While a smartphone has easily become an indispensable piece of personal technology, making smart decisions about business technology investments is a huge challenge. For insight on navigating data security, digital analytics and other current technology issues, Twin Cities Business consulted with six key experts.
On the security front, we solicited advice from Jeff Olejnik, CEO of Assurity River Group in Minneapolis, and Garrett Dietrick, information technology (IT) governance, risk and compliance leader for Secure Digital Solutions, a Minneapolis firm.
Tom Belle, president and CEO of the Gage marketing firm, Plymouth, offers guidance on social media and digital analytics. Tim Letscher, director of digital strategy and analytics at Colle McVoy in Minneapolis, also tackles web-related business issues.
On a host of business technology topics, we turned to two professors with extensive experience in this area. They are Brad Rubin, associate professor of graduate programs in software, University of St. Thomas, and Ravi Bapna, professor of information and decision sciences, University of Minnesota. Bapna also is co-director of the university’s Social Media and Business Analytics Collaborative.
Garrett Dietrick works for Secure Digital Solutions, in Minneapolis, as an IT governance, risk and compliance leader.
Jeff Olejnik is CEO of Assurity River Group, in Minneapolis, which is a firm that addresses data security issues.
Tim Letscher is the director of digital strategy and analytics at Colle McVoy in Minneapolis.
Ravi Bapna is a professor of information and decision sciences at the University of Minnesota.
Brad Rubin is an associate professor of graduate programs in software at the University of St. Thomas.
Tom Belle is president and CEO of the Gage marketing firm in Plymouth, and the firm develops social media strategies.
Avoiding a Target-sized data breach
TCB: In light of the data breach at Target and other retailers, how are you seeing American retailers and other businesses fortifying their data security systems?
JEFF OLEJNIK: With all of the high-profile data breaches, it has become evident that all businesses are a target and that data breaches are inevitable. Historically, companies spent the majority of their resources on controls to prevent a breach, like firewalls and anti-virus investments, and not enough on detection and response. Understanding that prevention is not possible 100 percent of the time, companies need to invest resources in detecting and responding to data breaches to minimize the impact.
Additionally, companies are investing in routine security assessments and penetration testing. They are hiring “white hat” hackers to circumvent security controls to try to identify weaknesses before they are discovered by cybercriminals.
GARRETT DIETRICK: Target is like any business that has data valuable to someone bent on obtaining it. Whether the information is credit card, financial or health care data, it has value that can be exploited for financial gain. The value of data determines the effort cyber-thieves will take to obtain it—and also the effort businesses should make to safeguard it.
Retail breaches have been front and center recently. However, I believe most businesses are still in a mindset of risk avoidance, thinking, “It won’t happen to me.” Their current budgets are allocated for revenue generation programs, but not for shoring up security measures.
My strong recommendation is that businesses at least get an outside assessment to determine their “security maturity posture”—the strengths and weaknesses of their current security efforts. They’ll gain a clearer picture that pinpoints areas for improvement—along with an understanding of where to allocate their spending.
RUBIN: Retailers are in the business of selling goods, so any money spent on security is a drag on the bottom line. The ideal is to minimize the security expense while providing sufficient protection. Security is hard [to gauge] since it is clear when not enough is done, but it isn’t clear when too much is done, and the pressure is always on minimizing this expense.
Fortification requires a constant re-examination of risks, risk mitigation processes and technologies, the threat environment and employee skills. This re-examination should also be done with simplification in mind, because piling on more technology not only increases expenses, but the increase in complexity can actually decrease protection by creating usability and interoperability problems.
CEO creates the security culture
TCB: How can CEOs and presidents of companies educate themselves in broad terms about data security, so they know enough to ensure that their companies have good systems in place?
BRAD RUBIN: The CEO shouldn’t be the security leader, but must set priorities and the right tone. Businesses routinely, often with little debate, make the proper investments in technology, processes and people to ensure no one can abscond with $1 billion in corporate cash.
These days, data liability can meet or exceed traditional sources of exposure. CEOs should understand, quantify and clearly communicate the financial and image risks of data security breaches and ensure that security expense discussions are focused on maximizing efficiency of protection, and not just minimizing cost.
They need to demonstrate their interest and commitment by constantly asking questions and monitoring security activity. They need to reward those who prevent crises, not just the firefighters who extinguish them. They also need to set a good personal example by following the same corporate procedures required of their team.
