Sages hoping to make their name by adding a new inevitability to the list currently headed by death and taxes could do worse than spend a week or two exploring the information security industry. The time would be well spent because even the bitterest of foes and fiercest competitors in the industry agree that hackers have morphed from clever kids showing off their skills into deadly serious cyber criminals intent on fleecing anyone and everyone they can find online.
The industry also agrees that every business will eventually catch the attention of online criminals, even if only through the many automated attacks prowling the internet.
The need to defend against their exploits has long been obvious to chief financial officers, who are wary of incidents such as bank accounts being emptied by hackers. Interaction with IT specialists is, therefore, a business staple.
Recently, a new dimension to the need for information security has come to light: defending a reputation and the potential cost of a damaged reputation.
To understand how reputation came into the equation, consider the case of The TJX Companies, a United States retailer. In early 2007, a successful hacking attack meant the details of more than 90 million credit cards belonging to TJX customers fell into the hands of criminals, who went on a spree.
The company failed to immediately inform customers or the financial institutions concerned, making the flood of unauthorised transactions on the credit cards of thousands an unpleasant surprise. Banks were unhappy to have been saddled with thousands of fraudulent transactions for which they were suddenly liable, and grumbled long and loud as TJX unearthed the extent of the hack and totalled the number of stolen card numbers.
The company has since weathered a public relations storm, a class action from aggrieved customers (many of whom confessed to US newspapers that they did not intend to shop with TJX again) and has brokered a $US40 million settlement with the banks that are liable for many of the transactions carried out by the credit card thieves.
IT COULDN'T HAPPEN HERE
TJX's share price has remained robust in spite of the incident. Yet the company's reputation has been severely dented, if only because it is often quoted as a case study for just how bad things can get when information security fails.
One aspect of the TJX case couldn't happen here: the obligation to tell affected customers that their credit card details had been stolen. That's because Australia does not have laws that force businesses to disclose privacy breaches.
But such laws were first promulgated in California in 2002 and have since spread to 40 US states. Canada, Britain and New Zealand are considering similar laws.
Legislation making it compulsory to inform all parties is also under consideration in Australia, where Democrats Senator Natasha Stott-Despoja has tabled amendments to the Privacy Act to force disclosure.
"There is substantial evidence that privacy breaches are occurring routinely," says the Democrats' policy statement on the issue. "But with no legal obligation for such breaches to be disclosed, the problem is unrecognised and people are left in the dark about whether, and to whom, their sensitive personal information may have been disclosed."
The proposed amendment would, the policy note adds, "place the onus on government and businesses to notify an individual when there has been a confirmed or reasonably suspected breach of data security involving that person's sensitive information".
The Democrats have allies in the form of the Australian Law Reform Commission and the Office of the Privacy Commissioner.
The latter has said, in a submission to the ALRC, that "the Office generally supports consideration of the addition of provisions to the Privacy Act to require agencies and organisations to advise affected individuals of a breach to their personal information in certain circumstances".
The ALRC's position on the matter, articulated in its September 2007 Review of Australian Privacy Law, is that "agencies and organisations should be required to report to the Office of the Privacy Commissioner (OPC) and the individual concerned any data breach that results in a real risk of serious harm to the individual. This provision would be of greater utility than a general requirement to log all uses and disclosures of personal information because it focuses attention only on where some error has occurred in the handling of personal information".
The commissioner in charge of the ALRC's privacy inquiry, Les McCrimmon, says the organisation's support for the laws in the report stems from the fact that "advances in IT have resulted in vast amounts of personal information being kept electronically and [have increased] the potential for that to be accessed by unauthorised individuals".
Yet the ALRC's "no serious harm" test is a lighter test than the Democrats' proposal, which would require notification of any breach. McCrimmon says the ALRC's proposed test was devised after input from business that compliance costs were an issue.
The electoral plight of the Democrats, who will lose their representation in the Senate on July 1, means Stott-Despoja's amendment is unlikely to succeed.
But the idea will not die with the Democrats. In May, the ALRC will release its final report on privacy issues to the Attorney-General. McCrimmon says he cannot comment about what the recommendation will be until it is tabled, but Andrew Walls, a research director at analyst firm Gartner, believes it is only a matter of time before the provisions reach Australia.
"Breach disclosure legislation is inevitable," Walls says, adding that the impact on CFOs will be significant.
"There will be added costs to changing operations to detect breaches," he says. "There will need to be systems to monitor and capture incidents," which will require more cash.
Finance chiefs will have to understand the expenditure needed to establish the new controls, but Walls says the more profound effect of privacy breach disclosure laws will be to make CFOs contemplate the impact when their businesses report a breach.
"What is the impact on the market image?" Walls asks. "Customers of a bank, for example, might start to consider how good their bank is at protecting their private information as part of a purchasing decision.
"For traded companies, what would it do to the share price?
"The whole C-suite will need to understand the impact and there will need to be a very good PR plan in place."
CHANGE OF THINKING
For Bjørn Arne Berge, a partner at Accenture, who leads the company's security technologies group for South-East Asia, Korea and Australia, the impact on CFOs is even more profound.
"Legislation that mandates reporting will, I think, immediately mean much higher visibility for security people," he says.
"When I talk to security people today, they are trusted to provide security but treated as just a line of expenditure, and any IT department is always told they want more value or more IT for less money."
That attitude, he says, will need to change once privacy breach disclosure laws arrive. CFOs will need to pay more attention to IT security staff and issues, so they can reassure the business that they have done all they can to minimise the likelihood of a disclosure incident.
Finance chiefs who today look to security as a line item to be reduced will need to think differently. "CFOs will need to know how to ask the right questions about security products, technologies and risk assessment methodologies," Berge says. "This will be part of their overall risk, so CFOs will have to deal with it."
They will also need to make sure they have visibility of security teams. "One security officer I speak to has seven reporting levels to reach C-level," he says. "This means security does not have an executive sponsor.
"If there is a requirement for disclosure, you have to report it quickly and that will not happen with seven layers."
That means CFOs will also need to spend more time in contact with the information security industry. Whether this will mean they emerge as sages remains to be seen.
* Hackers are more likely to be working for organised crime, with specific targets in mind, rather than bored and lonely teenagers.
* Reputation risk should be moving up the agenda, following several serious security breaches by professional hackers in the US and elsewhere.
* Amendments to the Privacy Act that will force disclosure of IT security breaches are before the Australian federal parliament.
NO SECOND CHANCES
One CFO who appreciates the kind of spotlight that comes from a data breach is Stephen O'Neill of Moose Enterprise, a toymaker that last year was forced to recall a product and had to deal with the resulting glare of publicity.
With new privacy laws still on the drawing board, O'Neill says that in the next six months, the company will focus on industrial relations and other more immediate matters. He has already, however, taken precautions against a TJX-style incident being caused by a laptop being left in the back of a taxi.
"Our people should be using files on the server," he says, with all data stored centrally rather than on portable devices that could be lost in public. He expects the advent of disclosure laws would see a consultative approach between the company's various business units to understand the issues and develop controls to ensure that breaches become less likely.
"We need to be informed about the issues and then we can assign resources. Of course, we will minimise any potential risk."
O'Neill also knows, however, that incidents like a breach can be very harrowing.
"We will relaunch our recalled product under a new name," he says. "We have had to strengthen all our controls because there is no second chance."
©Fairfax Business Media