Information Technology Risk Management
Matt Atkins, June 2012
The way in which companies do business has changed immeasurably in the past decade, with the advent of mobile computing, social media and ‘the cloud’. Businesses now deal with customers, clients and employees on an entirely new level. At the same time, the prevalence of ‘hacking’, cyber crime, and state-sponsored industrial espionage has soared, as the same technology that streamlines business practices is exploited. Faced with increasing and ever-changing risk exposures, businesses must update their policies, programs and attitude to IT risk management.
The growing threat
Breaches of data security are now a common occurrence, with the media regularly carrying stories on high profile cases involving ‘hacktivists’, crime syndicates, state-sponsored hackers and even employees. Opportunities for large gains fuel the criminal element. Penetrating business networks offers a great way to draw attention to the causes of political activists. In the past year, attacks by the hacker groups Anonymous and LulzSec against government and corporate sites received worldwide attention. But while attacks on larger organisations make the news, cyber threats to smaller firms across a broad range of industries occur daily and are equally damaging. All businesses are at risk and each organisation has at least one source of targeted data – be it bank account details, medical information or social security numbers.
But while the risks are widely reported, in some quarters of the corporate world, the message is not getting through. “The threat to corporate data in many respects is well-known to the public through the media’s reporting of data breaches involving personal information or denial of service attacks,” says Wayne Matus, a partner at Pillsbury Winthrop Shaw Pittman LLP. “Less known are the thefts of intellectual property by sovereign states and organised crime. Many companies are taking these threats seriously. Others are not.” Some organisations simply refuse to believe that they are targets for cyber attackers, but with the IT landscape shifting at a tremendous rate, they must alter this mindset and approach IT threats as the ‘new normal’.
To shy away from IT risk exposures is to invite the inevitable consequences of a security breach. And such disruption will likely originate from within the firm. Internal threats are a key concern. Data theft spiked in the years after the recession as rogue employees, anxious about their job security, relied on inside information to secure work with other firms. Sales of confidential data to organised groups also rose in this period. The ease with which staff members at some firms can obtain sensitive material leaves businesses open to such crimes. The majority of such data breaches were carried out via the employer’s email system and, astonishingly, went undetected by IT security systems. “Outsiders want in and will target the weakest link in the security chain – the employee – with phishing attacks and other malware,” says Jamie Bouloux, an Underwriter and Network Security Product Leader at Chartis. “No matter how robust an IT system, once a cyber criminal gains a backdoor entry it becomes much harder to remove the threat as detection is a lot harder.”
When IT systems are compromised, the financial costs can be phenomenal, though they vary by the amount and type of data that is taken, and the industry of the affected company. On average the cost of a US data breach in 2011 was around $5.2m. However, the April 2011 hacking of Sony’s PlayStation Network cost the company more than $171m, with potential further costs to cover investigations, compensation, lost business and additional data security investments.
Financial losses are often not the only result of a security breach. If IT security is found wanting, a firm will inevitably suffer a blow to its reputation. While it is difficult to calculate the reputational damage a data breach could inflict, clients and consumers whose data is stolen will often shift their business to a rival firm. Breaches can lead to a dive in share prices as concerned investors seek to offload their stock. Shareholders may also be inclined to initiate class actions against the organisation.
In this respect, the growing use of social media and mobile devices within firms represents an additional reputational threat. While social media provides businesses with a means of communicating with interested communities, the risk of employees exposing confidential company or customer information cannot be ignored. The conduct of employees, broadcast on social networking sites, can also damage the public image of a firm. The reputational threat cannot be emphasised enough. Companies that fail to salvage a damaged reputation risk going out of business or facing sale to a competitor.
In addition to the financial and reputational risks involved, the loss of trade secrets is a major concern. Cases of theft involving intellectual property and commercial secrets are on the increase. While organisations have always dealt with such threats, the issue is becoming more critical in the digital age. The effect is loss of sales when competitors copy IP and compete on the same terms.
Commonly, such crimes are conducted when employees sell secrets for financial gain, or take data with them to a new employer. A recent high profile case involved Dow AgroSciences. In December 2011, Kexue Huang, a former researcher for the firm, was sentenced to an 87-month prison term for delivering trade secrets to individuals in China and Germany. This case also highlighted a further cause for concern – that of state-sponsored IP theft. Much of Dow’s data was found in the hands of universities with strong links to the Chinese government. Indeed, a 2011 intelligence report presented to the US Congress named both Russia and China as engaged in stealing US corporate secrets. “We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace,” the report stated.
External attacks on IT infrastructure, with the intention of gaining company data, are an increasing occurrence. In March 2012, two UK citizens appeared in court charged under the Computer Misuse Act and the Copyright, Designs and Patents Act. It is alleged that they accessed and downloaded thousands of music tracks from the Sony Music catalogue. “External threats have grown more alarming,” suggests Mr Bouloux. “In the Sony breach, hackers gained access to Michael Jackson’s entire catalogue and downloaded over 50,000 music files, worth over $250m. With large information assets at stake, senior management cannot absolve themselves of the responsibility to protect this information. Ultimately it is on the board of directors to make sure there is strong corporate governance to protect this intellectual property.”
