Last Updated Aug 16, 2010 3:04 PM EDT
Cost of Data Breaches
Talk to experts in security and risk management, and you'll learn a few things that can surprise many, including experienced managers. One is just how much data losses can cost. It's hard to quantify in general the expense of lost information, although one study by the Ponemon Institute suggests that the average cost of a data breach in the U.S. last year was $6.75 million. It was $2.57 million in the U.K., $3.44 million in Germany, and $2.53 million in France.
However, put generalities aside and look at the Apple case. The company sells tens of millions of iPhones and iPods a year. A five-cent-per-unit difference between what the company actually paid and what it might have negotiated had no inside information reached potential bidders could easily mean millions a year.
As data loss goes, this was rather innocuous. What if the information had been intellectual property, like a previously unrevealed trade secret? Even a release date could allow a competitor to leak information to the media, which would then make it public, potentially tanking Apple's current sales as people learned that a new model was coming. Release your competing product in that window, and you could grab more purchases than you otherwise would.
Or look at the U.S. government and the information that WikiLeaks is making available. I'm not here to argue whether what the organization does is right or wrong. However, it has an impact on the government's brand, if you will, and its ability to influence the public to its advantage. The same could happen to a company. Look at the critical onslaught that Google (GOOG) has faced since the net neutrality proposal it co-authored with Verizon (VZ) came out. And that was a planned release.
Other possible types of information that a company could lose to its disadvantage include:
- supplier lists
- customer lists
- product marketing plans, including release dates and advertising campaigns
- employee directories
- trade secrets, including formulae, engineering designs, and prototypes
Inside Risks
Many people, often including corporate executives, assume that the biggest risk to security comes from the outside. Actually, the opposite is true. As a past study funded by Cisco (CSCO) has pointed out, most data security threats are internal. That matches with everything I've heard from law enforcement and security experts over at least the last ten years.
Sometimes the inside help is deliberate, like the Apple employee who allegedly received kickbacks. Sometimes the internal problems are unintentional, like the person at the front desk who waves through the pizza delivery person, assuming that someone ordered in lunch, not that the delivery guy is actually a thief who will carry valuable information out the door in the delivery bag. Or it could be social engineering, with employees tricked into giving away information. I've even heard of companies setting up fake conferences to get a competitor's employees onto a discussion panel to give insights you might not find in publicly filed information.
Bigger Risks are Higher Up
Many companies assume that the biggest internal security risks are lower-level employees. Quite the opposite is true. For Apple, it was a mid-level manager -- not the person highest on the organizational chart, certainly, but one in a position of trust with access to sensitive material. In the U.S. Army's case, it was clearly people holding security clearances who were in a position to collect the documents and pass them on to WikiLeaks.
Access and control of information means a commensurate amount of responsibility, power, and authority. When you hear of companies with major accounting irregularities, the people responsible aren't the clock-punching accountants, but, generally, the CEO, CFO, chairman of the board, or COO.
Unfortunately, many companies that otherwise talk a good game are effectively inactive when it comes to actually safeguarding information. Notice that the two examples in question are the federal government, which has extensive information security measures, and Apple, known for its secretive culture. If they can find themselves on the wrong end of information loss, what are the chances that the average company is immune?