Apple and WikiLeaks Show How Vulnerable Companies Are

Last Updated Aug 16, 2010 3:04 PM EDT

In seemingly separate stories, an Apple (AAPL) mid-level supply chain manager was accused of accepting more than $1 million in kickbacks from Asian iPhone component suppliers. At the same time, WikiLeaks, which has made a considerable name for itself by leaking secret documents, including what you might call this decade's Pentagon Papers, has said that it won't be threatened by the Pentagon. But corporate managers should see them as two sides of the same coin. Internal threats and data leaks are far more common than most would like to think, and they can be damaging.

Cost of Data Breaches

Talk to experts in security and risk management, and you'll learn a few things that can surprise many, including experienced managers. One is just how much data losses can cost. It's hard to quantify in general the expense of lost information, although one study by the Ponemon Institute suggests that the average cost of a data breach in the U.S. last year was $6.75 million. It was $2.57 million in the U.K., $3.44 million in Germany, and $2.53 million in France.

However, put generalities aside and look at the Apple case. The company sells tens of millions of iPhones and iPods a year. A five-cent-per-unit difference between what the company actually paid and what it might have negotiated had potential bidders held no inside information could easily mean millions a year.

As data loss goes, this was rather innocuous. What if the information were intellectual property, such as a previously unrevealed trade secret? Even a release date could allow a competitor to leak information to the media, which would then make it public, potentially tanking Apple's current sales as people learned that a new model was coming out. Release your competing product in that window, and you could grab more purchases than otherwise might be the case.

Or look at the U.S. government and the information that WikiLeaks is making available. I'm not here to argue whether what the organization does is right or wrong. However, it has an impact on the government's brand, if you will, and its ability to influence the public to its advantage. The same could happen to a company. Look at the critical onslaught that Google (GOOG) has faced since the net neutrality proposal it co-authored with Verizon (VZ) came out. And that was a planned release.

Other possible types of information that a company could lose to its disadvantage include:

  • supplier lists
  • customer lists
  • product marketing plans, including release dates and advertising campaigns
  • employee directories
  • trade secrets, including formulae, engineering designs, and prototypes

Inside Risks

Many people, often including corporate executives, assume that the biggest risk to security comes from the outside. Actually, the opposite is true. As a past study funded by Cisco (CSCO) has pointed out, most data security threats are internal. That matches everything I've heard from law enforcement and security experts over at least the last ten years.

Sometimes the help is deliberate, like the Apple employee who allegedly received kickbacks. Sometimes the internal problems are unintentional, like the person at the front desk who waves through the pizza delivery person, assuming that someone ordered in lunch, not that the delivery guy is actually a thief and will take valuable information out the door in the delivery bag. Or it could be social engineering, with employees tricked into giving away information. I've even heard of companies setting up fake conferences to get a competitor's employees onto a discussion panel to give insights you might not find in publicly-filed information.

Bigger Risks are Higher Up

Many companies assume that the biggest internal security risks are lower-level employees. Quite the opposite is true. For Apple, it was a mid-level manager -- not the person highest on the organizational chart, certainly, but one in a position of trust with access to sensitive material. For the U.S. Army, it was clearly people with security clearances who were in a position to collect the documents and pass them on to WikiLeaks.

Access and control of information means a commensurate amount of responsibility, power, and authority. When you hear of companies with major accounting irregularities, the people responsible aren't the clock-punching accountants, but, generally, the CEO, CFO, chairman of the board, or COO.

Unfortunately, many companies that otherwise talk a good game are effectively inactive when it comes to actually safeguarding information. Notice that the two examples in question are the federal government, which has extensive information security measures, and Apple, known for its secretive culture. If they can find themselves on the wrong end of information loss, what are the chances that the average company is immune?

Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.