Authored by Judy Selby and George Viegas*
Our traditional approach to cyber risk and security has been focused on privacy and financial data. The data breach or loss concerns that typically rank high on our risk ratings involve private and confidential data like names and social security numbers with other identifying non-public information, and financial data like credit card numbers and transactions. We assess potential dollar loss from this type of incident and, to mitigate risks, some obtain cyber insurance coverage. Finally, in order to assuage the concerns of customers impacted by a financial data breach, the breached company may offer credit monitoring for a year.
Some recent breach incidents, however, do not fall within that paradigm and can turn traditional risk management prioritization on its head. The impact from a breach of a new class of data that we call BPI (Business practices/Personal data/Intellectual property) can create different kinds of problems for the breached company as well as for its employees and even business associates and partners.
Here are some of the key new risks created by a breach of BPI data:
Businesses now must realize that sensitive Business Practices data can easily be exposed. Disclosure of Business Practices information is potentially far more damaging than the breach of personally identifiable information (PII) or personal health information (PHI), since the data provides information on the inner workings and the core of the company. This is data about the heart and soul of the company – how the company works and makes decisions and how the company operates in different geographies.
The biggest risks now are reputational harm and loss of competitive advantage. Reputational risk flows directly from disclosure of documents and communications that could be perceived as evidence of improper or questionable business practices. Companies should consider, for example, if breach of their Business Practices data could lead to questions about their hiring and employment practices, risk management strategies, and regulatory compliance, which might also result in regulatory or legal liability in the U.S. and abroad.
Breach of Business Practices data also can place the company at a competitive disadvantage. The data could be publicly disclosed or “leaked” to government regulators to delay or sabotage large corporate projects or efforts. And because Business Practices data may contain confidential strategic information, like planned merger and acquisition activity, its disclosure could put important initiatives or the company’s overall business plan at risk.
Communications between employees and third parties may contain information about personal matters, relationships and biases that were never intended to be publicly disclosed. Some of this may be PII and PHI, but it also may reveal sensitive and embarrassing information. This risk is compounded by the fact that many employees use email as an eternal filing system.
Corporate data, such as salary information and health data, could be stolen and publicly exposed simply to cause embarrassment to the breached company. Such disclosure could also lead to claims against the company by the affected employees, alleging that the company failed to adequately safeguard their protected information, or alleging discrimination in compensation. And if the disclosure of Personal Data leads to negative consequences affecting individual employees, will those employees attempt to hold the company responsible?
A company’s Intellectual Property (IP) may be its most valuable asset. It could be the design of an aircraft, a pharmaceutical formulation, market research, a developing technology, or unreleased books or music. Theft of IP for the cyber criminal’s own use, for sale to competitors or for malicious public disclosure can result in significant loss of revenue and competitive advantage.
Hacking for IP is not new, and certain nation states are constantly attempting to make technology leaps cheaply by hacking into known technology leaders and stealing the latest technology without incurring the research and development costs. But when the hacker’s main goal is to embarrass or damage the company by releasing the company’s IP publicly, the IP becomes available for general use by all competitors in the industry, nation states and the general public.
Protecting BPI Data
In today’s environment, all organizations should ask themselves if they’re doing enough to protect their BPI data. Some of the key steps to consider are:
Extend risk and liability profiles to cover loss of BPI data.
In addition to the more traditional type of hacker to guard against — nation state, hacktivist, commercial hacker, and insider — add the takedown actor, whose sole aim is to cause serious harm to the company. This new actor may be a combination of the previously known actors.
Update existing data classification systems to include sensitive Business Practices data, such as business rules and sales data maintained in sales and contracts systems and human resources (HR) data maintained in HR systems.
Identify and protect IP data. Recent hacks have revealed that companies do not always segregate and lock down IP data on networked systems. If IP is exchanged on secure knowledge platforms internally, its risk rating goes down. It is likely, however, that some IP data will always be found in email.
Focus risk analysis on processes involving BPI data at a department level, beginning with HR, followed by finance and accounting and then individual functional departments.
Extend the risk analysis of systems to cover the organization’s email system.
Assess reputational risk from loss of BPI data. Involve marketing and communications departments to consider reputational impact and remediation costs if BPI data is stolen and disclosed.
Take special care to lock down email infrastructure in addition to external facing financial systems.
Work with HR, finance and accounting and functional teams to review password management and administration of third-party hosted applications.
Make sure internal training requires that sensitive BPI data is not relayed or stored in email.
Ensure that passwords are protected and difficult to locate by network intruders.
Update cross functional Incident Response Plans to include response for breach of BPI data.
Include scenarios involving the theft of BPI data in tabletop exercises and breach rehearsals.
Implement email management and legally defensible record retention and destruction policies. The risk of breach and disclosure is minimized if data with no legitimate business purpose is regularly removed from corporate networks.
Prepare a legal course of action in case stolen BPI is publicly disclosed by news networks or others.
*George Viegas is a long-time information security and risk professional and passionate about the practitioner’s role of the CISO in the business environment.