“Global Network of Hackers Steal $45 Million from ATMs”; “PlayStation Network Attacks May Cost …”; “Foxy data leak sparks staff security alert”; “USB flash drive with patients’ info missing at HK clinic”.
These are the kinds of headlines that may result in brand damage, financial loss and a drop in market share, and may even cost many chief executives their jobs.
Today’s business environment relies on digital technology to function; it brings great opportunity as well as risk.
Organizations face higher security risks than in the past, but many still view this topic as something that either does not affect them or is not important enough to warrant their time or resources.
The number of privacy complaints has risen from 1,001 in 2009 to 1,792 in 2013, a 47 percent increase in just four years.
The government implemented the amended Personal Data (Privacy) Ordinance governing the use of personal data on April 1, 2013.
This reflects the public’s growing concern for privacy and data protection and calls for organizations to address the subject more seriously.
Companies need to set up proper policies and procedures, provide training to staff, assess risk, and review and update content periodically.
With the rapid growth of technology and new initiatives such as cloud computing, mobile technologies, BYOD (bring your own device) and big data analytics, risks such as data leakage, system breakdown and APT (advanced persistent threat) have emerged.
A Deloitte study shows that the average amount of time needed to resolve a cyber attack is 24 days at an average cost of US$591,780.
Another study shows that 59 percent of respondents had a data breach in the past 12 months, of which 70 percent had medium to high impact.
Some experts say it is only a matter of time before an organization will experience some kind of data breach.
Can this be prevented? And if there is data leakage in your firm, how should you respond internally and externally?
The answer requires a feasibility study to identify the weakest links, classification of data according to its sensitivity, policies and procedures on data loss protection, and automated solutions.
Firms need a strong internal control system to monitor and protect their data to ensure independence and information security.
Organizations should conduct periodic assessments of their external network and internal vulnerabilities, using internal resources or hiring professional consultants, to identify potential weaknesses that could lead to security problems.
However, cyber security is no longer just an IT issue but one that involves the board and management in the planning and monitoring process.
A top-down approach should be adopted, from the corporate level to the business units, from business processes to integrated technology and vice versa.
Since technology is evolving rapidly, organizations should review business flows and consider the integration of process with technology, such as establishing internal controls and procedures and incident response plans to reduce possible damage and minimize recovery time and cost.
Information protection regulations should be jointly enforced by the business community and government.
Regulators from different jurisdictions have started to reinforce personal data and cyber security laws and regulations.
The European Securities and Exchange Commission wants stronger guidance on cybersecurity disclosure. Stock exchanges are implementing similar guidelines.
Many world-class institutions are complying with these rules, which require them to disclose cyber security and breaches in their annual reports.
With fast-emerging technology in the cyber world, organizations should be aware of the different types of risk and how they can protect the company from viral cyber attacks as well as omissions, errors and fraud.
No security is totally fault-proof, as people make mistakes, equipment does fail and threats keep evolving.
While there is no way to predict every possible threat, cyber security protection and detection is an ongoing process, not a one-off fix.
The writer is a partner at Deloitte.