The past year has seen near-constant revelations of large, well-respected institutions suffering cyber-attacks. The most damaging attacks, however, often never make it into the media. Yes, political hacktivists brag about Web pages defaced and customer information released over the Internet, but companies rarely reveal the attacks that result in the loss of valuable intellectual property — business plans, proprietary technologies or fraudulent payments. These attacks can be devastating. Some companies have seen "bet-the-company" manufacturing technologies replicated overseas just days or weeks after putting them into production.
These attacks are increasing in number, even as companies increase investments in security technologies, improve their capabilities, and tighten policies. Why? In part, the continued migration of business value online has attracted more capable malevolent actors, including hacktivists seeking to score political points, national intelligence agencies looking for economic advantage, and cyber-criminals looking to engage in fraudulent transactions.
Despite these risks, companies' technology environments are more open and connected than ever before. They sell to customers online, interconnect their systems with those of business partners, and enable their employees to collaborate using mobile applications. This means that cyber-security cannot be seen as a separate business function. It is interwoven throughout all your most important business processes, whether it's account opening in financial services or reporting patient test results in healthcare. And the users of those processes — your own customers and employees — are your greatest vulnerability. They share passwords, click on infected emails, and forward sensitive data to the wrong recipients.
While security technologies like data loss protection can help, substantially reducing the risk of losing valuable information requires changing user behavior. You can make customers provide more rigorous authentication before they make a transaction, or have managers limit distribution of sensitive plans. Unfortunately, though, it's all too easy to grind your business to a halt with doctrinaire security policies. As one chief information security officer for a global bank said, "If we did all the security checks we'd like to before connecting with new hedge fund customers, they would just take their business across the street."
We've found that you can strike a better balance by asking these three questions about cyber-security:
1. How do we strike the right balance between secure online transactions and a great online customer experience?
There's an inherent tension between more rigorous sign-on, such as sending a one-time passcode to the customer's mobile phone, and customer convenience. Some companies have moved beyond just assuming that tighter security policies are unacceptable and have started to make security decisions based on customer research from focus groups and user labs. Going forward, we believe that more companies will offer options, requiring a baseline level of protection for everyone, but also allowing customers themselves to make trade-offs between convenience and the security of their data. Offering multi-factor authentication as an option to security-conscious customers is one possibility, or requiring it of high net worth customers who may be particular targets for cyber-criminals.
2. How do we protect intellectual property and other sensitive business information while also encouraging collaboration in product development processes?
Intellectual property and other proprietary information represent some of the highest-stakes cyber-security challenges. Loss of information about a proprietary production process to an off-shore competitor could reduce profits by hundreds of millions of dollars per year. At the same time, the free exchange of information, cross-pollination of ideas across business functions, and cooperation with outside partners make it harder to control sensitive information or find the source of a breach when one occurs. Many companies have started to tier product development efforts, making distinctions about the extent of information sharing allowed based on the degree to which a competitor would be able to exploit sensitive information. For their most sensitive projects, they are providing specialized information security training and sometimes investing in technologies such as digital rights management so only authorized personnel can see a product plan, no matter where it's forwarded.
3. How do we make sure partners protect our data while continuing to optimize our supply chain?
Almost all companies have to share sensitive data with vendors and channel partners to operate modern supply chains smoothly. Manufacturing partners need to understand volume forecasts, and promotions often depend on proprietary customer insights, for example. Companies are adopting a variety of techniques to make sharing more secure and effective:
- Segmenting information so they don't have to make an all-or-nothing decision about whether to outsource a particular function. For example, some companies are looking into moving development and test environments to public cloud offerings, even though security concerns require them to host production applications internally.
- Building security requirements into contracting processes, so they communicate expectations and understand vendor capabilities before they sign a deal.
- "Leaning out" processes for performing security reviews before they connect with customer networks, so that they assess potential risks without delaying customer onboarding. It's not less security — it's the same amount of security implemented via a cleaner process.
- Incorporating vendors and other business partners into internal war games that test an organization's ability to respond to a cyber-attack.
As digital business becomes ever more pervasive, cyber risk management will become for most companies what financial risk management is for banks: a core part of all important business processes that requires senior engagement in the trade-offs involved.