Can your company afford to lose $400 million?

Of course not. But that’s the dollar figure companies stand to lose in terms of consumer trust when security protocols are breached, according to a new study by the research firm Ponemon.

In terms of dollars and cents on a risk analysis spreadsheet, it is easier to put a value on a particular asset than on the potential recurring value of a client, customer or even partner. Beyond lawsuits and the capital and operational expenses of repairing a mea culpa, replacing weak cryptography, hardening defenses or shoring up a previously undiagnosed vulnerability gap, the damage done to a brand because users no longer trust doing business with that company is staggering.

The report uses a failure in cryptographic keys and certificates as the breach point, but the bigger issue is that a breach of any nature (especially one that would have been preventable with the application of additional resources) can cause a hemorrhaging of customers. And it’s not just active customers, but future lost customers. I remember back in my college marketing class where it was shown that a bad experience spreads like wildfire. Twice as many people tell others about a negative experience as about a positive one. And the accepted rule is that the negatively affected person will tell at least 10 others. With social media, that number escalates into the hundreds. Think of how many people abandoned PayPal in light of their password breach. I know many people who think twice about using their service these days.

Even Gartner agrees. An older study (2008) found that the money invested (or not invested) by organizations in security has a significant impact on customer retention. “The study found that compared with the average consumer, victims of financial fraud were twice as likely to change their shopping, payment, and e-commerce behavior. Among all consumers, 39% changed their behavior because of security concerns,” the study states. “Among fraud victims, 71% of them changed their behavior because of security concerns.”

Many companies bank on their reputation as a safe and secure steward of data. The maddening issue is that too many don’t go far enough to secure that reputation. The Financial Times concurs: “Why is it so easy for executives to think about and plan for financial risks, but still so hard for them to understand that intangible risks to an organization’s reputation are far more likely to destroy shareholder value?”

The periodical was citing another study, the Privacy Trust Study for Retail Banking, which surveyed customers and found that 34% would transfer their money after a single breach. So how much is 34% of your business worth? And in the risk versus reward conversation, where does that number fall in terms of the costs of various security initiatives?

But the answer isn’t easy. If it were as easy as buying and installing a malware blocker on a server, we wouldn’t be hearing about the woes of Yahoo, Global Payments, the Utah Department of Health, PayPal, and hundreds of others (in 2012 alone). As security and information professionals, we all recognize that security is complex. It has many moving parts and many variables. Because of the need to balance productivity and protection, there are no absolutes. If Bank of America is exposed to risk, so is All-American Dry Cleaners.

It requires planning, prioritization, policy, prudence, predictability, process and programming (sounds like a white paper for the future!). What it doesn’t require is a huge chunk of budget. As more and more companies look to the cloud for various resources, the emergence of maturing cloud-based security measures allows a layered and unified deployment at a fraction of the cost of managing the initiative on premises. The key concept is that the cloud gives you more bang for the buck. This changes the conversation from one heavily dependent on capital expenditures and intensive man hours to one built on a manageable, resource-effective operational expense, and, more importantly, shifts the focus of the initiative to performance rather than limited scope. Because of the advances made by the reimagining of technology (including OpenStack), it’s now possible for smaller companies (95% of the market) to enjoy the same level of security protection as large enterprises at truly affordable costs.

Now, cloud security is not a panacea (although it is a very good start). Whereas security as a service provides enterprise capabilities to manage an initiative, it still requires process. A battleship may have state-of-the-art defenses, but without a compass, it simply floats in the water. In terms of this week’s premise, you must understand how your customers wish to do business with you (the context in which users actually access resources) and then build the layers of protection around that concept in order to grow and maintain their trust. For example, if you offer a bill-paying option, what kind of authentication do you offer to prove the user is who they say they are? These days a user name and password may not be enough (consider multi-factor authentication) unless they are specifically and securely provisioned. Using the same example, where are you keeping their personal information and financial account activity details? How do you know if it is properly secured? For that you have to look at events to see whether or not it has been exposed to suspicious activity. And beyond that, you must anticipate not only events but the intent and impact of user actions.

But I am not telling you things you have not already considered. Oftentimes it comes down to priorities. There are only so many hours in the day, and you can only stretch your personnel and financial resources so far. You need to pick and choose where your initiatives can be the most effective; all the more reason to take a deeper dive into the potential and promise of cloud computing security. Just investigate the capabilities of security-in-the-cloud solutions and see how they compare…or better yet, augment your existing initiative.

Many articles, webinars, blogs (my own included), white papers etc… position the concept of security as an often inward examination and application of asset/data protection. This is still very true, but my very wise Director of Marketing often tells me…without our customers, we have no reason to exist. Everything we do must be to their benefit. And it is in that spirit that we work to maintain their trust: every time they log on, every time they share data, every time they open an application. I recognize that security is a two-way street (we don’t want them exposing us to issues either), so it is incumbent on every company, whether to satisfy compliance or improve operations, to ensure the security of every person that has access to their network by integrating identity management solutions.

Or do so at the risk of losing a customer, or 34% of them.

Kevin Nikkhoo
