Used for extortion and industrial espionage or sold for criminal purposes, corporate data today is at the centre of a vast global traffic worth billions of dollars. With data becoming highly valuable, cyber-pirates are on the lookout for vulnerabilities, targeting all types of companies across all sectors. Banks, e-commerce and manufacturing companies, multinationals and SMBs: everyone is under the threat of an attack.
As companies adapt to the digital transformation and dematerialise their processes, data has become a key element of corporate strategy, and ensuring its confidentiality has never been so important. Information is, indeed, at the heart of companies’ operations. Whether in the context of a merger/acquisition, an R&D programme or a development strategy, companies hold thousands (or even millions) of data items that they disseminate within or outside the company.
However, while most companies have already invested in many security solutions (anti-virus, firewall, IDS, anti-spam…), their data is not always as safe as they believe. Threats increase by the day and become increasingly sophisticated, exposing companies’ vulnerabilities.
The data theft stories regularly published in the media highlight that, more than ever, companies need to question their security systems. Following a recent high-profile data theft, the CEO of the British Internet service provider TalkTalk admitted that their customers’ sensitive data ‘was not encrypted’. Recently, VTech, the toy manufacturer, announced that 4.8 million parents’ accounts and 6.3 million children’s profiles had been stolen. Troy Hunt, an Australian security expert, mentioned in the media that the systems he analysed were equipped with 5-year-old technology. It is not uncommon to see companies running obsolete systems, which puts them at risk, since they do not have the correct tools to protect themselves. The manufacturer also conceded that its database was not as secure as it should have been. An acknowledgment far from reassuring for those whose data was stolen.
Recent IT developments have profoundly changed the way companies operate, with the volume of data increasing rapidly and the management of information changing. With email, broadband and mobility becoming mainstream, companies have increased their productivity and have extended their scope of work beyond their borders. However, the pace of data digitisation and the ever-increasing security needs associated with it have caught some companies by surprise, creating a flaw that cyber-pirates exploit.
Often forgotten, the human aspect is a risk factor for companies. Phishing attacks, extortion of information by scammers, and loss or theft of company laptops are just some examples that reveal the contradiction between the sense of security felt by many employees and the actual risks associated with unintentional errors. Another source of vulnerability for companies is email, one of the most frequently used means of corporate communication. Security breaches may originate from any department, at any level – from the CEO to an assistant. Companies must respond to this issue by raising awareness amongst their employees, explaining the risks and challenges.
Apart from the reputational risk and the potential loss of business, data theft due to a lack of security exposes companies to legal risks. While European law already imposes a duty of safeguarding and requires companies to take “all the appropriate technical and organisational measures”, the French state is also keen to see companies set good practice for data management. The ‘Digital Republic’ bill, drafted last year, gives new powers to the Cnil (Commission nationale de l’informatique et des libertés), allowing the organisation to impose financial penalties on companies that have lost personal data.
Underestimating the importance of data security exposes companies to multidimensional risks and can also jeopardise their long-term development. It is, therefore, crucial for companies to have in place a rigorous and transparent security policy, which includes protection tools adapted to their needs.
Recommendations to counter all possible threats
- Integrate the security dimension as early as possible when defining your digital strategy
According to a Roland Berger Strategy Consultants study, while 57% of companies identify digital as a mid-term strategic focus, only 36% of them have actually formalised an adapted strategy, despite the fact that multichannel strategy, customer relationship and optimised internal processes increasingly rely on dematerialisation. A strict definition of objectives is key, and securing dematerialised data – crucial to the success of the strategy – must be included early in the process.
- Avoid digital paranoia
There are risks, and cyber-pirates are on the lookout. But it is crucial not to develop a digital fear, which would be counterproductive and would limit companies’ development opportunities. There are data protection tools adapted to companies’ needs that secure shared and stored data.
- Set up a security policy accessible to all
As in any transformation project that marks a rupture, resistance to change is an important factor. The security element that must accompany this change can be perceived as complex and burdensome, slowing down employees trying to reach their sales objectives. For an optimal result, the platforms selected by companies must be easily integrated into the work environment to ensure a high level of acceptance by users, while meeting companies’ security needs.
- Develop training courses on security issues
Let’s not forget that in many cases the security breach comes from within the company. New security norms must be created, and all employees, whatever their title and job, must get adequate training. The threats, risks and security measures that employees might have to face must be part of any training course.
- Prevent rather than react
In 2014, 55% of French companies were reported to have fallen victim to fraud. A strong figure that reminds us of a stark reality: everyone should be concerned. It is not so much a matter of if, but when, an attack takes place. According to a recent study by CXP, companies prioritise investments in detection and reaction services, then comes the implementation of solutions, and last, prevention. Time and cost are two factors that should also be taken into consideration. It takes on average 46 days to fix the damage of a cyber attack, and costs can reach up to USD 3.79 million per attack. Choosing to deal with the damage caused by a cyber attack, rather than preventing it from happening, constitutes an obsolete security policy. Waiting is just not an option anymore.
- Do not reject Cloud solutions for security reasons
While various solutions are currently available, the Cloud has become over the last few years a solution offering much-needed flexibility and reliability. It is important to choose a solution that allows the storage of data in certified data centres, in the country where the supplier operates, so that data does not leave the country. Some Cloud platforms also include multiple, sophisticated security features such as data encryption on the server and during transfer, protection against the administrator and the supplier, and multi-level authentication, to ensure optimal security.