14 Nov The Cyber Attack Conundrum
With new reports of major cyber attacks hitting the headlines on an almost weekly basis, such an attack is understandably every company’s worst fear. Yet the risk of computer network hacks has been a dangerous area of vulnerability for organizations ever since data went digital.
In fact, data on customers, employees, or business partners has been stored digitally for a long time, but much of that data used to reside in closed-off silos that were not connected to each other, never mind to the Internet. When these networks became interconnected through and over the Internet, the threat from cyber attacks grew precipitously, giving birth to the cyber security industry.
An All-Digital Environment
Now, with the majority of financial services being provided in an all-digital environment (i.e., no paperwork is necessary at all), it has become much easier for criminals to leverage any data that they obtain through illicit means. For example, opening a bank account or obtaining a credit card used to require a personal visit to a local bank branch, showing your driver’s license, and verifying matching signatures. Now, the same can often be achieved online if you have access to certain data (e.g., social security number, date of birth) or someone’s email account. Together, these developments mean that cyber security breaches now cause far greater damage to the victims and, correspondingly, bring far greater rewards for the perpetrators.
Yet it is also true that not all cyber attacks are equal in severity. From a legal perspective in the United States, the highest severity of a cyber attack is when personal health information (often referred to as “PHI” and containing data on someone’s medical conditions or prescriptions) is stolen. Most states have laws that mandate immediate disclosures and fines when such data gets into the wrong hands. Personally identifiable information (often referred to as “PII” and containing social security number or date of birth) that is stolen also falls under strict mandates in most states, with laws and regulations governing how an organization must respond. The number of people affected, of course, also determines the severity of a cyber attack, but the type of data that is stolen governs which sets of laws will come into play.
Protecting Your Data
As the complexity of cyber attacks continues to increase, it is important to recognize that there are no silver bullets when it comes to cyber security solutions. However, one key step an organization can take to protect its clients’ data is to appoint someone on the management team as a Chief Information Security Officer (“CISO”) and provide that person with the resources (staff and budget) to proactively protect all sensitive data in the organization. In addition, the board of directors should regularly question management’s commitment to protecting such data and establish quantifiable metrics for its oversight. Large global organizations should continue to work with their existing information technology vendors and partners to establish what protections are currently in place or should be put in place. Additionally, industry trade organizations regularly publish data governance standards that may affect the financial services, insurance, or manufacturing sectors, so any cyber security solution put in place needs to be open enough to accommodate changing standards. At the same time, any cyber security solution an organization implements needs to be tailored to its own needs and operating environment.
One of the surprising things I continue to see, even with incidents of cyber attack seeming to reach a fever pitch in recent months, is that many organizations still do not believe they are a potential target since they do not consider themselves a “high profile” company. Yet, they absolutely make sure all their doors are locked every night. Firms must continue to invest in cyber security defenses. Unfortunately, just as most software programs have become easier to use for everyday consumers, cyber hacking tools have become easier to use for criminals as well. As such, organizations of every size and stripe can become an unsuspecting target of a cyber attack that will be devastating for their customers, employees and bottom line.