Why CEOs Should Worry About Data Leaks

While it may be the CIO’s prerogative, the CEO holds a large stake in data security, because, at the end of it all, it is about the business. 

Business processes today rely heavily on enterprise-wide data and operations hubs, such as SAP, to handle the complete life cycle of product development, finance, customer relationships, human resources, and many other processes. These hubs, and the applications they contain, store and transact vast amounts of business-critical information. Users have long realized that their business revolves around such information. However, most users are unaware of a hidden danger: data leaks, which have multiple causes but stem especially from uncontrolled user downloads and data flows in the background.

In these days of heightened security challenges, which come in all forms, technological and human, one can never be too sure of one’s defenses. But, as our research and experience prove, the greatest challenge is the human factor: the one weak link in the security chain, malicious or otherwise.

Typically, application owners and users across organizations are aware of security risks, but sustainable remediation often fails for lack of budgets and resources. CISOs, who are responsible for resolving such issues, usually do not have their own resources and receive hardly any support from IT operations, as IT resources are already stretched thin across other priority projects. While the CIO still relies on his specialists for such problems, the issue finally ends up on the CEO’s desk. As the examples below show, although CEOs are perceived to be far removed from this issue, they are the ones directly in the line of fire in case of a data breach.

Working towards data security is a ‘balancing act’. Most CEOs do not give this issue the attention it deserves because, when valuable resources such as time and money must be divided between business-impacting projects and regulation-driven ones such as data security compliance, the bottom line comes first. Hence, despite awareness, other ‘business enabling’ projects take priority at the cost of a vital necessity, until an inevitable data leak occurs, impacting the brand, operations and ultimately the business itself.




What does it mean to lose data?

Losing data is the CXO community’s collective nightmare. Global media is replete with instances of data leakage debacles. Who has forgotten the episode of Anthony Levandowski, the Google employee who stole Waymo’s ‘intelligent car’ IP and sold it to Uber? Or Jason Needham, who stole information from his former employer Allen & Hoshall to start his own firm? Profit-and-patriotism stories are popular too: Jiaqiang Xu, the perfect IBM employee who stole IP to sell to China, and Dejan Karabasevic, who stole proprietary technology data from his ex-employer, AMSC, and sold it to the Chinese wind turbine company Sinovel.

The impact of such loss is all too well known. To put a number on the impact of such incidents, a report by infosecurity-magazine.com states, “Small and medium businesses lose up to $40,000 on average from fraudulent activity by employees, while the figure for enterprises exceeds $1.3 million.” However, what is truly damning is that the loss of IP and other critical information is tantamount to a loss of trust in the brand. This is the one thing that the CEO can ill afford to lose.

According to a report by Accenture last year (State of Cyber Resilience Report), CEOs have a direct role in instituting robust data security practices in their organizations – and this includes the control of relevant budgets. Thus, for the serious CEO who runs the business, it is a decisive call.

What should CEOs do?

Data security is a collective game. The serious CEO needs to approach the issue in a way that encompasses all relevant practices and technologies. While it is the direct prerogative of the CIO and CISO to issue policies and execute data security practices, the CEO’s mandate should ensure the rollout of, and adherence to, organization-wide policies that bring company-wide awareness to Governance, Risk and Compliance issues and regulations. At a direct level, CEOs must empower the IT security leadership team. Management and IT must work together – and the CEO should influence this.

In today’s world of data-centric operations and business processes, it stands every CEO in good stead to be completely informed about the need to ensure safeguards against data leaks. Protection of IP is as important as the creation of new IP.

If you are a CEO, your skin is in the game.

Visibility – The first step towards robust security

The first step in having a robust data security practice is to be able to view the who, what, where, and when of any given data transaction. With this capability, data security managers can identify insider threats amongst employees or contractors. The data retrieved in the audit log will clearly tell if malicious employees have unforeseen access to sensitive information. This pure visibility into business activities allows an enterprise to isolate its internal threats and close the gaps in security for optimal data integrity.

SECUDE’s HALOCORE provides a dedicated data protection solution for SAP. If you head an organization that uses SAP, you should learn about how to protect data egressing from your enterprise.
