It’s Time To Change Your Company’s Security Culture to Reduce Unnecessary Costs and Departmental Silos

SonyHackBlogA year ago today, we were hearing about how Sony, the proverbial punching bag, was being targeted yet again. This time it was a hacker group trying to stop the release of the movie “The Interview”. While the Ashley Madison hack is the most prominent hack of 2015 so far, Sony is truly a case study for how a poor cybersecurity culture affects all facets of a business.

For example, when the security culture of your company enables a folder titled ‘Password’ to exist, like Sony, you’re at risk. If you’ve been continuously hacked and haven’t made any drastic changes, you’re at risk. If you’re part of the 60 percent of companies that do not have a clear and documented strategy to handle a data breach, according to an AFP Risk Survey, you’re at risk.

In the ruthless market we live in today, giving customers even the slightest chance to find fault with your product, service or company can be costly. Consumers can easily switch over to another brand.

The good news? You don’t have to be like Sony.

Remove Silos and Document Your Policies

When crisis strikes, emotions and objective thinking can go right out the window. That can lead to making an already bad situation even worse. So, how can you reduce the chances of adding even more fuel to the fire? How can you minimize the unknowns?

First, discuss with the appropriate employees any potential cybersecurity and business risks. If you don’t know who the IT person is, it’s a great opportunity to meet your co-workers. If you’re in the IT department managing security, you need to ensure that companywide, employees understand the importance of protecting your data.

In a study involving public companies, 87 percent of board members are briefed once a year, 33 percent briefed as least quarterly, and 13 percent are not briefed at all. The previous year, 29 percent said they were never briefed. With the speed in which technology changes, frequency is important. However, the decrease from 29 percent to 13 percent “not discussing security” is a sign for optimism.

Now that you’re discussing security with your boss or your employees, you can create an organized document detailing your security guidelines and best practices. This includes not just IT, but executives, accounting, marketing, human resources, and sales. Everyone is affected. This way when, not if, a crisis strikes, it’s handled with a clear course of action.

The key is to make sure everyone within the company adheres to the security policy. That’s not easy. Using examples and analogies like Sony helps put things into perspective. Thus, when that day comes, your IT team will know what to do, your marketing or communications team will know how to handle any media or customer inquiries, and the rest of your staff will know what each department is doing. Take a unified approach and make sure your employees and peers aren’t kept in the dark.

Create the Culture of IT Being a Strategic Internal Partner, Not a Cost Center

It’s still a tough sell for some businesses to view IT as a strategic internal partner. Executives, sales and other departments sometimes see endless amounts of cash flowing into their IT departments. Yes, technology and cybersecurity aren’t cheap. But, when you think about it, IT has the ability to make every day business operations easier, faster and resilient. IT should be helping sales to close more deals, protect employees’ records, streamline internal processes, and of course, ensure the network is running.

So, if you’re an executive and your IT director or manager has been bugging you about proactively designing a security strategy, you should listen or you risk opening yourself up to trouble. If you’re an IT director or manager and an employee is bugging you about implementing a security strategy, you should. Otherwise, when disaster strikes, he or she will have your job—that is if your company eventually recovers.

According to BDO, an assurance, tax, financial advisory and consulting services firm, 69 percent of corporate directors report that their board is more involved with cybersecurity than it was 12 months ago. In 2014, is was 59 percent. However, it’s not voluntarily. From the same report, 22 percent said their company experienced a cyber breach during the past two years, double from the previous year’s 11 percent.

Let’s Talk About Costs

In Sony’s case when its network went down, “employees were forced to communicate by paper memos, texts, phone calls from their personal cell phones, and temporary e-mail addresses.” Talk about a loss in productivity.

Here are some questions to consider:

  • What would your business do in this situation?
  • How much money do you think you’d lose?
  • Sony’s lost hundreds of millions of dollars. Were employees reimbursed for cell phone usage? Was any private data compromised using non-corporate email?
  • Have you thought about what would happen if your network is hacked and your employee/customer information is stolen?
  • Have you thought about the associated costs?
  • How would you manage your brand?

