The Importance of Corporate Information Security
Operational Security (OPSEC) was a term first coined by the military, meaning keeping information about operations, in any format, secret. During World War II, the ad campaign “Loose lips sink ships” was used to train both American civilians and military troops to keep any information about troop movements and military plans quiet, so as to protect troops from enemy danger. According to Eyewitness to History.com, newly enlisted troops were given a pamphlet which read as follows:
“WRITING HOME – THINK! Where does the enemy get his information — information that can put you, and has put your comrades, adrift on an open sea: information that has lost battles and can lose more, unless you personally, vigilantly, perform your duty in SAFEGUARDING MILITARY INFORMATION?” (Eyewitness, 1997)
“TALK – SILENCE MEANS SECURITY — If violation of protective measures is serious within written communications it is disastrous in conversations. Protect your conversation as you do your letters, and be even more careful. A harmful letter can be nullified by censorship; loose talk is direct delivery to the enemy.
If you come home during war your lips must remain sealed and your written hand must be guided by self-imposed censorship. This takes guts. Have you got them, or do you want your buddies and your country to pay the price for your showing off? You’ve faced the battle front; it’s little enough to ask you face this home front.” (Eyewitness, 1997)
“CAPTURE – Most enemy intelligence comes from prisoners. If captured, you are required to give only three facts: YOUR NAME, YOUR GRADE, YOUR ARMY SERIAL NUMBER. Don’t talk, don’t try to fake stories and use every effort to destroy all papers. When you are going into an area where capture is possible, carry only essential papers and plan to destroy them prior to capture if possible. Do not carry personal letters on your person; they tell much about you, and the envelope has on it your unit and organization.” (Eyewitness, 1997)
In today’s technologically innovative and globally competitive market, OPSEC is no longer just a military term or concept. The “enemy” is everywhere, and the fight to win the war for the market (whatever that market may be) is a serious undertaking in both the private and government sectors. OPSEC has expanded into other areas such as information security and computer security, and businesses are learning very quickly that protecting company information and the information of their customers is perhaps the most important thing they do day to day. Why is information security management of utmost importance to today’s organizations, specifically with regard to employee training and participation?
Look back at the pamphlet given to the troops. The first category is written communication. Every business writes down significant information about itself: its vision and mission, daily operations, new ventures, and potential flaws in its product lines. How much of this information ends up on the internet, or could be taken by an attacker from a company server connected to the internet? What about the printed information that ends up in the garbage, in e-mail inboxes, or on fax machines? If even one competitor were to gain access to your facility, what might they find? More importantly, what is out there in cyberspace in plain view for competitors to piece together? How much information do employees share on social networking sites where their personal profiles list their workplace? What about resumes and job openings posted on job sites that reveal new openings for new projects?
The next category on the pamphlet is “talk – silence means security”. So much information is leaked through telephone and casual conversations. Employees are excited about the new project they are working on, and they want to talk about it! Really, who is listening? Unfortunately, people generally have a high level of trust in other people. They want to believe people are well intentioned, even when they aren’t. Just how easy is it for a competitor to get information over the phone? They simply need to sound like a trusted party. For example, if I am a competitor working for Company A and I want to find out whether Company B is working on a new technology, I can simply look up a few contacts on the corporate website, make a few phone calls introducing myself under an alias (such as a contractor for the “special project”), and, by piecing the information together, find out whether Company B is working on the new technology, who the point of contact is, and what other sources are party to the information.
Who is vulnerable?
Every single business, large or small, is vulnerable to security breaches. “Today information can be seen as a basic commodity, similar to electricity, without which many businesses simply cannot operate” (Van Niekerk & Von Solms, 2010). Few if any businesses operate entirely within themselves without their information or their customers’ information traveling to some outside source. The internet, telephone, and network lines are the main channels over which information and data travel today. Unfortunately, none of this data can be completely protected from interception.
One primary example of data vulnerability is the Payment Card Industry (PCI) compliance standards in the hotel and retail industries. An article by Jason Freed (2010) in Hotel & Motel Management notes that the hotel industry is highly targeted by identity thieves, accounting for a whopping thirty-eight percent of the security breach investigations noted in the 2009 Trustwave Global Security Report. The report showed that most of the security breaches came from human error and employees failing to follow basic security measures such as closing databases, securing servers, and creating user IDs and passwords that aren’t easy to guess. Many of the hotels also have no security training for employees and outsource their information technology, leaving no one on staff with oversight of customer credit card data (Freed, 2010).
What about other private company and customer data? A search through the media archives reveals a long list of incidents: laptops containing social security numbers and customer data were stolen from the Veterans Administration; administrator accounts on the social networking sites Facebook and Twitter were hacked, and high-profile user accounts and private company data were accessed; criminals in Massachusetts figured out how to withdraw money from multiple personal credit union accounts; a file server stolen from AIG contained the personal data of over a million account holders; and, most recently, researcher Barnaby Jack demonstrated at the Black Hat security conference in Las Vegas how he hacked several different automated teller machines (ATMs), overwriting their code with a simple USB device and causing them to spew out all the money they contained.
Despite the security breaches broadcast daily in the media and documented in countless studies, businesses and Chief Information Officers (CIOs) remain confident that their security is adequate and are naïve about the realities. A 2006 CIO Insight article by Allan Alter reports that one in three companies reported a security breach in the past year and one in four says it has been targeted by organized criminals. The article notes eight key findings from a survey conducted by CIO Insight of 277 IT executive respondents from various companies (Alter, 2006):
- Only 1 in 10 respondents thought that their company was at high risk with regard to information security, with financial institutions reporting the most risk.
