security and why implement privacy?
A Business Case for Security and Privacy
All too often, privacy and security are seen at best as mandates, and at worst as impediments to business. They are something you “have” to do, like taking medicine or driving the speed limit. Sure, it’s good for you, but in the scheme of things, it’s not going to get you the big promotion or bonus. That’s the wrong way to look at security.
At their core, security and privacy are ENABLING technologies. Cloud, mobility, and location services are all transformative technologies. We can access anything and everything from anywhere. Sensitive email finds us wherever we are. We can do online banking, brokerage, and communication. Collaboration can be done from workstations, iPads and smartphones. The pace of information sharing and data collection continues to grow exponentially. But NONE of these things can be done without effective security – not perfect security, not perfect privacy, but effective security. Authentication, access control, real-time monitoring, secure architecture, secure coding, forensics and incident response are all necessary conditions to enable any Internet-based technology. Just as elevator technology was necessary to enable the development of skyscrapers, security technology is essential to enabling cloud, mobility, Bring Your Own Device flexibility and a host of new products and services.
The lesson from these hacks and attacks is that security MUST be embedded in everything we do online. It cannot be “bolted on” afterwards. We must develop a “culture of security” where respect for privacy and understanding of risk are integrated into product development and design. The PlayStation began its life as a gaming device. It then became a gaming PLATFORM, permitting multiplayer gaming. From there it morphed into a communications platform, allowing users to talk to each other while engaged in game playing. Permitting in-game purchases once again changed the platform into a full-fledged e-commerce site, raising PCI and other privacy concerns. In the future, the addition of features like voice, facial or gait recognition, augmented reality, location enablement or a host of other features that could be added to a gaming platform would once again transform the nature of the platform itself. Security and privacy processes which were adequate for a stand-alone gaming device may not be adequate for the new network-enabled technology, and privacy concerns increase with each added feature.
With each new feature, companies must address these concerns head on. Regulators and lawmakers are looking carefully at the lessons companies take from these hacks and attacks, and remain wary of “industry self-regulation.” If industries do not act swiftly to protect the privacy and security of data in a meaningful way, regulators will step in. At that point, investors WILL take notice.