I have often quoted the Ponemon Institute in these blogs, and this is another example. I quote them because they do detailed research on privacy, data protection and information security policy and report the results in a compelling and easy to read manner. These subjects are of great interest to me, and should be important to CEOs, CFOs, and CIOs. Ignoring what is going on in the cyber war world of today is dangerous to the future or even the existence of any organization.
Some recent findings reported by Ponemon, with my brief interpretation.
- The average cost per lost record of a data breach in the US is almost $200.
Note this is the cost for every record that is misplaced, mis-sent, or deliberately stolen that contains protected information. This protected information includes information covered by government privacy laws, financial information (e.g., PCI compliance) or medical information (e.g., HIPAA compliance).
- Over half of surveyed CEOs report cyber attacks every day.
Fortunately, most of these attacks are foiled. But it only takes one success to negatively impact your business.
- 60% of employees circumvent the security features on their mobile devices, while 68% of US businesses allow employees to have their own mobile devices in the workplace.
When properly secured, personal devices like smart phones, tablets and laptops can greatly improve the productivity and satisfaction of your employees. If they are not secure, then any emails, downloaded files, even photographs on those devices are potential breach risks. These devices are lost and stolen every day. The Ponemon Institute reported that each week over 10,000 laptops are reported lost at 36 of the largest U.S. airports, and 65% are not recovered. Other reports show that each adult loses on average four smart phones. How much of your data is on these devices?
- 94% of healthcare organizations had a data breach involving protected data.
With the “strongly encouraged” universal use of electronic medical records and the sharing of these records among a variety of health care providers, insurance companies, and government organizations, each data breach can potentially involve millions of individuals’ protected data.
- 77% of UK companies’ IT organizations use live production data for testing and development.
What are they thinking? Almost by definition, testing and development processes expose data to significantly increased risk since that data is being handled by new or modified untested software. Development environments are usually unstable, with constant changes in server usage, storage devices and network infrastructure. The focus is on getting the job done quickly. Security, if even considered, is secondary. Often a company will outsource some or all of its development and testing activities to third party organizations. These organizations, while good at what they do, are also more concerned about getting the job done than securing test data. I know of one case where a US company outsourced its development to a company in India, which outsourced all testing to a company in China. The US company was not even aware of the Chinese connection. They were providing tens of thousands of live data records to these companies to use in testing.
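One practical alternative to handing live records to a development or test team is to pseudonymize them first, so that the test data keeps its shape and its join keys but contains no real personal values. The following is an added example (not code from the original post or from Ponemon): it assumes a flat record layout with a few PII fields, a constructed masking key, and constructed customer and order records; the field names and values are invented for illustration.

```python
"""Pseudonymize production records before they reach a test environment.

Added example, not from the original post. It assumes a flat record format
with a handful of PII fields and a keyed HMAC for deterministic tokens;
records, field names and the masking key below are all constructed.
"""
import hashlib
import hmac

# Constructed sample records, shaped like a test-data extract. Nothing real.
PRODUCTION_RECORDS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "card_last4": "4242", "dob": "1980-04-12", "plan": "gold"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.org",
     "card_last4": "1111", "dob": "1975-09-30", "plan": "silver"},
]
# Orders reference customers; masking must keep the join key consistent
# across both tables or the test data set stops being useful.
PRODUCTION_ORDERS = [
    {"order_id": "O5", "customer_id": "C1001", "amount": "19.99"},
    {"order_id": "O6", "customer_id": "C1002", "amount": "5.00"},
    {"order_id": "O7", "customer_id": "C1001", "amount": "42.00"},
]

# Hypothetical secret; in practice it stays in production, never in test.
MASKING_KEY = b"rotate-me-and-keep-out-of-test"

PII_FIELDS = {"name", "email", "card_last4", "dob"}
JOIN_KEYS = {"customer_id"}


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token: same input and key give the same token,
    and the token cannot be turned back into the value without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_record(record: dict, key: bytes) -> dict:
    """Replace PII in one record while preserving structure and join keys."""
    out = {}
    for field, value in record.items():
        if field in JOIN_KEYS:
            out[field] = "K" + pseudonym(value, key)
        elif field == "email":
            # keep the local@domain shape so address handling in tests still runs
            out[field] = pseudonym(value, key) + "@test.invalid"
        elif field == "dob":
            # keep the year for age-based logic, drop month and day
            out[field] = value[:4] + "-01-01"
        elif field in PII_FIELDS:
            out[field] = pseudonym(value, key)
        else:
            out[field] = value  # non-PII business field passes through unchanged
    return out


def mask_dataset(customers, orders, key):
    """Mask both tables with the same key so foreign keys still line up."""
    return ([mask_record(r, key) for r in customers],
            [mask_record(r, key) for r in orders])


def leaked_values(original_records, masked_records, fields):
    """Return any original value from `fields` that still appears verbatim
    in the masked output; an empty set means the masking held."""
    masked_blob = " ".join(" ".join(r.values()) for r in masked_records)
    return {r[f] for r in original_records for f in fields
            if f in r and r[f] in masked_blob}


if __name__ == "__main__":
    customers, orders = mask_dataset(PRODUCTION_RECORDS, PRODUCTION_ORDERS, MASKING_KEY)
    for row in customers + orders:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_RECORDS, customers, ["name", "email"]))
```

The point of the keyed HMAC rather than a plain hash is that anyone holding the masked data cannot recompute tokens from guessed values (a dictionary of common names, say) without the key, while the same customer still maps to the same token in every table. The leak check at the end is the test the outsourcing chain described above never ran: if any original name or address survives in the output, the masking step failed and the data should not leave the production boundary.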
A recent Ponemon Report is their 2013 Annual Cost of Failed Trust Report: Threats & Attacks. This is the first of this series that provides an “extensive examination of how failure to control trust in the face of new and evolving threats is placing all global enterprises at risk.” This survey covered over 2,300 mostly Global 2000 enterprises from Australia, France, Germany, the U.K. and the U.S.
The primary focus of this report was the cryptographic keys and certificates that organizations use to provide trust for electronic communications. These keys form the security basis for Internet commerce, smart phones and other mobile devices, and, of course, Cloud Computing. These cryptographic keys are all that protects the data you send and receive over the Internet. Making the risk higher is the fact that most organizations have no way to even detect attacks on these keys. This report is the first attempt to quantify the scope of these attacks and their impact.
The cost of these attacks is significant, with about US$400M at risk in each of these Fortune 2000 organizations. The easiest exploit for cyber criminals is weak cryptography.
Protecting these keys and the infrastructure around them is not easy. Enterprises reported that they have on average almost 18,000 separate keys and certificates deployed across their IT infrastructure or in the Cloud. Over half of the organizations did not know what the actual number really is. 45% believe that failing to securely manage these keys and certificates directly leads to the erosion of trust. The risk is compounded by the potential of compromised Certificate Authorities, the companies that issue these digital certificates. Every respondent reported at least one trust exploit over the last two years, and the prognosis for avoiding future attacks is grim at best.
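Not knowing how many keys and certificates you have is the first problem; the second is having no routine check of the ones you do know about. The following is an added example (not code from the original post or from the Ponemon report) of auditing an inventory export against a baseline policy: weak RSA key sizes, MD5 or SHA-1 signatures, expired or soon-to-expire certificates, self-signed certificates, keys shared across hosts, and entries with no recorded owner. It assumes a CSV export with the columns shown (a constructed format, not any particular tool's) and a fixed audit date so the results are reproducible; every host name, fingerprint and date is invented.

```python
"""Audit a certificate and key inventory against a baseline policy.

Added example, not from the original post or the Ponemon report. It assumes
a CSV export with the columns below (a constructed format) and a fixed audit
date; hosts, fingerprints, issuers and dates are all made up.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed inventory, shaped like a discovery tool's export. All values invented.
INVENTORY_CSV = """host,subject,issuer,key_alg,key_bits,sig_alg,not_after,fingerprint,owner
www.example.test,CN=www.example.test,CN=Public CA,RSA,2048,sha256WithRSAEncryption,2014-03-01,aa11,web-team
api.example.test,CN=api.example.test,CN=Public CA,RSA,1024,sha1WithRSAEncryption,2013-09-15,bb22,
vpn.example.test,CN=vpn.example.test,CN=vpn.example.test,RSA,2048,sha256WithRSAEncryption,2013-05-10,cc33,netops
db1.example.test,CN=db1.example.test,CN=Internal CA,RSA,2048,sha256WithRSAEncryption,2015-01-01,dd44,dba
db2.example.test,CN=db2.example.test,CN=Internal CA,RSA,2048,sha256WithRSAEncryption,2015-01-01,dd44,dba
old.example.test,CN=old.example.test,CN=Public CA,RSA,2048,md5WithRSAEncryption,2013-04-01,ee55,
"""

AUDIT_DATE = date(2013, 4, 25)          # fixed so a run is reproducible
MIN_RSA_BITS = 2048                     # baseline policy values (assumed)
WEAK_SIG_PREFIXES = ("md5", "sha1")
EXPIRY_WARNING = timedelta(days=30)


def parse_inventory(text):
    """Parse the CSV export into rows with typed key size and expiry date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["key_bits"] = int(r["key_bits"])
        r["not_after"] = date.fromisoformat(r["not_after"])
    return rows


def audit(rows, today=AUDIT_DATE):
    """Return (host, finding) pairs, one per policy violation."""
    findings = []
    fp_hosts = Counter(r["fingerprint"] for r in rows)  # detects key reuse
    for r in rows:
        h = r["host"]
        if r["key_alg"] == "RSA" and r["key_bits"] < MIN_RSA_BITS:
            findings.append((h, f"weak key: RSA {r['key_bits']} bits"))
        if r["sig_alg"].lower().startswith(WEAK_SIG_PREFIXES):
            findings.append((h, f"weak signature algorithm: {r['sig_alg']}"))
        if r["not_after"] < today:
            findings.append((h, f"expired on {r['not_after']}"))
        elif r["not_after"] - today <= EXPIRY_WARNING:
            findings.append((h, f"expires within {EXPIRY_WARNING.days} days ({r['not_after']})"))
        if r["subject"] == r["issuer"]:
            findings.append((h, "self-signed certificate in inventory"))
        if not r["owner"]:
            findings.append((h, "no owner recorded"))
        if fp_hosts[r["fingerprint"]] > 1:
            findings.append((h, f"key shared with {fp_hosts[r['fingerprint']] - 1} other host(s)"))
    return findings


def summary(rows, findings):
    """Roll-up numbers a manager would ask for: how big is the problem?"""
    return {
        "certificates": len(rows),
        "findings": len(findings),
        "hosts_affected": len({h for h, _ in findings}),
        "unowned": sum(1 for r in rows if not r["owner"]),
    }


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    results = audit(inventory)
    for host, finding in results:
        print(f"{host}: {finding}")
    print(summary(inventory, results))
```

The "no owner recorded" and "key shared" checks are the ones that speak to the survey finding: a certificate nobody owns will not be renewed or revoked when it should be, and a private key copied to several hosts means one compromised host exposes all of them. Run this against a real export on a schedule and the count of findings becomes a trend line rather than a surprise.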
While this particular survey was focused on Fortune 2000 companies, no organization is safe. If you are using the Internet you are at risk.
Ponemon also reports that 80% of CEOs think having a reputation for protecting customer data improves their brand and marketplace image. These security risks, when properly handled, can become a marketplace differentiator for your company.
Are your CEO and CFO aware of these reports? Are they concerned about the consequences of lax security? They should be. If they aren’t concerned, then you should probably be updating your résumé.
The last word:
Think social media does not matter? This week a hacked tweet sent the market into a “flash crash.” The U.S. Dow Jones Industrial Average dropped about 150 points in a matter of seconds after a faked Associated Press tweet about an imagined attack on the White House. It was not even people reacting to the tweet, it was computer programs reacting to the content of the tweet that caused the drop. But it took real people to realize it was a fake tweet and reverse the “tweetfall.”
During the recent Boston Marathon aftermath, we saw news media using social media to pass on totally erroneous and sometimes made up information. This was all people “in the know” who demonstrated their incompetence in real time through social media.
Bad social media is, well, bad. Do it and you can hurt your company.
But good social media can make a very positive and measurable impact on your company. Look at the ABC drama Scandal. Sure, it has sex, violence, high-level political intrigue, and some very interesting characters. But the way ABC has embraced social media with this show is a significant reason why it has its high ratings, and therefore high advertisement revenue. So far, Scandal has generated more than 2.8 million tweets, 25% more than American Idol. Most of these tweets occur during the show.
Social media engages people, and makes the product a “must have,” or in the case of Scandal, “must see.”
Keep your sense of humor.