There are a number of ways in which data security can directly affect company value. The ones that grab the headlines are those where data insecurity is exposed in court. Others include the costs of being hacked and the opportunity costs of simply not managing data well.
The cost of falling foul of regulators, with a case that ended up in court and on the front pages, was amply demonstrated in May 2005. Coleman (Parent) Holdings successfully sued Morgan Stanley, alleging the bank fraudulently influenced it to sell one of its companies to Sunbeam. “During the discovery phase of the litigation, Morgan Stanley overwrote e-mails, failed to timely process hundreds of DLT and 8mm tapes, and failed to produce relevant e-mails and their attachments,” explains Michael Taylor, legal consultant at legal technologies services provider Kroll Ontrack. “As a result, the jury awarded $1.45bn in damages against Morgan Stanley and the bank offered to pay the Securities and Exchange Commission (SEC) $15m to settle an investigation by the regulator into an alleged failure by the firm to produce e-mail evidence during a legal dispute.”
Clearly, the issue here is an organisation’s duty to store and produce electronic data when litigation occurs. It is equally clear that if a company has not properly saved documentation (paper or electronic) and does not provide the requisite data to the court, it stands to receive massive multimillion-pound punitive fines or even criminal prosecution. However, in spite of such high-profile cases, it is debatable whether the message is getting through. According to DISUK’s “Paranoia Audit”, only a third of worldwide IT directors and managers say that the wave of high-profile data losses during 2005 has changed their company’s approach to backup security.
Perhaps part of the problem is that companies are very often not aware of the risks they are taking because they are not aware of the depth to which they should go in managing documents and messages. For example, electronic documents contain information that, if inadvertently leaked, can have a big impact on reputation and value too. One such security breach involved pharmaceutical giant Merck. “Incriminating data regarding the link between heart attacks and the use of Vioxx, a drug manufactured by Merck, was discovered deleted from Merck’s study submission to the New England Journal of Medicine,” explains Ken Rutsky, VP marketing at Workshare, a company that produces software for managing “outbound” data and content. “The deleted content was revealed through a simple ‘Track Changes’ manipulation in Microsoft Word. The discovery had severe repercussions for the company’s reputation and it is no coincidence that today, Merck faces more than 13,000 Vioxx-related lawsuits.”
When it comes to assessing the costs of being hacked, it is hard to point to a precise figure, but not hard to indicate the scale of the risk. “In July, Sophos revealed that it has seen more than 40,000 new pieces of malware in the past 12 months,” says Graham Cluley, senior technology consultant at Sophos. “Traditional methods such as viruses and worms are now being outnumbered 4 to 1 by Trojan horses, which download malicious code, spy on users, steal information or gain unauthorised access to computers.” Internal fraud appears to be increasing both in terms of volume and scale, too.
More broadly, according to the UK government’s Department for Trade and Industry’s Information Security Breaches Survey 2006, well over two-thirds of all businesses of any size report having had security incidents in the past 12 months. Further, the number of reported incidents is rising. The median number of incidents suffered is roughly eight a year, an increase on the figure from two years ago. The cost associated with security incidents has also risen. In 2004, the average cost of a UK company’s worst incident was roughly £10,000; it is now £12,000. The report adds that few companies have a “security-aware” culture. Security expenditure is either low or not targeted at key risks.
The DTI recommends the development of a risk-based approach to information security, lest companies find themselves fighting yesterday’s data security battles. Moreover, it highlights new risks that are arguably even more dangerous to reputation and value. The report says: “UK companies are also poorly placed to deal with identity theft; only 1 per cent have a comprehensive approach to identity management (authentication, access control and user provisioning).” It continues: “84 per cent say there is no business requirement to improve this. As more customers and suppliers are granted direct access to corporate systems, this will represent an increasing exposure.”
Finally, there is the matter of opportunity costs. This, again, is a speculative assessment, but it should nonetheless be part of the business case. Martin Gibbon, head of risk at SAS UK, points to three key areas: “Most importantly, there will be reductions in fraud losses. Organisations will be able to see the levels of fraud that existed within their operations and will therefore see the return on the investment.”
The second area is the creation of what he calls “a resilient organisation”, one that will not fold when a severe event occurs. The idea is that the perpetual adoption of steps to minimise risks to company data will, in turn, build defiance into the culture of the organisation. The principle is that fighting fraud or complying with regulatory frameworks needs to be tackled culturally as well as technologically.
Finally, there is the reduction in reputational risks. “Fraud is extremely damaging to an organisation’s reputation, potentially scaring customers away whilst also affecting new business,” he warns.
The issue that the company faces when defining its strategy for implementing data management is how to ensure that security considerations are woven into the business case and that security is built into the eventual solution. “One thing is clear,” concludes John Redeyoff, director of information security at NCC Group, a specialist IT security company: “You can’t implement your data management strategy and then add in information security as an afterthought.”