DIETRICK: Start by recognizing a real risk to the bottom line. Currently, the cost of a data breach in the United States averages $201 per record. Organizations need to understand the value of what they’re trying to protect and allocate a proportionate investment to securing it.
OLEJNIK: CEOs know what the “crown jewels” of the organization are. It could be information that gives a competitive advantage, like intellectual property, customer lists or patents. Or it could be data that would be devastating to an organization if it got into the wrong hands, like credit cards, financial information or health records.
Security culture starts at the top. CEOs should get involved to understand the company’s risks so that they can make informed decisions. CEOs should ask:
What resources have been allocated to security (budget and personnel)?
Where is our critical data or “crown jewels”?
Who has access to it?
How are we protecting it today?
Have we conducted tests to evaluate our controls?
How are we training our employees on protecting corporate assets?
Where are we at risk?
Vetting ‘cloud’ providers
TCB: With greater emphasis on “the cloud,” do you have data security concerns associated with employees using the cloud for storing some of their work documents?
OLEJNIK: Absolutely. If an employee moves corporate data off the network to a cloud provider, that data is now out of the company’s control. Companies should have clear policies on acceptable use of company data, including the use of cloud providers. They should only allow access to cloud providers that have been properly vetted and approved by the company.
DIETRICK: While cloud-based services are a convenient way to store and access company data, they’re also attractive to cyber-thieves. Make sure your cloud-based service provider puts a high priority on security. The vendor should meet or exceed your internal standards for safe data management, and be willing to go through an assessment for the potential risk they pose.
The main concern today with cloud-based services involves the use of mobile devices and how users of tablets and smartphones can access the corporate data repository via a cloud. Companies need to ask: What data are synchronized? How are they protected? Do other people have access to data? And are employees’ home personal computers protected the same as those at work? The answers should drive your security policies and investments.
RUBIN: A cloud provider that heavily invests in security expertise and technology can often offer better protection than in-house solutions, so it can make sense to shift risk to the cloud.
However, moving important data assets to a third party doesn’t eliminate the risk of compromise, and the loss of control and audit over sensitive data creates an offsetting risk. One solution is to make sure that data are encrypted before moving to the cloud, so companies can reap the economic and convenience benefits of the cloud, without having to totally trust it.
Security: People vs. Technology
TCB: In a layperson’s terms, what kinds of product innovations are surfacing that will enhance data security management?
RUBIN: I tell my students that security is more of a people problem than a technology problem. If you look at the root cause of most security breaches, you will usually find a human issue such as having a password of 123456, reusing the same password on multiple systems, opening an attachment from a stranger, misconfiguring security systems, ignoring security warnings, not updating software, or divulging sensitive information to unauthorized emails, websites, surveys or phone callers.
Adding more products that harden one route of attack often causes attackers to just find another route, and the easiest route for most attackers is through a human.
In my view, investments in education, training and technology to harden the human [element], making it easy for people to do the right thing and to detect when they don’t, are some of the best, yet often most overlooked, opportunities for enhancing security. There is not now, nor will there ever be, a security silver bullet.
Crafting a Social Media Strategy
TCB: In an environment in which social media is so prevalent, virtually every type of business is attempting to have a strong social media presence. What are the considerations that companies need to address before devising a social media strategy that works for them?
TOM BELLE: First, marketers need to define their objective or the problem they’re solving and the result they would like to achieve from the investment in social media. Then identify gaps in their current marketing that can be addressed via social media that are succinct and measurable.
From there, start small with measurable tests to identify what is working and what is not. Learn from those tests, then grow and scale with each subsequent success.
TIM LETSCHER: A business first needs to ask: “How does a particular channel help us reach a business goal and how does it fit into our overall ecosystem?” They need to stay focused on what meets their business goals. Second, and just as critical, is to align with how consumers are actually behaving within social media. What are their needs and how will your business help?
Approaching social media as an entity in and of itself can cause businesses to miss a lot of opportunities. The whole business needs to contribute to social media (paid, earned and owned content). Businesses need to consider the entire ecosystem and how it plays into social. Social media is marketing, CRM (customer relationship marketing), crisis communications, culture, recruitment and more. Consider how social media can help with thought leadership, sales or customer service and decide what channels make the most sense.
When a business listens first, they will quickly realize that what their audiences are doing through social media is nothing new. There has always been word-of-mouth, always been third-party evaluations of company products and services. What’s different now is the relative ease and speed with which each individual instance can be generated, shared and, in turn, reviewed.