In the last couple years, I’ve had a great opportunity to moderate numerous Webcasts on diverse subjects for CFO magazine. Many are illuminating, as was the one this past Monday, March 11th on data breaches. The panel was a Who’s Who of security experts, including Larry Ponemon from the Ponemon Institute; Simon Hunt, chief technology officer of endpoint security at McAfee; Michael Kaiser, executive director of the National Cyber Security Alliance; and Stan Gatewood, chief of information security and e-privacy at the University System of Georgia, which comprises more than 30 colleges and universities.
We’ve all been reading about those pesky Chinese hackers spying on our government and last year’s hacking of the CIA, of all places. If the CIA can’t button up its files, how can businesses, which experience thousands of unsuccessful hacking attempts each week (you read that right)? Just one that pries open the lid invites a horde of punitive federal and state regulations, and sets in motion a downward spiral that can doom a company.
Forty-six states have data breach laws that require organizations to notify anyone whose personal data may have been inadvertently lost, stolen or leaked. Massachusetts has the stiffest law on the books, stipulating a possible court-imposed civil penalty of $5,000 per violation. Multiply this by potentially thousands of affected customers and the costs become staggering. Now tack on the potential expenses to notify victims, monitor their credit card activity, pay for legal defense and judgments/settlements, and hire forensic security experts to determine the cause of the breach. Some companies must also retain a crisis management firm to offset the reputational risk.
These exposures are not confined to large enterprises. Any organization, no matter its size, is susceptible to them and to the regulatory burdens, and a smaller one may be even more vulnerable, given that hackers know it has scant resources to combat the problem. The perps aren’t all from the shady world of organized crime, either. Employees might resort to committing cyber fraud in the uncertain economic climate. Or they may simply make a mistake that inadvertently opens the books.
These eye-opening threats became clear during the Webcast. For all of my friends who missed the event, I thought this missive would help raise awareness in your organizations. Obviously, the threat of a data breach is growing as new technologies like the Cloud and mobility become more ingrained, as more employees are permitted to BYOD (bring their own devices to work, for work), and as the regulatory noose tightens. Failing to proactively prepare for it threatens the survival of any organization.