The Reputational Impact of It Risk
Total Page:16
File Type:pdf, Size:1020Kb
FALLOUT THE REPUTATIONAL IMPACT OF IT RISK IN ASSOCIATION WITH: CONTENTS Executive Summary ..............................................................................................................................................2 Introduction: The Black Friday data breach .................................................................................................3 Where the Risks Are: From Human Error to System Failure ................................................................ 5 Sidebar: The Promise and Perils of the Cloud............................................................................................11 Protecting Your Reputation in the Always-On World ............................................................................12 Conclusion ..............................................................................................................................................................18 Acknowledgments...............................................................................................................................................19 EXECUTIVE SUMMARY U.S. retailers were not the first to su!er a massive data breach. Nor will they be the last, as cyber attacks, security breaches and system outages proliferate. Shadow technology and expanding supply chains bring more risks. How can companies better protect their reputation by ensuring the continuous—and secure—flow of information to support their business? After all, a major part of the brand experience for most customers comes through the technology that delivers or supports the business. When that technology doesn’t work, it’s not just a problem for the tech team; an organization’s reputation can su!er, and reputation is a board-level concern. Security and resilience a!ect nearly every part of an organization in the always-on world. Working through the challenges of emerging technologies, such as implementing a cloud strategy, can be a means to reassess not only data storage and transmission but any business function that requires data: compliance, finance and human resources, for example. Strategies to protect IT security and business resilience can align with a company’s broader corporate goals—from protecting intellectual property to maximizing productivity to minimizing customer defections. Cost of the users’ idle time and lost productivity because of downtime or system performance Cost forensics to determine the root causes of disruptions Cost of technical support to restore systems to an operational state Cost associated with reputation and brand damage Revenues lost because of system availability problems Cost associated with compliance or regulatory failure 2 | FALLOUT INTRODUCTION The holiday data breach at U.S. retailers gives new Technology professionals and business continuity meaning to the term Black Friday. Just as merchants experts know how expensive an IT security breakdown entered into their busiest shopping season, malware or business disruption can be. Lost revenues, downtime installed through a third-party vendor on credit card read- and the cost of restoring systems can accrue at the rate ers began uploading credit and debit card data to cyber of $50,000 per minute for a minor disruption, accord- thieves. From just before Thanksgiving until shortly after ing to the business continuity and IT security executives the U.S. Justice Department became involved in mid- who responded to the IBM Global Study on the Economic December, hackers made o! with data from at least 40 Impact of IT Risk conducted by Ponemon Institute. But million accounts, including PIN numbers for debit cards. what about the greater toll a sustained outage or major Forensics revealed that the names, addresses and phone security breach can take on a company’s reputation? numbers of tens of millions of customers had also been compromised. That number could grow as the investi- Firms surveyed in a similar IBM study conducted in gation continues and more retailers become aware of the 2012 reported that the reputational damage lasts months— extent of the breaches. far longer than recovery times and long enough to a!ect quarterly results in most cases. For a major incident, such as In the weeks before Christmas, sales fell sharply the data breach su!ered by U.S. retailers, the e!ects could at a!ected stores. There was no business disruption at last years. Reputation has always been a thorny thing to the stores or the back o"ce, but there was for many of value in dollar terms. But there are costs associated with a the retailers’ customers. Some started seeing fraudulent disruption or breach that can be measured (Fig. 1). charges on their credit cards. Several card-issuing banks canceled all accounts that may have been compromised by the breach. Others added new credit limits, leaving customers without a credit card during the holidays. Retailers will be on the hook for many of those costs. Expenses related to the data breach are forecast to reach into the billions. FIGURE 1. SUBSTANTIAL DISRUPTIONS POSE THE GREATEST RISK TO REPUTATION AND BRAND VALUE Cost of the users’ idle time and lost productivity because of downtime or system performance 15 36 35 Cost forensics to determine the root causes of disruptions 9 20 25 Cost of technical support to restore systems to an operational state 7 17 28 Cost associated with reputation and brand damage 37 11 2 Revenues lost because of system availability problems 22 12 4 Substantial Cost associated with compliance Moderate 10 4 5 or regulatory failure Minor For each of the three levels of disruption (minor, moderate and substantial), respondents were asked to use a 100-point scale to apportion total costs across these six cost categories. Source: The economics of IT risk and reputation: What business continuity and IT security really mean to your organization, September 2013 COPYRIGHT © 2014 FORBES INSIGHTS | 3 If customers can’t log on to your site, you not report. According to McAfee Chief Technology O"cer only lose a sale today, but you also risk losing future Michael Fey, defending against such an attack doesn’t business, particularly for retailers. For #nancial institutions, require a new silver bullet; it requires a cost-e!ective way a security breach can scare away customers and open the of deploying technology that already exists. And the door to fraud. A network outage for any telecom or IT problems persist; another retailer reported a fresh attack as company may leave clients wondering why they should late as March 2014. trust their own reputation to a vendor who might make them look incompetent. This is particularly true for the “You will be held accountable for what you did or providers and the users of cloud technology. didn’t do in the months and years leading up to a crisis,” explains Prof. Daniel Diermeier, the IBM Professor of Winning back trust also has a cost. Just ask the sta! Regulation and Competitive Practice at the Department at retailers who worked around the clock through the of Managerial Economics and Decision Sciences at the Christmas holiday, trying to answer questions from Kellogg School of Management. “You are only as good customers and the press. The retailers involved are trying as the decisions you made when you put your systems hard to put their customers #rst by promising zero-lia- in place.” bility protection for any fraudulent activity as a result of the breach. But the head of any organization would be How can companies better protect themselves wondering at this point: “What could we have done against cyber attacks, security breaches, data loss, system di!erently before this happened?” outages and the most di"cult-to-control threat: human error? What new risks does the cloud bring? How do The retailers involved still have many questions to executives view the risks that these failures can pose to answer. The malware used in at least one attack was a rela- their company’s reputation? tively unsophisticated, o!-the-shelf exploit kit that can be easily modi#ed and redistributed with little programming skill or knowledge of malware functionality, says soft- ware security #rm McAfee in its fourth-quarter security 4 | FALLOUT WHERE THE RISKS ARE HUMAN ERROR “The biggest business risk for us and for most compa- For business continuity managers, the potential impact nies is a data breach or system failure,” says Patricia Titus, of human error looks broader and deeper as the world Chief Information Security O"cer of Freddie Mac. “But becomes more social and interconnected, says Paige the biggest challenge is the potential for human error.” Poore, Director, Global Business Continuity Management for IBM. “From a process perspective, from an IT In fact, human error is named as the threat with the perspective, it becomes clear that an organization highest economic impact by the IBM study. Whether it’s a needs a single integrated risk management strategy for fat #nger hitting the wrong key or someone spilling co!ee business continuity and IT risk that is supported and on the server, human error is responsible for nearly a third executed across the enterprise.” of IT disruptions—the leading cause. “We can secure the doors, we can button down the system, we can put on behavior and insider threat detection and employ counter- intelligence,” says Titus. “But we also have to remember how vulnerable an entire system can be to one person making a mistake.” FIGURE 2. AVERAGE NUMBER OF DISRUPTIONS OVER THE PAST 24 MONTHS CAUSED BY SIX COMMON THREATS Human error 9.5 IT system failure 5.5