I can speak from personal experience. At one of my previous jobs a human resources employee’s laptop containing sensitive employee data was compromised. I was one of the affected people. My employer explained the situation, what was being done and what safeguards were in place. Due to their policies, they were absolutely confident there were no concerns, but the company provided one year of free credit reporting and identity theft in the event there was something suspicious. That costs money.

For the sake of this post, let’s use Experian’s Identity Theft Protection service. It costs $15.95 a month for individuals. That’s $191.40 a year. Now, make it a few thousand people (we’ll say 2,000). Even if Experian gave a bulk discount and it wound up running you $12 per person, it would still cost you $288,000 a year. That’s an unexpected cost. And, that’s just to cover internal employees. What if the data breach had been with customers? Oy vey – now it’s a public image issue as well. One of those images is trust.

Companies invest vast amounts of resources into marketing, sales and customer experiences in hopes to earn customers’ trust. However, when those same companies fail to protect your private information and it’s compromised, trust is gone.

 Brand Equity vs. Customer Apathy

Despite all of Sony’s blunders, it’s abundantly clear, that they’ve remained immune to the brand damage experienced by other companies that have been hacked. After Sony’s PlayStation game system was hacked in 2011 and users’ credit card numbers was put at risk, almost half, 46 percent of almost 10,000 Sony customers surveyed said their opinion of the brand didn’t change.

The gamers and in-home entertainment crowd remain loyal. Digital World Research was “surprised at how quickly user numbers spiked back online” for Sony’s network. The PlayStation 4 unit sales continued to dominate Microsoft and Nintendo.

Which brings me to ask this question: Are people becoming desensitized to hacks like this? Are you? Do we expect data breaches to happen and for companies to take care of us with free credit tracking, a discount on service, or wait for our bank to issue new cards? Do you think it will happen to someone else before it happens to you? We’re continuing to push the envelope into what information we put into the digital world. The consequences are only increasing.

But while Sony may appear to have successfully overcome the bad press that comes with a data breach, not all companies are that lucky. Overall, the public trust in companies’ security practices is low, according to a 2014 AdWeek article about how hacking can undo years of brand equity. Seventy-three percent of 2,000 respondents believe companies don’t care about keeping private data secure.

I understand nothing is ever 100 percent secure. Sooner or later, a company’s data could be breached. The exponential growth of big data makes it a given. As long as businesses step up to the plate, work to resolve and correct the situation and explain how they will work to prevent it from happening again, it’s not fair to hold it against them. However, the moment negligence is discovered, the measures a company must take to attempt to earn my forgiveness are quite extensive.

To make situations like this more complicated, companies aren’t incentivized to be on the offensive side of cybersecurity spending. One argument is the moral hazard. This means that the breaches themselves may cost less than preventing them. Why? According to a great TechRepublic article, “Data breaches may cost less than the security to prevent them”.

In plain English, companies like Sony don’t need to invest heavily in prevention because they don’t bear the brunt of the costs. When an attack occurs other organizations and people bear the expenses. Banks have to issue to new cards, insurance companies are paying claims, tax reductions are taken, and customer inconvenience is even figured into being a cost. So, the company makes enough sales and revenue they can survive and move on, but what about the smaller companies?

One answer to solving the moral hazard is increased penalties, but that requires government intervention. That is something that will only muddy the waters and probably make things worse.

The real solution is that we, as consumers, have to rise up and hold companies accountable.

As I bring this to a close, here are the three main action items:

  • Document your cybersecurity strategy. Share it with all of your employees and let them know where they can find it. There are links below that can help.
  • Eliminate the silos in your company. Departments should be talking. Even if it’s one hour every couple weeks to briefly discuss issues, it’s a start.
  • Talk to your employees about security policies and best practices. Make them feel included.

To repeat what I asked above, I’d love to hear your thoughts:

  • Are people becoming desensitized to hacks like this?
  • Do we “expect” them to happen and just wait for our bank to issue new cards?
  • Do you think it will happen to someone else before it happens to you?

Visit our Cybersecurity Champion hub to learn more protecting your business.

Related Blog Posts
A Look Back at 2014 Security Breaches
Risk Manager and Cyber Tips for Business
New Year, Simple Advice: Lower Cyber Risk and Reduce Liability

Related White Papers
Cybercrime 101
10 Things Security Experts Wish End Users Knew

In this article

Join the Conversation