This is an era of reckoning for companies that collect, own and broker data.

By Dr. Charla Griffy-Brown

Investors have punished Facebook, which lost 15 percent of its value in the month since it became known that millions of people had their data mined by political marketing firm Cambridge Analytica. In the court of public opinion, data companies are taking financial hits and large social media movements like #deletefacebook have exploded. And Congress, at the end of their rope with data misuse, is all but certain to pass tough regulations affecting Facebook and many other companies.

But this is bitter justice for the billions of people whose information has been compromised.

Be it a data breach, such as Equifax, or an ill-conceived access policy, such as Facebook, too many companies with too much information are operating with too little regard for their users. Companies that make money leveraging data must put trust back into the center of their business models.  Users and their data are the product and, whether good or bad, data intelligence experts are the overlords. Trust will continue to gain premium value in the data marketplace.

All that said, I believe there is another serious risk that is being overlooked.

Businesses, especially small and mid-sized firms, need a new approach to secure our digital environment. In the interconnected marketplace of the 21st century, any firm that is not addressing cyber risk is compromising those they work with as well as their customers. There are 8.4 billion connected devices, and some estimate the global cost attributable to cybercrime to be $2 trillion USD by 2020.

Given that many modern-day business operations are reliant on data, all enterprises are at tremendous risk – especially small and medium businesses and non-profits. Obscurity is not a defense. To protect their financial future, they need to adjust their thinking from considering this just a technology issue to understanding that it is a risk and people issue.

I follow cybersecurity issues closely, work with countless companies and teach about cybersecurity in an academic setting.  On a regular basis, I am approached by executives who worry that they are losing the battle against increasingly sophisticated attacks. While not a complete solution, here are three topline learnings that I think are important, especially for small and mid-sized firms:

Do not skimp on resources.  Research I published in the Journal of Applied Business and Economics, based on interviews with more than 200 executives, found most companies create a cybersecurity approach that aims to meet audit requirements or regulations.  However, a routine audit is very different from a cyberattack. This minimal approach is like saying that paying your taxes will position you for retirement. We all should pay our taxes but if we don’t save and invest we are not going to be able to retire.  In many cases a primary impediment to more robust protection appears to be the C-suite, who do not fully comprehend the importance of security for strategic development of the business.

In this day and age, denial and ignorance are not acceptable defenses. Executives and board members should know that increasing threats are coming – they come from multiple directions and are coordinated across multiple parts of the company or an entire industry. Many companies do not pay attention to the basics and are fighting a stealthy opponent without a strategy or nearly enough up-front investment.

Adopt a risk-based approach.  Many small and mid-size firms operate in a completely reactive environment, without metrics to aid in following what is happening in the IT environment with respect to information security. Companies that simply block and tackle after criminal behavior has occurred, often without early detection, are already at a competitive disadvantage. However, companies that adopt a risk-based approach use big data and behavioral analytics and position themselves for potential threats. They are proactive, adopting a multi-layered security and risk-based approach, using behavior analytics, linking events across multiple disciplines and using dynamic InfoSec and IT Audit controls in the environment. These companies are able to capture upside and downside risk to create new value for the company by creating trust. They protect their bottom line and increase their topline at the same time with a risk-based approach.

Have a game plan and practice it frequently.  In order to understand how a business is aligned to emerging threats, companies should constantly practice for when things go wrong.  Armed with an understanding of risk, companies should deploy systemic solutions that are agile and enable businesses to capture new value that comes with emerging technologies.  The process of addressing cyber risk must be practiced across the enterprise.

As news reports have made clear, cybercriminals are easily evading traditional technology-based security systems.  A new approach is required given the growing complexity of enterprise architecture, which now typically includes third-party providers, the cloud and the Internet of Things.  Companies must protect an environment without a perimeter – one that is agile and can adapt to future tools.  In this environment they must constantly evaluate risk, protect critical assets and build trust.

Dr. Charla Griffy-Brown is Professor, Information Systems and Technology Management and Academic Director, Fully-Employed MBA Program at Pepperdine Graziadio Business School.  She is also Editor-in-Chief, Technology in Society, an international journal published by Elsevier.
