Quick, what do Target, Sony, and Neiman Marcus have in common? Yes, all are globally recognized brands. But lately these companies share a less enviable characteristic: they’ve all experienced large-scale data breaches, resulting in damaged reputations and millions of dollars in costs and forgone revenues.
They aren’t the only ones, of course, and many others will be joining their ranks. Information security breaches are on the rise, according to the Ponemon Institute’s annual cybercrime study. And they are expensive: the average cost of cybercrime in 2013 was $11.56 million for a U.S. company, says Ponemon.
Even an efficiently handled information security incident incurs plenty of “ancillary costs,” says Marcus J. Ranum, chief security officer at Tenable Network Security, a threat management technology provider. Among them are legal bills, compliance fines, and expenses associated with hiring forensic investigators and investing in technology.
Indeed, vendors now offer a variety of applications that can enable companies to prevent, detect, and contain computer intrusions. But there are also three simple steps that finance chiefs and their companies can take to avoid data breaches:
1. Align security with finance. Many information-security managers currently report to the CIO or the CEO, but having security report to finance fortifies the link between security investments and the company’s business objectives. “When key business decisions need to be made, this reporting structure helps ensure management makes well-informed choices to manage business risk,” says Mike Saurbaugh, manager of information security at Corning Federal Credit Union. Finance needs to make sure the security chief has accurate numbers about what a data loss could mean to the bottom line.
2. Prioritize your data. Protecting every bit of data is hardly feasible, which is why CFOs need to rally their C-suite colleagues around instituting a data classification program that ranks the most sensitive information on the company’s networks. For instance, in the consumer products industry, the most important assets may be formulas, patents, and manufacturing techniques. In the oil and gas industry, they may include information about exploration and industrial control systems or operational technology. “Data classification is the most important and difficult thing for companies to do,” says Bill Dean, director of security assessments and computer forensics at Sword & Shield Enterprise Security, an information security service provider. That’s because no executive wants to rank his or her department’s data as of lesser importance, says Dean. But the CFO can help them prioritize.
3. Develop and maintain a security policy. Most large companies have acceptable-use policies that outline the ways in which employees may use their networks or systems, and what the penalties for misuse are. But Dean says many companies spend too much time on the penalties and on legal disclaimers that absolve them of responsibility, and not enough time on rules concerning sensitive data. Also, a security policy should include stringent rules about passwords; according to the 2013 Verizon Data Breach Investigations Report, 76% of breaches involve weak or stolen user credentials. It’s also important to educate employees about why the policies are in place and what effect lax security habits could have on them personally, such as the theft of their Social Security numbers.