Canadian Underwriter
Feature

Security Blanket


August 8, 2017, by Andre Boysen, Chief Identity Officer, SecureKey Technologies



Each and every company has a number of valuable assets. These range from tangible assets such as cash, product inventory, buildings and property to intangible assets such as corporate intellectual property like patents or copyrights. Yet one of the most valuable assets — and oftentimes, most dangerous — frequently goes under-protected.

In an increasingly digital society, data has become a currency of its own for companies. However, with publicized data breaches and leaks now becoming commonplace, one could argue large databases of saved information that are not necessary to keep are rapidly becoming the most toxic asset that a company holds.


The term “big data” has been a buzzword for years, as companies worldwide are racing to collect and analyze excess amounts of information to make more informed business decisions.

With organizations increasingly conducting business online and storing consumers’ information for long periods, perhaps permanently, it is clear that data will continue to be a toxic asset. As long as data continues to be stored, both companies and their customers remain vulnerable and at risk of a major breach.

Its importance can be compared to oil — when the flow of data goes as intended, it is hidden from sight and fluid. But when the flow is interrupted, resulting in a breach, the consequences are potentially catastrophic. Breaches can expose passwords, SIN numbers and birth dates. Leaks can prove expensive and their stain persistent and, if made public, could have long-lasting effects.

So, if the risks associated with digital data are so high, why do companies and organizations hold on to toxic data? Why are businesses not doing more to protect against the risks associated with doing business in a digital age?

FINANCIAL IMPLICATIONS

The 2017 IBM X-Force Threat Intelligence Index, released this past March, noted that 4 billion data records were leaked last year. With the average global cost of a data breach estimated at US$158 per lost or stolen record, as IBM reported last year, that translates to more than US$600 billion worth of leaked data in 2016 alone — a figure that is likely to continue increasing each year.

There has been no shortage of big-name companies that have seen just how toxic data that serves little purpose can be when it is the target of a malicious hack. No doubt, such events have an impact on the business, including from a reputation and trust perspective. But for those customers whose personal information is leaked — many of whom may not have been active for some time — threats like fraud and stolen identity become very real concerns.

The 2017 CPA (Chartered Professional Accountants) Canada Fraud Survey, conducted January 31 to February 8 by Harris Poll for CPA, found that 3% of the 1,001 respondents report being concerned that businesses are vulnerable to cyber attacks involving personal information. As well, less than half of polled companies provide consumers with privacy features that allow them to opt in or opt out of data collection (47%) or enable them to have absolute full control over information (46%).

However, there finally appears to be movement towards a more secure digital space. With major organizations such as Yahoo!, Ashley Madison, Bell, LinkedIn and countless others suffering large and highly publicized breaches, organizations are increasingly beginning to explore various avenues to protect themselves.

The first is obvious: strengthening internal technology to protect against hackers. The second — an emerging trend that is becoming increasingly common — is companies’ adoption of cyber insurance.

In 2015, PwC estimated that the global cyber insurance market could grow to US$5 billion in premiums by 2018 and at least US$7.5 billion by 2020.

In addition, a 2016 report published by Allied Market Research notes that the global cyber insurance market was expected to generate US$14 billion in gross premiums by 2022, having a compound annual growth rate of almost 28% from 2016 to 2022.

CYBER CRIME “SECURITY BLANKET”

A company can take steps to guard against hacking, but once a data breach has occurred, there is no predicting what damage — whether financial or reputational — the company may, ultimately, experience.

Cyber insurance provides organizations with various types of coverage related to cyber attacks, ranging from protection for information and technology-related risks to reimbursement for restoring data and negotiating and paying a ransom.

Statistics suggest small to large businesses alike are vulnerable, with security firm Symantec reporting two years ago that small businesses are targeted by attackers 43% of the time, while large businesses are targeted 35% of the time. This growing insurance area is becoming a must-have, particularly for businesses with no in-house security or IT professionals.

In Canada, while it is too soon to tell how often cyber insurance policies are being used and the associated costs, what is known is that addressing cyber security is becoming more of a priority.

Citing information from A.M. Best, the Insurance Institute of Canada noted two years ago in Cyber Risks: Implications for the Insurance Industry in Canada that the majority of companies in the country, including most insurers, do not purchase cyber insurance. That said, the situation is expected to change over the next five to 10 years.

More recently, U.S.-based analytics firm FICO reported that 36% of polled Canadian security executives said their firms have no cyber security insurance.

Conditions could be of concern given that, later this year, the parts of the new Digital Privacy Act that will require organizations to disclose data breaches are expected to take effect.

Under the current federal legislation, there is no obligation to report the data breaches that are taking place. With the new measures being introduced, companies will need to disclose any “real risk of significant harm” to users.

Organizations have two options in advance of the new requirements: continue to store information that has the potential to become toxic if breached and prepare to disclose to consumers when their data is stolen, or take proactive approaches to protect against data breaches by considering the vulnerable data they have and determining how best to prevent it from becoming toxic.

DATA CAN BECOME A LIABILITY

Large databases of saved information have become dangerous liabilities for both businesses and consumers. Yet there is a simple solution to avoid data becoming toxic if a leak or breach occurs.

In addition to strengthening internal technology and investing in cyber insurance, companies need to evaluate the data they store and for how long, and purge any unnecessary data. One strategy to do this is to create tiers of data importance to indicate what is vital to collect and store, what is important to collect and store and what is of little importance — purging the least important.

Companies are also well-advised to conduct a risk assessment of the information they now hold to determine the risk exposure should the data be leaked or breached, either in part or in full. Weigh the pros and cons of continuing to store data deemed high risk — by doing so, is there the potential to jeopardize the organization’s reputation, financial stability and/or relationships with customers? The value of holding the data will never outweigh the risk of losing it.

New technologies and services are emerging that could help improve attempts to mitigate risk and exposure. Today, business confidence is measured by the volume of corroborating data meant to confirm that people registering for a service are, in fact, who they say they are. In the absence of in-person transactions, the default practice to increase confidence seems to be to submit more data. However, this comes with added risks.

If the claims presented could be verified as true from the source, and the person presenting the data is the person to whom the data belongs, business confidence could be assured, all while using less data. This would result in a better experience for customers, lower customer/data acquisition costs and lower breach risks.

Digital information is easy to copy, and can be easy to exploit when falling into the wrong hands. It is time organizations begin to implement measures and controls to combat that possibility.

 

-Andre Boysen Chief Identity Officer, SecureKey Technologies

