Before I begin, I’d just like to make one thing clear: I’m a marketer and a business owner – not a technical guru. So when I read headlines about hackers, cyber attacks and identity theft, my response is to understand whether my business is vulnerable and what I can do to protect it. Although I do have to admit, reading about how people hack into businesses also makes for compelling reading. Probably the most regular headline I see nowadays reads something like this: “60% of businesses fail after a data breach.” Each time I see the headline the percentage number seems to change, but its impact doesn’t.
So, why do so many businesses fail after an attack? The answer comes down to responsibility, confidence and trust: Customers lose confidence in a company after a security breach – their trust is eroded and they change their spending habits accordingly.
But is this really fair? I mean, why should a business be held responsible for the act of a hacker or cyber criminal? After all they are, basically, criminals.
The answer to this question comes down to the changing nature of the relationship between consumers and businesses. In the digital age, consumers like you and me are no longer asked to simply buy things from businesses; we’re asked to entrust our personal information to them. Our relationship is no longer purely transactional; it’s now very personal.
Twenty years ago, if a criminal were to break into a Target warehouse and pinch a van-load of boxer shorts, you’d still go to Target to buy your underwear. The theft wouldn’t have affected you personally, so you’d still feel comfortable buying from your local store.
But last year Target in the U.S. was broken into by cyber criminals. And they didn’t break into the warehouse, but into the company’s payment card readers. An estimated 40 million consumers who made purchases at Target stores had their credit and debit card numbers stolen; another 70 million customers also had their personal contact information – names, addresses and telephone numbers – compromised.
And this story isn’t unique. Inc. reported that “92% of businesses who had experienced a data breach said they lost personally identifiable information”, such as driver’s licenses, credit cards or Medicare details.
Forbes does a nice job of explaining why: “Hackers are not just nerdy teenage kids fooling around in their basements; they are sophisticated criminals trained to identify and exploit Internet vulnerabilities. Hackers look for information on your accounts and finances. They look for personally identifiable information. They try to use you as a tunnel into the systems of your suppliers and customers.”
So, they’re not after the merchandise; they’re after customers’ (that’s your and my own) personal information. This is why businesses are being held to account for the trust customers place in them, and that’s why business owners are under so much pressure to act responsibly.
For Target, the impact of this loss of trust was huge: the company’s profit dropped almost 50 percent in one fiscal quarter, and by more than a third for all of 2013. They spent $61 million to pay for legal fees, software updates, customer reimbursement and credit monitoring, and other costs due to the failure in cyber security, the Washington Post reported. Even the CEO resigned (although this was also due to the company’s less-than-successful expansion into Canada).
Fortunately for Target and its shareholders, despite the huge impact, the company didn’t go under – but only because it has the resources to deal with the fallout. Most small businesses do not.
So, that’s the ‘Why?’ question answered. The next question is, “How do I need to protect my business?”
The two key themes that are repeated in the security debate are identity management and data protection. Businesses need a comprehensive identity and access management strategy that will secure access to the data customers entrust to them. And this is so challenging because, with the cloud, the points of vulnerability are so pervasive.
Protecting the business starts by understanding every part of it, because personal information and data flow through every part of it.
Effective security requires a ground-up strategy because it needs to be embedded in each new layer of software and hardware that’s added to the business. But it also needs to be an end-to-end strategy because data and information flow from the data centre through the network to the applications and devices that are used on a daily basis.
An ongoing strategy, with workable policies and protocols on how to manage the identities of employees and protect data (which includes customers’ personal information), needs to guide your everyday behaviour.
Security strategies don’t end with the technology. They also require the participation of your employees, because it’s often their behaviour which creates the opening cyber criminals are looking for.
Educating employees is crucially important. Employees need to know about managing IT security risk and why it’s so critical to business survival. And they need clear rules on what they can and can’t do. These can sometimes seem inhibiting, or even offensive. But with a better understanding of why they’re so important, people are happier to cooperate.
Security is of such critical importance that developing a strategy to deal with it needs open consultation and careful planning with a technology partner that understands the entire challenge, not just some parts of it. And it needs company-wide participation.
As is so often the case with cloud-related issues, security turns out to be a core business challenge that demands that we rethink our responsibilities as business owners and leaders, not simply as IT decision makers.
Simon Steele is Marketing Director with XCentral. He’s also a company director and business owner.