Harvard Business Review: 3 Key Cyber Security Questions
March 27, 2012
In this week’s Harvard Business Review Blog, McKinsey & Company IT consultants James Kaplan and Allen Weinberg comment on the increasingly complex issues revolving around data security in an ever-more connected business environment.
Despite high-profile political hacking, online theft of sensitive business information is more prevalent, but it often goes unreported due to the losses that companies sustain. Kaplan and Weinberg say such attacks can be “devastating,” involving the loss of intellectual property such as “business plans, proprietary technologies or fraudulent payments.”
These attacks are on the rise, even in the face of more investment in cyber security. Why? The authors explain:
“In part, the continued migration of business value online has attracted more capable malevolent actors, including hacktivists seeking to score political points, national intelligence agencies looking for economic advantage, and cyber-criminals looking to engage in fraudulent transactions.”
Yet with the migration to cloud environments, online business transactions are “more open and connected than ever before.” Kaplan and Weinberg argue that given this reality, cyber security has to be a core business function, “interwoven throughout all your most important business processes.” The most vulnerable elements in those processes are a firm’s employees and customers, i.e. the users of the processes.
While security technology does assist, they write:
“…substantially reducing the risk of losing valuable information requires changing user behavior. You can make customers provide more rigorous authentication before they make a transaction, or have managers limit distribution of sensitive plans. Unfortunately, though, it’s all too easy to grind your business to a halt with doctrinaire security policies.”
Kaplan and Weinberg write that to “strike a better balance,” businesses should be asking three questions about cyber security:
“1. How do we strike the right balance between secure online transactions and a great online customer experience?”
The authors believe that customer self-selected levels of security will become more prevalent. While a baseline is required for all users, clients can trade convenience for greater security given a heightened need for data protection.
“2. How do we protect intellectual property and other sensitive business information while also encouraging collaboration in product development processes?”
The authors note that companies have created tiers of access in their product development collaboration. For sensitive projects, they list two options. One is specialized information security training. The second is “digital rights management,” which ensures that only authorized individuals can view sensitive information, regardless of where it is sent.
“3. How do we make sure partners protect our data while continuing to optimize our supply chain?”
Supply chain protection approaches include:
Segmenting information; keeping sensitive data and applications in-house
Writing security expectations formally into contracts
Conducting security reviews of customer networks, prior to connection
Involving stakeholders in a mock cyber attack, to test a proprietary network’s resilience
Talkin Cloud channel partners, please take note. Authors James Kaplan and Allen Weinberg cap off their call for more effective cyber security by saying:
“As digital business becomes ever more pervasive, cyber risk management will become for most companies what financial risk management is for banks: a core part of all important business processes that requires senior engagement in the trade-offs involved.”
Well stated.