The Agenda 2020 series asks experts to discuss what business leaders should be doing now to prepare their organizations to be healthy, efficient and growing by 2020. Read more at tgam.ca/agenda2020.
It seems as though not a month goes by without news of a massive cybersecurity breach occurring at a large company. Sony Corp., Target Corp., eBay Inc. are just three of the companies that have had their customers' personal information stolen over the past few years, and the number of companies that will experience an attack is likely to rise. According to tech security company Symantec Corp., there was a 62-per-cent increase in the number of breaches in 2013 across the globe. So what can companies do? Should they even bother fighting these attacks or should they resign themselves to the fact that breaches will happen? We posed these questions and more to two cyberrisk experts, Claudiu Popa, president and CEO of Toronto's Informatica Corp. and Brian Rosenbaum, national director of Aon Risk Services legal and research practice.
Are cyberattacks worth fighting or is it just a cost of doing business?
Claudiu Popa: They are worth fighting, but with a process and with risk management. So you look at what the chance of certain threats occurring is, and the damage they'll do, and then you can decide whether it makes sense to accept that risk yourself. If you don't want to accept it, then move to the next stage and transfer that risk using insurance, but there's only a narrow list of things you can do that with.
Brian Rosenbaum: You're going to have difficulties transferring that risk to insurance if you're not going to invest in preventing attacks and privacy breaches. If you want to be insured, companies will have to see that you made an effort. So I think you do have to invest in security, but it's more than just that. You need to invest in governance, protocols, procedures, training and auditing.
I'd add that companies do still have regulatory compliance requirements. Companies, pursuant to our privacy laws in Canada, are required to be protected to safeguard information with security. You can't turn your back on that obligation. The act has come under fire in terms of the ability of the privacy commissioner to fine companies and we still don't have a mandatory breach notification regime, which we keep waiting for.
It does seem, though, that no matter what companies do, attacks still happen.
CP: It's a bit of a mistake to say that. Every product I can think of has a vulnerability and will fail. You can buy a doughnut and choke on it or purchase a pool liner and someone can get wrapped up in it and die. These are specific threats to safety, security and privacy that are well known to everyone under the sun. The IT world, though, deals with things that humans have trouble getting their minds around. There was a recent breach by eBay that saw hundreds of millions of accounts targeted. What does it mean to have that many customers targeted? That blows people's minds and it brings a lot of fear. The media then run away with it, rather than the marbles people choke on.
BR: While that is true, companies are still frustrated because they can never seem to get ahead. A lot of money is poured into these types of attacks. We've heard stories of organized crime being behind a lot of attacks, or even specific countries. It's deflating for companies because they're not pouring in anywhere near as much money into protection as the people who are seeking to get the info. So companies do feel defeatist to some degree.
So what can companies do to prevent attacks?
BR: I'm big on training, education and the establishment and enforcement of proper policy and procedures. A lot of companies have the technology in place, but they don't enforce security protocols. For instance, when companies encrypt devices, employees will often disengage that encryption because it's too difficult to sign on and companies are not monitoring this practice. To me, a lot of this is an educational and cultural issue within the company. Ensure employees understand how a company can be hacked into and attacked.
CP: Organizations don't bother to understand the simple concept of risk management and they try and find off-the-shelf products. Off-the-shelf products are fairly rigid and, in most cases, require proper configuration and management, and that expertise is hard to get. You end up having mismanaged product and a false sense of security and that's a lot worse than having no security at all. Companies need to build certain things into their security and follow processes, but they have to assess their risk to begin with to know what it is they need to protect against. You can't quantify risk if you don't know if you should avoid it, transfer it, minimize it or mitigate it.
Why are so many companies so far behind?
CP: It's party the legislative climate in Canada. Companies haven't been kicked in the butt to make those investments. In the States they have security legislation in place, but less privacy legislation. In Canada we have privacy, but less in the way of security. In the States you get dinged for every record you lose. Here all they can do is drag your name through the papers.
But it shouldn't be legislation that drives things anyway. It should be integrity. Companies should be demonstrating that they care enough about their customers to protect your information. It shows responsibility, accountability and integrity.
BR: The law will be a driver. It will force companies to (speak) out in all cases that could be harmful to the individual. Once companies see that these aren't isolated incidences, and that there's a chain of events that happen when there's a breach and that business can be interrupted, then they'll sit down and say, 'maybe we should invest.' So the change in law will help, but it will be a combination of factors. There are so many breaches right now and companies can't just sit back and do nothing.
Responses have been edited and condensed.