In a recent media release, we announced that based on the numbers, the main reason companies fail to adequately protect customer data is a fear of productivity loss. The announcement received broad exposure because of its clear message: the real concern for corporate leaders and decision makers is the impact an audit can have on company operations. Weighed against the theoretical risk of an unspecified security breach, the decision process is heavily weighted against following basic security best practices.
But that’s not the whole story. There’s a problem with ROI driving security investments and that’s the simple fact that companies control data they don’t own. They have no claim to personal information, their employees’ private data isn’t their own and the impact of compromising the confidential information in their custody should rightfully be severe – and they know it.
But they also know that enforcement in Canada is lax at best. Privacy commissioners have no legislative powers to prosecute and with few sectoral exceptions, there is no law that forces companies to disclose breaches. If breach notification becomes an ethical decision, then companies are left to notify customers because they feel bad for them, not because they need to help them to regain control of their compromised assets as soon as possible to avoid potentially catastrophic impact.
And most companies do feel bad when they discover a breach. They feel bad for their compromised reputation, for damage to brands that took years, perhaps decades to build. They feel bad about having to shell out money to correct problems and repair damage. And they of course feel bad for their customers, members and subscribers who are the real victims in most security and privacy breach situations.
No one likes to feel bad, so how do some companies choose to deal with the problem? The same way it is dealt with in unregulated industries: by ignoring it. “Not investing in anything more than basic firewall & antivirus technology is a great way to save money and avoid finding out about unpleasant compromises we’ll be morally forced to do something about” they say, breathlessly arguing that the same money could be far better spent on growth, rewarding loyal investors at the relatively minor risk of upsetting faceless customers.
There’s no return on not investing in security
Cynical? Perhaps. But these are extreme cases. We see them in newspaper headlines and press releases published following privacy commissioner investigations. You could spend an afternoon reading through the various infractions posted for the world to see. In an odd way, the decision to eschew risk management best practices as simple as a check-up to determine severe vulnerabilities, in favour of investing in services and technologies that effectively prevent breaches, is perfectly rational. Risk itself is defined as the chance of something negative happening, while investment is a forward-looking, positive development that is driven by strategy. “So we’ll take our chances,” they say… even as their U.S. counterparts, despite their own problems with a largely broken system of surveillance and privacy laws, reap the benefits of investing in sound security practices including:
- risk assessments and vulnerability assessments
- intrusion detection systems
- software code reviews
- independent audits of practices
- reviews of policies related to sensitive information
- policy enforcement spot checks
- self assessments based on industry standards
- live security and privacy awareness sessions
Basic stuff, and your company may already be doing some of this. But by and large, companies need to have a strong reason to spend – read: invest – the money.
U.S. companies feel the pain of breaches. According to the latest Ponemon report, remediation costs are over $200 per compromised customer record, and on top of that come financial penalties from industry associations and government agencies, the likelihood of class action lawsuits, productivity issues and business interruptions. And that’s not even counting the reputational impact: the damage to their powerful brands and their good name. That’s where it hurts the most. Last year’s monumental Target breach was a game changer for everyone involved, but it also brought to light the reality that customer trust is as intangible as the personal information companies are entrusted with. Once that data is compromised, it can’t be undone, but customers now have recourse beyond the legal system. They can revoke their trust.
By voting with their wallets, millions of customers hit Target where it hurts the most: in its bottom line. So even though the company lamented early costs of less than $20 million (covered by insurance anyway), that’s nothing but a drop in the bucket compared to the final tally that might see them face penalties of $1.1 billion after a 46% drop in revenue this quarter alone. Even in Canada, the chain has lost $1B due to factors not entirely related to the breach, but certainly related to spending (duh) and the trust Canadians have in the brand.
Is it such a giant acrobatic feat of imagination for companies to consider the possibility that, had this breach not occurred, Target and other companies would have retained the trust that would have kept shoppers spending during the critical Christmas season, usually a boon for retailers and a large percentage of annual revenue? Of course not. They know it.
Certainly, U.S. companies have a nice continuum of legislation > enforcement > compliance > investment > risk visibility > risk mitigation that translates into untold opportunities to extol the virtues of their customer protection strategies and other marketing vehicles for growth. We may not have those same regulatory catalysts, but shouldn’t Canadian companies take advantage of the visibility they have across borders? Granted, this perch is not altogether lofty, but it has so far been adequately protective. That protection is vanishing, however, as customers on both sides of the border re-evaluate their trust relationships with big brands in the retail, banking, transportation, telecom, IT and Internet sectors. And when lower tides affect all companies in these sectors, Canadian companies need to make tougher decisions than simply buying ineffective, off-the-shelf products.
The message is clear: Invest in the tools and technologies that provide visibility into risk, with the potential of discovering vulnerabilities and breaches … or continue to ignore trends and opportunities towards risk maturity and bear the brunt of the consequences.