TORONTO – A security breach that results in the loss of customer data could not only tarnish a company’s reputation but could also land the CEO in jail.
Privacy is a business issue and involves all C-levels, said Jay Rosenblatt, a partner with Simpson Wigle LLP in Hamilton, Ont., during a Thursday panel discussion on policies and requirements for security management at InfoSecurity Canada.
From a legal perspective, inaction is an act of negligence. “C-level execs are being sent to jail,” he said. “There has to be due diligence to be protected.”
Current and proposed government regulations and standards are affecting information security in both the public and private sector. In Canada, the relevant laws include the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario’s Personal Health Information Protection Act (PHIPA) and Ontario’s Bill 198.
Canada’s approach to privacy protection is more coordinated, but the U.S. sets higher standards for financial reporting, and banking regulations south of the border require a company to report security breaches across the board (although some states exempt breaches in which the data was encrypted).
“You can be prepared,” said Rosenblatt. “You don’t have to be scared.”
What’s at risk? A security breach puts more than company resources on the line: profits, competitive advantage and even insurability suffer, and legal exposure grows. Royal Dutch/Shell, for example, had its credit rating cut as part of a review into its corporate governance, and shareholder pressure forced the company to make reforms quickly.
Rosenblatt said there are several principles for due diligence: put the CEO in charge, make an enterprise commitment, do a risk analysis, plan it, test it, communicate it, rehearse it and update it.
But adhering to these new rules and regulations costs money, and with that comes resistance.
One issue is that the software industry has no liability, said Mary Kirwin, CEO of Headfry Inc., and some software is sold with known security gaps. “People bought these products in good faith and they were sold lemons,” she said. “A lot of CEOs are fed up.”
These CEOs feel they have paid good money for a product that was supposed to prevent security breaches, which makes it hard for IT managers to convince them to spend more. Because of this CEO backlash, she said, software vendors are now trying to fix the problems their products have caused in these systems.
There’s also a great deal of concern surrounding storage. “A lot of systems are not properly secured,” she said. A company’s storage environment impacts legal liability, she added, because that data needs to be stored in a secure, reliable manner.
Despite these concerns, it’s still hard to come up with an ROI on security investments.
But what if your brand’s reputation is trashed due to a security threat, said Rosaleen Citron, CEO of WhiteHat Inc. in Burlington, Ont., or what if you lose customer confidence? That’s the message IT managers have to get across to CEOs and their board of directors.
“Security budgets should be part of the IT budget,” she said. Companies need to keep themselves patched and up to date, but there also needs to be increased involvement of business leaders and legal departments, she said, as well as more user education.
The statistics are there. On average, a security breach costs a company half a million dollars, she said. And about 10 per cent of the U.S. population has had personal or financial data exposed.
Growing trends include ransomware, where online businesses are forced to pay up or keep getting attacked. The same thing is happening on home computers, where attackers encrypt the user’s personal data and then extort money ($500 on average). And viruses, worms and Trojans are getting worse.
A well-governed company can better fend off these attacks and limit its legal liability in the event of a security breach. Such companies will also outlast their competitors, said Citron, because a company whose brand has been tarnished or that has lost customer confidence may never recover.