A recent study by PricewaterhouseCoopers (PWC) has found that almost half of the fastest-growing companies in the U.S. have suffered a recent breach of their information security, despite higher precautions taken since 9/11. And one Canadian security expert says he’s not surprised.
PWC interviewed the CEOs of 402 privately held companies about what kinds of precautions they have taken to protect against threats to their company’s information security, the vulnerabilities that got the best of them; the effects of breaches; and their corporate security priorities.
The study found that 46 per cent of companies had been victimized by security breaches; of those, 83 per cent said they experienced monetary loss and nearly one-quarter faced network downtime.
The companies polled have been identified in media reports as the fastest-growing U.S. businesses over the last five years, ranging in size from about US$5 million to $150 million in revenue.
The fact these firms are growing quickly may be what is causing the problem in the first place, according to Mark Lobel, senior manager, security and privacy services for PWC in New York.
“One of reasons they’re fast-growing companies is that they’re willing to accept more risk to move the business forward,” Lobel explained. “They spend more time focusing on the revenue generation aspects of the business versus implementing the (security) controls their more mature brethren already have in place.”
Although two-thirds of respondents reported that information security is important to their company’s near-term profitable growth, the study found that the security budgets for 80 per cent of fast-growing companies “have not and are not planned to materially increase,” Lobel said. Those results contrast starkly with an earlier global PWC survey that indicated most other companies had plans to increase their security spending by a significant amount, he said.
“What do more mature companies understand that these fast-growing companies don’t understand or are refusing to accept?” Lobel said. “I’m not sure if it’s ignorance, arrogance or inexperience.”
Richard Reiner, CEO of FSC Internet Corp. in Toronto, said PWC’s findings mirrors what he typically sees within Canadian firms. FSC works with larger companies in Canada’s major industries, including banking and insurance firms, telecommunications, some parts of public sector, public utilities and health care. In most cases, these sectors also have the greatest security risk.
Reiner said he knows of only half-dozen Canadian firms that have a truly effective and comprehensive security management program. The rest have programs in place that are mature in some areas and lacking in others; or their security capability is downright inadequate right across the board.
The reason? With the exception of banking and some parts of the telco industry, which “have [security] experience that dates back quite a while, and have always considered themselves to have these risks,” for many companies there hasn’t been as much of a focus on its importance until recent years. “For them, it’s a new set of challenges,” Reiner said.
Lobel agreed, adding that fast-growing, private companies don’t face the same kind of scrutiny as public firms when it comes to regulatory compliance. Some companies lack risk knowledge because the classification of high and low risks changes very quickly and it’s hard to keep up, Reiner added. “Some areas have emerged that companies are really ill-prepared around.”
For example, while most firms now understand the network and infrastructure areas of security, awareness and capabilities are much lower around things like application-level security, he said. “Web-based applications have emerged, as we think, risk area number one, and it’s an area that even in many organizations that have information security teams and dozens of people in those teams, there is little understanding and the awareness is not high.”
Reiner suggested firms get up to speed on security by mapping out a threat and risk assessment, determining what kind of information it has, where it flows and what would happen if that information was disclosed or destroyed, and then follow up with a plan that manages each risk systematically and takes care of the blind spots.
The wrong approach is for a company to just slap in a piece of technology and expect it to do the trick, Lobel said, adding that following the “people, process and technology” mantra applies in this instance. “If you install antivirus, you’d better also define who is responsible to make sure the signatures are updated.”