Tackling the risk
It is clear, then, that IT exposures can have severe repercussions. They can impact shareholder value, tarnish the brand and expose the company to litigation. Despite this, some firms have been slow to recognise the risks. Dissatisfied with the steps thus far taken to protect data assets and intellectual property, governments have begun to implement a raft of legislation at the federal and state levels. The US Department of Health and Human Services has, for instance, responded to a number of serious breaches in patient data privacy by tightening its oversight and imposing fines on healthcare providers that did not adequately protect patient data privacy. Broader efforts to tackle risk exposures have also attempted to deal with the IT issue. “In the US, the most significant development is the promulgation of guidance by the Securities and Exchange Commission of risk disclosure requirements as part of financial reporting,” says Mr Matus. “In the EU, the adoption of US style breach disclosure requirements has been significant as has been their extraterritorial reach. The law has not affected criminals much. Few are prosecuted and sentences are light.”
Since 1995, European data security has been governed by the EU Data Protection Directive, which sets out guidance on a range of issues including the notification of customers when their data is collected. A January 2012 redraft gives regulators authority to assess higher fines and penalties. Arguably, the drive to protect data security and consumers is led by the US and Europe, with the result that the rest of the world is being forced to fall in line. In order to conduct cross-border commerce with Europe and America, data protection legislation and effective regulatory oversight are works in progress in jurisdictions across the globe.
On the whole, though, executives are becoming more conscious of the threat. Board-level awareness of cyber risk is at an all-time high and prevention and response procedures are improving from manager to board level. But while many companies are taking IT threats seriously, others are not, and in all cases, more can be done. Ironically, perhaps, many breaches of IT security can be addressed with the most basic of provisions. Exposures can be minimised if security patches are updated as necessary, preferably on an automatic basis. Firewalls and antivirus software should be installed and set up appropriately. Sensitive information should be encrypted. A rigorous incident response program is a must, and regular test exercises will certainly prove beneficial. Examining the operations and security measures of competitors can also help highlight and plug any security gaps. Staying ahead of the competition will make companies a less desirable target. At the same time, sharing information with rival firms is an important step toward creating a stronger IT environment across the board.
The risks brought by new technologies must also be seriously considered. Although new systems and software can streamline business procedures and open new sources of revenue, they also create new exposures. As companies embrace ‘the cloud’, for instance, protecting sensitive customer and financial data becomes more difficult. “The true threat to IT security is related to the velocity at which data is reproduced, and the willingness of organisations to post that data in the cloud – across jurisdictions – for collection, storage and even manipulation,” says Mr Bouloux. “Reproduction and sharing of data makes it very difficult for IT specialists to track all internal and external threats. Internally, mitigating employee vulnerabilities – rogue or otherwise – used to be the most eminent threat to IT security. However, mitigating the quantity of data that external threats are able to extract from organisations and setting up early warning breach detection systems are two of the top priorities companies need to look at as they evaluate their IT security initiatives.”
No matter what security measures are put in place, however, the human element remains a weak point. Malware embedded in email links, downloads from disreputable websites, and the relaying of online content such as YouTube videos, present risks even in an environment where the corporation has created excellent policies and procedures. To tackle this, a culture of awareness and compliance is imperative. Active threats from within must also be contained.
The abuse of email systems can be countered and employee access monitored. Where monitoring detects abnormal traffic, remedial action must be taken. When an employee is leaving the firm, their access to the system should be cut before they walk out of the door for the last time. All devices, keys and information must be retrieved. These policies must apply to all workers, including, and especially, those on contract.
Even the most robust of policies may not stop the flow of data, but this does not make such policies redundant. Their deployment will aid when an employee comes under suspicion of theft. “Employment policies are not going to stop a thief, but they are important for the prosecution of dishonest employees as the lines of unauthorised behaviour can be clearly drawn,” Mr Matus explains. “Perhaps better background checking would help. But, that is not a solution. Data leak protection can help. Access restrictions can help. Encryption is important. There are many technical tools that are helpful.” No system can be 100 percent secure, however.
Directors must come to understand the problem, ask the right questions, add necessary talent where appropriate and consult with outside advisers if the need arises. Boards must remain aware that the IT department is responsible for only half the battle. They must understand that IT risk is enterprise-wide and make it a more mainstream part of the risk management practice. A sound security program will count for little if a culture of compliance and awareness is not nurtured. Without covering areas such as human resource practices and vendor management, an organisation is susceptible to exploitation.
IT risk will only increase in the coming months and years as newer technologies are introduced, bringing their own individual risks and challenges. Companies reliant on computer networks must therefore prepare for a much more dangerous business environment. Believing that security measures will protect the firm from IT exposures is a mistake. Preventative controls will invariably fail, and the corporate world must place more emphasis on detection. To maintain maximum security, businesses must operate under the assumption that unauthorised users are accessing the company’s IT environment on a daily basis – that they are no longer under siege, but are under attack.