The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.
Instead, consider the following scenarios:
- An employee erroneously distributes the social security numbers and other personal information of every employee in the company;
- A customer’s email is hacked, resulting in your company receiving a fraudulent - but authentic-looking - set of instructions to wire payment to a specific bank account. The money disappears as soon as it hits the fake account; and
- Someone (unclear whether internal or external) gets into your company HR system and cracks several accounts, changing employee direct deposit information and locking employees out of their email.
I've gotten calls about each of these three situations just this week.
What would you do if this were your company? None of these is a catastrophic event, but every one of them involves disruption, investigation, acrimony, and significant amounts of time and money to resolve.
For a company that lacks the resources of Equifax, a seemingly small event like this could become catastrophic: your insurance might not pay; your customers might walk; your bank account might be compromised. On a smaller but still disruptive scale, you could become mired in reactive work (investigation, legal follow-up, relationship repair with customers and employees, HR actions) for weeks or even months.
Now think about a “minor” event like this, but where the information compromised is your company's core asset. That really would be catastrophic. And the plain truth is that these “minor” events are often preventable, or at least there is advance planning that could mitigate their impact. This is in plain contrast to the Equifax situation, where advance planning may or may not be enough to protect the plum assets of a high-value target from sophisticated actors.
Cyber and information security planning are not a purely defensive play. Investing in and planning for the security of your corporate assets – whether the company’s “secret sauce” or not – is a key offensive move for any organization.
If you're a growing company, investing in the integrity of your assets helps establish your value to potential buyers and investors.
If you're already at scale, planning and investment helps maintain it by allowing you to distribute and spend your profits for the benefit of your shareholders and your operations, rather than on reactive clean-up.
The legal exposure issues of a breach are real, but avoiding legal risk is not the primary result of planning done right.