The complexities of a company's technology infrastructure normally cause the eyes of even the most attentive and conscientious board director to glaze over. But a surge in sophisticated hacker attacks aimed at accessing confidential company information and sensitive customer details has caused CEOs and boards to ask serious questions about the safety of data.
The risk to companies from data breaches is not limited to the potential loss of intellectual property or confidential information. Companies face huge risks to the reputation of their brand if the personal or financial details of their customers are accessed by unauthorised individuals.
While the chief executive or chairman may not normally be required to understand all the inner workings of the company's IT systems, they are the ones who will first have to face up to the media and angry customers to explain what has happened and what the company will be doing about it. And the Privacy Commissioner will normally be hot on the heels of the media and customers.
Data breaches are nothing new. Protecting customer credit card details and other personal information has always been a legal requirement and an important role for any chief information officer. But, in the current environment, things are changing fast and companies are no longer dealing with isolated incidents of laptops left on trains or personal files inadvertently thrown into dumpsters.
Increasingly sophisticated and large-scale hacking attacks are now targeting credit card information and identity details held by companies around the world. But perhaps of most concern for executives is that the greatest danger could lie within their own organisation.
A disgruntled employee who accesses and distributes data normally gets far less media attention but can be just as dangerous.
In one case, an employee of a company leaving to join a competitor downloaded sensitive data onto a USB key. When his managers became aware of this, they retrieved the key via a court order but the employee had already printed out the data on a home computer. The files stolen would have reached about half the height of Sydney's AMP tower if they had all been printed.
There are several steps that boards and senior executive teams should be considering, to protect themselves against data breaches.
Data leakage prevention software is a given, as is intrusion detection software. But the key is creating a culture of awareness, and implementing clear, comprehensive policies regarding the security of data. That needs to be reinforced by training to make sure employees understand the policies and know that they are being monitored if they download or send large quantities of data out of the company's system. Above all, employees need to understand the reputational consequences for their own companies if they fail to ensure data is kept secure.
Getting system configurations right is also key. The log-in accounts of employees who have left the company should be deactivated straight away and remote access tokens recovered. Login details should be individualised as much as possible and steps taken to ensure they are not shared around with different employees. And where sensitive customer data is stored by a company, systems should, ideally, be able to record who accesses each customer record and when.
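As an added example that is not part of the original article, the Python script below implements three of the controls described in the last two paragraphs on constructed data: reconciling an HR leavers feed against the account directory to catch logins that were never deactivated, spotting a login that is being shared between staff (the same account authenticating from different hosts within minutes), and keeping a per-customer-record access trail that can also flag an account pulling an unusual number of records. Every account name, log line, date and threshold is constructed for illustration; the formats are assumptions, not any particular product's export.

```python
"""Added example: offboarding, shared-login and record-access checks.
All data is constructed for illustration; nothing here comes from a real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory export: account name -> owner and active flag
ACCOUNTS = {
    "jsmith":     {"owner": "Jane Smith", "active": True},
    "bwong":      {"owner": "Ben Wong",   "active": True},   # left, still active
    "shared_ops": {"owner": "Ops Team",   "active": True},   # team login
    "mlee":       {"owner": "Mia Lee",    "active": False},  # correctly disabled
}

# Constructed HR feed: people whose employment has ended, with exit date
LEAVERS = {"Ben Wong": "2024-03-01", "Mia Lee": "2024-02-10"}

# Constructed authentication log lines: "<ISO timestamp> <account> <source host>"
AUTH_LOG = [
    "2024-03-04T09:00:12 shared_ops ws-101",
    "2024-03-04T09:02:40 shared_ops ws-207",
    "2024-03-04T09:03:05 jsmith ws-101",
    "2024-03-04T11:30:00 shared_ops ws-305",
    "2024-03-04T17:45:00 jsmith ws-101",
]


def stale_accounts(accounts, leavers):
    """Accounts still active although HR records the owner as having left."""
    return sorted(name for name, info in accounts.items()
                  if info["active"] and info["owner"] in leavers)


def parse_auth(lines):
    """Turn the constructed log format into (timestamp, account, host) tuples."""
    events = []
    for line in lines:
        ts, account, host = line.split()
        events.append((datetime.fromisoformat(ts), account, host))
    return events


def shared_logins(events, window=timedelta(minutes=10)):
    """Accounts seen from two or more distinct hosts within `window`:
    the usual signature of one login being passed around between staff."""
    by_account = defaultdict(list)
    for ts, account, host in sorted(events):
        by_account[account].append((ts, host))
    flagged = set()
    for account, seq in by_account.items():
        for i in range(len(seq)):
            for j in range(i + 1, len(seq)):
                if seq[j][0] - seq[i][0] > window:
                    break  # events are time-ordered, nothing later can match
                if seq[j][1] != seq[i][1]:
                    flagged.add(account)
    return sorted(flagged)


class AccessTrail:
    """Append-only record of who opened which customer record and when."""

    def __init__(self):
        self._entries = []

    def record(self, ts, account, customer_id, action="read"):
        self._entries.append({"ts": ts, "account": account,
                              "customer_id": customer_id, "action": action})

    def history(self, customer_id):
        """Every access to one customer record, in the order it happened."""
        return [e for e in self._entries if e["customer_id"] == customer_id]

    def bulk_readers(self, threshold):
        """Accounts that touched more than `threshold` distinct records:
        the kind of volume that warrants a look, whatever the business reason."""
        seen = defaultdict(set)
        for e in self._entries:
            seen[e["account"]].add(e["customer_id"])
        return sorted(a for a, ids in seen.items() if len(ids) > threshold)


def demo():
    """Run all three checks over the constructed data and return the findings."""
    trail = AccessTrail()
    for i in range(1, 8):  # one account reads seven different records in minutes
        trail.record("2024-03-04T10:%02d:00" % i, "bwong", "C%04d" % i)
    trail.record("2024-03-04T10:10:00", "jsmith", "C0001")
    return {
        "stale": stale_accounts(ACCOUNTS, LEAVERS),
        "shared": shared_logins(parse_auth(AUTH_LOG)),
        "bulk": trail.bulk_readers(threshold=5),
        "c0001_readers": [e["account"] for e in trail.history("C0001")],
    }


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

On the constructed data the script reports `bwong` as a still-active leaver, `shared_ops` as a login used from two workstations within minutes, and `bwong` again as a bulk reader of customer records, while the history for `C0001` shows exactly who opened it. In practice the directory export and HR feed would come from the identity system and HR system respectively, and the trail would be written by the customer database itself rather than an in-memory list.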
If the worst does happen and a breach could involve customers' personal data, companies should take four key steps.
Containment of the breach comes first. Companies then need to evaluate the risk. That means determining what personal information of customers may be involved, the extent of the breach, and what harm may be caused to customers. The third step is to consider whether any customers need to be notified. Unlike in California, and many other US states, where notification of breaches is mandatory, companies have no legal obligation in Australia to notify customers of breaches.
But the Australian Privacy Commissioner does recommend that companies notify individuals if there is a real risk of serious harm to them, such as financial harm, identity theft, or even the threat of violence. Notification can sometimes mitigate the damage caused, and it can also bolster a sense of transparency. But that must be balanced against the risk of causing undue distress.
Last, a company should put in place a long-term remedy plan and take all steps needed to ensure a breach won't happen again. Through the whole process, it is critical for boards and senior teams to have a clear, concise and transparent plan for communication with the media and customers.
Google has talked openly about its systems being hacked. It has placed the focus on the motives and behaviour of the hackers, and emphasised that no system can ever be 100 per cent foolproof. Other organisations have let the shutters fall and made their response, or lack of it, become the story.

MIS Australia
Gavin Smith is a partner in Allens Arthur Robinson's media and technology team.