“But I Have Nothing to Protect”
As I reflect on 2016 and the many conversations I have had in the field, one theme that often comes up is the notion of businesses that believe they have nothing to protect from cybercriminals. I am talking about organizations that are not driven by the proverbial ‘stick’ of regulations such as PCI and HIPAA and that believe that, since they hold no Personally Identifiable Information (PII) or Protected Health Information (PHI), they are not in possession of data, know-how or intellectual property that would be of interest to a cybercriminal.
I challenge this notion with the fact that what hackers are after may not be the information your organization ostensibly holds, but that of your clients, partners, suppliers or service providers, such as your accounting or law firm. At a cursory glance, law firms, for example, do not have ‘anything to protect’, as they may not be in possession of social security numbers, credit card numbers and the rest of the usual suspect data points that are commonly stolen. But a clever cybercriminal interested in details of cases could benefit financially from knowledge of merger and acquisition data, the outcome of pending litigation against a publicly traded company or a successful antitrust case, ahead of when such details are revealed to financial markets.
Consider that it was recently discovered that Chinese nationals hacked into several prominent law firms to uncover data about mergers and acquisitions that they could leverage to make exorbitant profits in the stock market by using this inside information. These are examples of the type of creative uses of your organization’s data that we urge our clients to think about when deciding on the scale and robustness of their security program.
The truth is, every business is based on some variant of intellectual property, whether it is patentable or not. Whether it’s a ‘secret sauce’, literally or figuratively, that makes your organization tick or information you do not want your competitors to have, every business has something worth protecting. Our daily goal is to get clients tuned in to what that is before an actor with malicious intent does.
While we welcome the technological innovation of the coming year, each new product based on ‘convenience’ or on making something ‘smarter’, whether it be in your home, car, house, cell phone, city or transportation system, multiplies the points of entry into networks exponentially, and the risks associated with them grow by the day by an even larger multiplier. We consult with many of our clients on what these expanding entry points mean for the security of their product and of every business or entity they are connected with.
In 2017, I urge you to get creative with the way you think about your organization’s data and the interconnected complexity of your organization’s relationships when pondering ‘What Do I Have to Protect?’ The answers may surprise you.