By Terry Cutler
When that home phone rings at a time of morning when sleep has moved into deep R.E.M., and the text messages start appearing, it can only mean one thing to a CEO: there is a problem with the company security net. This could cost millions.
From best-case scenario to worst, you go over it in your head. Best case? The security team caught a small breach. It isn’t enough to be overly alarmed, but it does warrant a phone call. Worst case? Your monitoring system has spotted what security is calling “highly” suspicious activity over the company network. They are addressing the problem.
When the phone is answered, you are told it is the latter and the situation is expected to get worse.
This could mean even bigger money problems. Think of Nasdaq, Sony and Citibank, whose hacks cost millions. Citibank’s hack attack (http://moneywatch.bnet.com/saving-money/blog/devil-details/citi-hack-attack-6-things-you-must-do-now/4769/) in June of 2011 exposed personal information about some 200,000 customers. Since 2005, some 533 million personal records have been exposed, according to the Privacy Clearing House (https://www.privacyrights.org/). In Sony’s 2011 PlayStation hack, up to 70 million people reportedly had their personal data put in jeopardy. Sony’s cleanup was estimated at 2 billion dollars.
In the meantime, the overnight customer service representative is reporting more complaints than usual about unauthorized debits to customers’ credit cards and banks, and your customer service department is overloaded with irate customers.
Your next move? Admit it: you’ve been hacked.
Three credit card companies are on hold. Enough, you say. You’ve known all along, and now you are on your way to work, the longest drive of your life. The year 2011 has been called the year of the hack, or at least the year more companies admitted their security had been breached. Time to minimize the damage. On the drive to the office, you order company representatives to post a notification letter on the website, explaining the situation and assuring customers that the company is working on the problem. Offer credit-rebuilding services, flag unauthorized use of credit cards, and offer free stuff.
As CEO, you are aware of the value of reassuring customers and keeping them as valued customers. It’s the company’s bread and butter. A company’s reputation is founded on how customers are treated, and including them in the problem through notifications will help maintain the established reputation. Your head security consultant meets you at the door. He informs you that the hack is not as bad as first thought. In fact, only a few files were lifted, but the network was breached, and the consultant reminds you that security is not a reactive game but a proactive one.
What he is saying is: budget more money for security. It’s better that way. Or pay the price of a large-scale hack!
The decision is clear, or is it?
Next week: why companies don’t budget for an eventual hack
Follow me on Twitter @terrypcutler
I’m a government-cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.