When seat belts came onto the world
scene, they cost $200 and nobody was interested. Insurance was first
ridiculed and then considered a luxury for a long time. You can’t
really live without these today, can you?
Both seat belts and insurance have
become personal involvement issues in our lives today. In fact, ABS and
airbags aside, we’re even looking forward to the car that brakes on its
own when it “thinks” there’s going to be an accident. And yet, the task
of securing your biggest investment – your hard-earned business, your
“dream home” – becomes a delegated one. The politically incorrect
elephant in the room is asking: “where is the personal involvement when
your biggest investment could be wiped out in one swing?” A single
hacker attack or information security breach at your business, and your
list of liabilities could be pretty grim.
Who Will Come After You?
It depends… companies like TJX Companies,
Inc. or BJ’s Wholesale Club, Inc. faced enforcement action from the
Federal Trade Commission (FTC). The FTC takes enforcement action
against businesses where it believes that the business is, to some
extent, responsible for not protecting itself well enough. Under what
pretext, you ask? For unfair or deceptive trade practices. If yours is
a bank or financial institution, the Office of the Comptroller of the
Currency (OCC) is your best friend (not!). The insurance industry needs
to follow the HIPAA and HITECH regulations. The education sector needs
to follow the FERPA regulations. If you process payment cards, you have
mandatory requirements to follow laid out by the PCI DSS. The fact is,
no matter what your industry, your business is currently regulated.
Even if you think you’re not regulated, you are – there are even state
laws that make it compulsory for all businesses to disclose a potential
security breach and to notify the government and the customers about
it.
In short, as an Entrepreneur, President,
CEO, or a Member of the Board of Directors of a company you are liable
for security breaches that lead to any disclosure of customer
information. And this liability will come in the form of an enforcement
action accompanied by a monetary penalty that is proportionate to how
bad the breach was. This will then be followed by civil lawsuits
including seething ex-customers who will then tell you how bad the
breach really was.
How Much Are We Talking Here?
So, you’re thinking – “Ok, what’s the ballpark”?
- ChoicePoint ended up paying $15 million. They had a breach
involving 163,000 records and, going by the $2,500 penalty per violation
under the Fair Credit Reporting Act (FCRA; amended to what is now
known as the FACT Act), the initial penalty could have been as high as
$407.5 million.
- Let’s take another industry – VISA fined Fifth Third Bank $880,000 followed by a continued $100,000 per month thereafter.
- If a charity wasn’t spared, what hope is there? – Norwood, a Jewish
social care charity, was fined £70,000 for a data protection breach.
Did You Notice…?
…that we haven’t even talked about the losses faced by companies
themselves yet – we’ve only discussed fines, penalties, regulatory
actions, and public humiliations. So, let’s take a look –
- Epsilon, a marketing services company, faced a “worst case
scenario” loss of as much as $4 billion. Note that this is the “worst
case scenario” because nobody could really put a finger on the actual
loss amount. If you thought having a breach was bad enough, imagine
asking in a board meeting how much of a beating your business took and
hearing – “We can’t say for sure”. A chilling fact to add here – this
breach involved hackers stealing the sensitive information of only 3% of
Epsilon’s customers. Imagine that – just 3% of sensitive customer
information could bring about this fate.
- Fidelity National Information Services faced a class action lawsuit
which, after settlement, ended up for them at up to $20,000 per
affected person for unreimbursed identity theft losses. Considering
that 2.3 million consumer records were stolen, you can do the
“potential” math.
- Hackers, in October 2010, stole over $12 million from five banks in
the U.S. and Britain. The Zeus malware used by the hackers for this
theft was available, at the time, in the black markets for around
$1,200. How’s the business model?
Beyond the obviously devastating monetary consequences, you will
also deal with the fact that you can no longer look your clients and
customers in the eye; you’ve lost their most valuable possessions that
you once had with you – their respect and their trust. How does one
really build to last without respect and trust?
How Easily Could This Happen?
Let’s answer that in reverse. The Zeus malware we just discussed –
what if you were told that an average school kid could (and did) run
Zeus; that the malware can access your company’s bank information and
drain your money while leading you to believe that your money is still
in your account until it’s too late; that Zeus can fool your anti-virus
software into believing that it’s an innocent little text file; that
Zeus has also hit smartphones; and that even after losing your money you
could still be liable if Zeus is able to use your computer to
spread to other computers (which is a piece of cake for Zeus
because that’s what it was designed to do in the first place)? And this
is just Zeus – one cyber-threat among the millions that are out there
today. Let’s discuss only a few more –
Corporate Espionage: Companies
in China are allegedly emerging as shops that spy on U.S.
companies at the request of their clients’ competitors. They spy on
companies and governments around the world. But don’t let these recent
emergences fool you into believing that this is a new concept.
Industrial espionage cost global businesses more than $200 billion a
year…in 2006! So, it’s not just China that’s spying on the U.S., global
businesses are spying on their competitors all the time. The Chinese
probably only offered to do it cheaper. Think about this – when
everything from financials to price quotations to billing rates to
research secrets are all electronic today, it means they’re all
connected – either with a wire or wirelessly. Once it’s connected, it
can be taken. And if it can be taken, why would your competitors not
want to take it?
Cyber-Mafia: Cyber-crime was a $105 billion business way
back in 2004! This operates just like the traditional mafia – there is a
boss who never gets his/her hands dirty and thus has, technically,
never committed a cyber-crime. The next in the org-chart is the
underboss who works in conjunction with the consigliere (the boss’
right-hand) and essentially sells attack tools such as Trojans,
Keyloggers, Formloggers, and such malware (Zeus graduated here as well
in the class of 2007) in the cyber black market. Under them come
several caporegimes, each commanding his/her own network of soldiers who
ultimately carry out actual attacks. This “network of soldiers” is
like an interdependent talent pool – “Oh, we’re short on a few employees
for this really important project; can we borrow yours”? The most
unsettling part about the Cyber-Mafia is that the boss could be located
in Russia, the underboss in Indonesia, the caporegimes can do the
legwork in Venezuela, China, and Nigeria, and the soldiers could
essentially dot the entire globe. How exactly do you “go after” them?
Cyber Extortion: So your business has been doing
prolifically well in the past few years and some cyber-crime groups or
individuals want to “wet their beaks” in your success. Let’s take a
look at a real-life extortion e-mail from these folks –
Hello. If you want to continue having your site operational, you
must pay us 10,000 rubles monthly. Attention! Starting as of DATE your
site will be subject to a DDoS attack. Your site will remain
unavailable until you pay us. The first attack will involve 2,000 bots.
If you contact the companies involved in protection against DDoS attacks
and they begin to block our bots, we will increase the number of bots to
50,000, and protection against 50,000 bots is very, very expensive.
You will also receive several bonuses.
- 30% discount if you request a DDoS attack on your
competitors/enemies. The fair market value of DDoS attacks on a simple site is
about $100 per night; for you it will cost only $70 per day.
- If your competitors/enemies turn to us to make an attack on your site, then we deny them.
How about that – extortion with a discount offer and an
anti-competitor coupon code! And they’ve done some pretty logical
arithmetic as well.
It’s Your Dream Home…Get Involved!
When you work very hard to achieve something, a sense of entitlement
sometimes colors the possibility that the achieved can actually be lost
again. You purchased your second home with money but your dream home
with your perseverance, even your health at times, and definitely
several years of your life. The math has to add up…get involved…it’s
your dream home.
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently."
– Warren Buffett