- IT executives are extremely satisfied with and confident in their anti-virus and anti-spyware software.
- Improved enterprise-wide security strategies were in place at 78% of respondents’ companies.
- Employee negligence and vulnerabilities in Microsoft programs bring the highest security risks, with no change in the top employee security concerns.
- A surprising 48% of the large companies surveyed had been targeted by online criminals, including disgruntled ex-employees.
- Companies are not doing enough to keep customer and employee data private, and only half actually notified customers when their data had been compromised. Many companies are also not doing much more than password-protecting their data, which isn’t enough in most cases.
- A disturbing one in six companies had lost equipment containing company data in the past year, and one in three respondents admits a security breach in the past year.
- Most security policies are not firmly practiced: this was the case in 75% of the surveyed companies.
The results of the survey are contradictory.
How can so many IT executives have faith in the system when clearly the system is failing in so many instances?
What are the costs?
“Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their Return on Investment (ROI)” (D’Amico, 2000). Security systems and software do not generate income, so it is hard for a business to rationalize which solutions are adequate. Businesses also want systems and hardware that are easy to use, and security generally makes systems less usable. Van Niekerk and Von Solms (2010, p. 476) make the argument that “the goal of securing information is, to a certain extent, in conflict with the normal business goals of maximizing productivity and minimizing cost.” Perhaps management that has already had to pay for a breach would then see the return on investment in security programs.
What happens to the company when the system fails? What are the costs of a security breach? D’Amico (2000, p. 1) points out the following tangible and intangible aspects of a breach:
Tangible (D’Amico, 2000, p. 1)
- Lost business, due to unavailability of the breached information resources
- Lost business, that can be traced directly to accounts fleeing to a “safer” environment
- Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
- Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
- Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
- Public relations consulting costs, to prepare statements for the press, and answer customer questions
- Increases in insurance premiums
- Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.
Intangible (D’Amico, 2000, p. 2)
- Customers’ loss of trust in the organization
- Failure to win new accounts due to bad press associated with the breach
- Competitor’s access to confidential or proprietary information
There are other possible losses not mentioned here, including stock prices falling due to lack of trust in the organization, degraded employee morale and trust in management, and, most importantly, the effects on the personal and financial livelihoods of the people whose private information has been revealed.
Financial losses can be the most unanticipated, because nearly all of the costs, tangible or intangible, have a significant financial consequence for the organization. Depending on the type of breach and the amount of data compromised, security breaches can cost anywhere from $90.00 to $350.00 per record according to Forrester research, not including the intangible losses (D’Amico, 2000). If the breach is significant, it can force a business into bankruptcy, so it is important for executives to estimate the cost of a possible breach, based on published research and the amount of data they protect, and factor this into the company’s financial plan.
Why does this happen?
After decades of research, data, and improvement in security technology, one would think that a business has a good chance of avoiding a security breach. Unfortunately, along with technological advancement come increased vulnerabilities in computer systems. Hackers and coders update their technology and innovations faster than most companies update their own. Anti-virus and anti-malware software can only work as well as the technicians who install and update them. If a business outsources its information technology, there is no guarantee that the employees working on local computers are keeping security software up to date.
Research shows the biggest threat to an organization’s security is not the security software, but the employees who work there. “Employees, whether intentionally or through negligence, often due to lack of knowledge, are the greatest threat to information security” (Van Niekerk & Von Solms, 2010, p. 477). Simply put, in most cases employees do not have the knowledge to apply the correct security techniques every time. This threat increases if the company fails to train employees on proper security procedures and to develop security policies which convey the importance of protecting corporate and customer data.
Prevention (training, stakeholders, accountability, IT upgraded/budgeted)
In an effort to protect themselves, and also to arm themselves with competitor information, corporations are hiring a slew of security professionals. A fairly new concept, beyond that of the CIO, is business intelligence. Daft (2010, p. 573) defines business intelligence as “high-tech analysis of large amounts of internal and external data to spot patterns and relationships that might be significant in helping managers to make better strategic decisions.”
Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), 432-445. doi:10.1016/j.cose.2009.12.005
Allen, M. (2005). A day in the life of mobile data. Management Services, 49(4), 14-15. Retrieved from Business Source Complete database.
Alter, A. (2006). It can’t happen here–but it does. CIO Insight, (72), 41-53. Retrieved from Business Source Complete database.
Caelli, W. (2002). Trusted …or… trustworthy: the search for a new paradigm for computer and network security. Computers & Security, 21(5), 413-421. Retrieved from Business Source Complete database.
Da Veiga, A., & Eloff, J. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196-207. doi:10.1016/j.cose.2009.09.002
Davis, D. (1992). OPSEC: Not for government use only. Security Management. Retrieved from http://www.thefreelibrary.com/_/print/PrintArticle.aspx?id=11871376
D’Amico, A. (2000). What does a computer security breach really cost? Secure Decisions. Retrieved from http://www.avatier.com/files/pdfs/CostsOfBreaches-SANSInstitute.pdf
Daft, R. (2010).
Eyewitness to History. (1997). Loose lips sink ships. Retrieved from http://www.eyewitnesstohistory.com/lslips.htm
Freed, J. (2010). Create a security culture of data protection, compliance. Hotel & Motel Management, 225(5), 1-28. Retrieved from Business Source Complete database.
Straub, D.W., & Welke, R.J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441-469. Retrieved from http://www.jstor.org/stable/249551
Van Niekerk, J., & Von Solms, R. (2010). Information security culture: A management perspective. Computers & Security, 29(4), 476-486. doi:10.1016/j.cose.2009.10.005