Why Cloud Security Matters For Business Leaders
1. It’s your responsibility
When you use public cloud services, your cloud service provider (CSP) is not the only party responsible for security. In almost all cases, CSPs operate under a shared responsibility model. That means, as a customer, you carry your own share of the responsibilities, and the provider's compliance certifications do not cover the parts that are yours.
While your CSP secures the underlying (mostly physical) infrastructure, such as the physical servers, physical network, hypervisors and data center premises, you are in charge of securing whatever you put in the cloud. In an Infrastructure as a Service (IaaS) model, for instance, you are responsible for patching and hardening your operating systems, securing your applications and workloads, configuring identity and access management, and (most importantly) protecting your data. The dividing line moves with the service model: in Platform as a Service the provider also manages the operating system, and in Software as a Service you typically remain responsible only for your data, your users and how access is configured.
To effectively secure your cloud workloads, you first have to know what you’re putting into your cloud infrastructure. This can be done through data classification and other secure data management practices. Data classification helps your company identify confidential information such as employee and customer personal information (e.g. social security numbers, credit card data), contracts with suppliers, organizational charts, trade secrets and so on.
By identifying which workloads involve confidential or sensitive information, you can easily determine what needs to be secured. But you can only classify the workloads that you and your IT department know about.
There are likely other cloud workloads in your organization that exist without your IT department’s knowledge and approval. The accessibility and user-friendly nature of cloud computing solutions have accelerated the proliferation of shadow IT (the practice of using IT solutions without the organization’s explicit approval). In a global survey conducted by Brocade in 2015, 83% of the respondents – all CIOs – expected unsanctioned procurement of cloud services to rise.
Because cloud services acquired through shadow IT aren't managed by your IT department, they are unlikely to be monitored, patched, covered by your identity controls, or included in your data classification. Corporate data can end up in services with no contractual protection, and weak or reused credentials on those services give attackers a route back into your environment. As such, it is management's responsibility to rein in shadow IT. There are tools your IT teams can employ to seek out signs of it, such as cloud access security brokers (CASBs) that discover unsanctioned services from proxy, firewall and DNS logs.
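The following is an added example, not code from the original article or from any CASB product, showing the simplest form of the discovery a CASB performs: scanning web-proxy logs for traffic to cloud storage and file-sharing services that IT has not sanctioned. The log format, the sanctioned-domain list, the service catalogue and the byte counts are all constructed for illustration.

```python
"""Toy shadow-IT discovery over web-proxy logs (added example).

Everything here is an assumption for illustration: the log field order
(timestamp, user, destination host, bytes uploaded), the sanctioned-domain
list and the abbreviated cloud-service catalogue are not from any real tool.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log, one request per line.
SAMPLE_LOG = """\
2017-09-04T08:01:12Z alice sharepoint.corp.example.com 18200
2017-09-04T08:03:44Z alice api.dropbox.com 5242880
2017-09-04T08:05:10Z bob drive.google.com 734003
2017-09-04T08:06:02Z bob content.dropboxapi.com 10485760
2017-09-04T08:09:31Z carol s3.us-east-1.amazonaws.com 2097152
2017-09-04T08:11:00Z carol www.example.com 1200
2017-09-04T08:12:47Z dave wetransfer.com 52428800
"""

# Registrable domains IT has approved (assumed).
SANCTIONED = {"corp.example.com", "amazonaws.com"}

# Abbreviated catalogue of cloud storage / file-sharing services (assumed).
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "amazonaws.com": "Amazon S3",
}


@dataclass
class Finding:
    user: str
    service: str
    host: str
    bytes_out: int


def _match(host, catalogue):
    """Return the longest catalogue entry that equals host or is a parent domain of it."""
    best = None
    for entry in catalogue:
        if host == entry or host.endswith("." + entry):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def parse_line(line):
    """Split one constructed log line into (timestamp, user, host, bytes)."""
    ts, user, host, nbytes = line.split()
    return ts, user, host.lower(), int(nbytes)


def find_shadow_it(log_text):
    """Flag requests to catalogued cloud services that are not sanctioned."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, nbytes = parse_line(line)
        if _match(host, SANCTIONED):
            continue  # approved service, nothing to report
        entry = _match(host, CLOUD_SERVICES)
        if entry is None:
            continue  # ordinary web traffic, not a tracked cloud service
        findings.append(Finding(user, CLOUD_SERVICES[entry], host, nbytes))
    return findings


def summarize(findings):
    """Bytes uploaded per (service, user), largest first; volume ranks the exposure."""
    totals = defaultdict(int)
    for f in findings:
        totals[(f.service, f.user)] += f.bytes_out
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for (service, user), total in summarize(find_shadow_it(SAMPLE_LOG)).items():
        print(f"{service:<13} {user:<6} {total / 1_048_576:8.1f} MiB uploaded")
```

Two caveats a practitioner would raise: suffix matching on a shared provider domain such as amazonaws.com cannot tell your own S3 buckets from someone else's, so a real CASB pairs domain discovery with tenant restrictions and per-application catalogues; and upload volume alone only ranks exposure, it does not tell you whether the data moved was classified as confidential, which is why the classification work described above comes first.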
As a business leader, it is imperative to understand your organization’s cloud security responsibilities and then make sure proper policies are in place. Being fully aware of your organization’s share of responsibilities will enable you to direct resources where they are most needed and minimize risks more effectively.
2. Employees can either be assets or liabilities
Employees play a critical role in the overall security of your organization. A large share of the cyber attacks companies experience each year succeed because of a lack of internal awareness and understanding of good security practices. Consider the graph below, which shows the types of cyber attacks experienced by companies in 2016 and 2017.
As shown, about 70% of the companies surveyed experienced phishing and social engineering attacks. These attacks aren't aimed at network devices or IT systems. Rather, they target the people in the organization. Phishing and social engineering are both deceptive acts intended to dupe people into handing over confidential information such as login credentials or credit card data.
Because these messages often appear to come from a reputable source, employees who lack security awareness can easily be fooled into providing the information the attacker wants. The impact on your organization might not be significant if the victim only discloses, say, the password to a personal bank account. But what if the password belongs to a corporate account?
Or, worse, what if it is the same password the victim uses for a network account with administrative privileges? Using the stolen credentials, attackers can log in to your network as a legitimate user, escalate privileges, move laterally to gain a deeper foothold in your infrastructure and, ultimately, reach your crown jewels. Multi-factor authentication and a ban on password reuse blunt this chain, but only if employees actually follow the policy. As you can see, employees who are gullible, uneducated or lazy, in a security sense, can be serious security liabilities.
Even among the other types of cyber attacks shown in the graph above, a significant portion are caused by end-user missteps. Ransomware, for example, which showed the largest year-on-year growth of the attacks featured, is largely delivered through malicious attachments and links that a user opens, or through drive-by downloads from compromised websites that exploit unpatched browsers and plugins. Both depend on what a user does, or fails to do.
So where do you, as a leader, come in? Employees can only cease to be security liabilities once they have adopted a security culture. For a security culture to permeate your organization, it has to be built into every step of the employee journey: hiring, onboarding, day-to-day activities, and the steps taken when an employee leaves, at which point you have to ensure they no longer hold any access to corporate data, including cloud accounts, API keys and shared credentials that are easy to overlook.
For this to work, you would need to involve everyone from HR, to the heads of various business units, down to the employees themselves. This can only be achieved if the security culture starts from the top. Your role, as a C-level executive or business leader, is not only to initiate the process but to stay the course and constantly demonstrate the importance of embracing that culture.
3. There are serious legal and regulatory risks
A weak cloud security program can have regulatory and legal repercussions. Depending on the type of data you’re handling, the industry your business belongs to, or the state or region you’re operating in, your company may be governed by certain data protection/security laws and regulations.
For example, if you operate in the US healthcare industry, you will have to develop safeguards for securing any electronic protected health information (ePHI) entrusted to your care and meet a laundry list of HIPAA requirements. Or if you’re handling credit card data, you may likewise have to meet PCI DSS requirements.
Failure to do so can be costly. In 2016, Advocate Health Care agreed to a $5.55 million settlement with the HHS' Office for Civil Rights as a result of HIPAA violations, and Advocate was not the only HIPAA-covered entity compelled to pay a multi-million-dollar settlement that year.
In addition to direct fines, most of these data protection laws and regulations also have breach notification requirements that not only amount to additional costs but can also damage your company’s reputation. We’ll elaborate on this in the next section.
Last but not least, you could also face lawsuits from customers affected by a data breach.
Regulatory compliance is an expensive exercise. One that requires additional resources as well as full cooperation of everyone involved. It is therefore critical for CEOs, CFOs, and other business leaders to support their CCOs, CISOs, CSOs, legal counsel, and others in the organization who will be in the thick of compliance activities.
4. Your reputation hinges on it
Data breaches, particularly those that involve customer data, can be a brand image nightmare. These incidents negatively impact customer trust and loyalty, and can eventually lead to increased customer churn and decreased new business.
In a 2015 survey conducted by PWC, the respondents were asked what made a particular incident ‘the worst’. Sixteen out of the 39 organizations who responded said ‘damage to their reputation’ had the greatest impact. The paper added that this was a growing concern, up from 30% in 2014 to 41% in 2015.
That's why enterprises would prefer to keep data breaches under wraps. Of course, due to legal mandates, disclosure is usually required. Many US state data breach notification laws set specific deadlines, commonly ranging from 30 to 90 days, within which affected individuals must be notified. Once the notifications reach the general public by way of the news media, reputational damage becomes inevitable.
Data breaches don't just ruin a brand's image. They can also ruin your personal reputation as the head of an organization. C-level executives from a wide range of companies, including Target, Avid Life Media, and Sony Pictures, have been forced to resign after their companies suffered a data breach.
Clearly, the impact of data breaches on your company’s reputation as well as your own personal reputation shouldn’t be taken lightly. As with every other aspect of your organization, the cyber security buck ultimately stops with you.
5. It impacts your bottom line
The effectiveness of your cyber security program can have a direct effect on your company’s bottom line. To understand how, let’s first discuss the financial consequences of a weak or non-existent security program; one that makes an organization vulnerable to a cyber attack.
Growing cost of cyber crime
Cyber attacks can have serious financial consequences and, according to the 2017 Cost of Cyber Crime Study jointly developed by the Ponemon Institute and Accenture, those consequences are getting worse. We can see this in the graph below, which was taken from that same study.
It shows the global average cost of cyber crime over a period of five years. Notice that the average cost grew by 62% over that period and that the slope has become steeper in the last two years.
Where the costs are coming from
But where are these costs coming from? Well, when a cyber attack happens, it triggers a series of activities within a company.
- First, the company scrambles to contain the attack.
- Second, it conducts a forensic investigation to identify the source, extent, and magnitude of the incident.
- Third, it carries out recovery undertakings.
- And fourth, the organization sets into motion initiatives aimed at reducing the chances of another attack. These may include purchasing new security solutions as well as establishing more stringent controls.
All these activities cost time and money. Worse, some of the costs grow with time: the longer a data breach takes to contain, the more expensive it becomes, because attackers have longer to exfiltrate data and spread, and more systems must be investigated and rebuilt. This correlation is depicted in the graph below. Taken from the 2017 Cost of Data Breach Study, the graph shows the relationship between mean time to contain (MTTC) and average total cost, measured in millions of USD.
In most cases, companies don’t have the in-house talent pool to handle these types of incidents. Thus, they’re usually forced to hire cyber security specialists to take the lead in these activities. The problem is, because the supply of skilled cyber security professionals is disproportionately lower than the demand, these specialists charge premium rates. Third party investigators, for instance, typically charge anywhere from $100 to $1,000 per hour.
Furthermore, activities related to containing, investigating and remediating a breach can be highly disruptive and may impact the productivity of various business units. In one of the theoretical scenarios featured in a Deloitte paper on the business impacts of cyber attacks, a US health insurer that suffered a data breach was forced to halt physician access to its patient care application as the company conducted an investigation.
While the investigation was underway, the company, its physicians and its providers had to resort to manual methods to validate coverage and claims. The estimated cost due to that particular operational disruption was pegged at $30 million.
If a cyber attack results in a data breach involving personally identifiable information (PII) protected by state or federal law, the company will most likely have to fulfill breach notification requirements. This typically entails informing affected customers via email, phone calls, and through announcements in prominent media outlets.
It’s these public disclosures of the breach that can cause reputation damage. As mentioned earlier, data breach incidents that involve customer data can lead to increased customer churn. Once these customers leave, they take along with them potential revenue.
The Cost of Data Breach Study cited above found that organizations that lost less than 1% of their customer base incurred an average total cost of $2.6 million, while organizations that lost 4% or more incurred an average cost of $5.1 million.
The problem is not limited to customer churn. Potential customers who learn of the breach will likely avoid the company as well. Naturally, a reduced number of customer acquisitions will also lead to lost opportunities and revenue. To mitigate the impact of negative publicity, some companies adopt strategies to rebuild their reputation – such as offering free credit monitoring or identity theft protection services – but these efforts cost money as well. A 2014 paper by Zurich Insurance estimates such services to range between $10 to $30 per customer.
Stolen PII isn't the only type of information that can amount to huge costs. Equally costly are stolen trade secrets, manufacturing processes, data analytics reports, blueprints, source code, and other intellectual property (IP). For some companies, intangible assets like IP make up at least 80% of their market value. If this information falls into the wrong hands, a company can quickly lose its competitive advantage and see its brand devalued.
Cost of downtime
Cloud security isn't only about defending against cyber attacks. It's also about maintaining high levels of availability. To be clear, unplanned downtime can never be ruled out entirely. Even the most mature cloud infrastructures aren't immune to outages.
Gartner estimated downtime to cost more than $300,000 per hour. That was three years ago. We could imagine, since more business operations are now highly dependent on network uptime, these costs will only continue to grow.
Downtime doesn't just cause customer dissatisfaction and missed opportunities. If the problem lies on your side of the shared responsibility model, say a misconfigured application or an exhausted database rather than a provider outage, downtime also brings the time-consuming tasks of troubleshooting, escalating and remediating the issue.
Because these tasks fall to your already overstretched IT team or to a third party you hire to help, you incur both indirect and direct costs. In some cases, you may also need to add disaster recovery costs.
Now that you know it’s possible to quantify the costs of cyber incidents, you should be able to make estimates tailored for your own organization. Once you factor those into your risk analysis, you can make more informed decisions as you develop your own security program.
The continued digital transformation of your organization means issues that historically would have been relegated to IT will become increasingly important to the C-suite. The more you steer your organization toward a cohesive plan today, the better positioned you will be to mitigate risk and guard your corporate reputation – as well as your bottom line.
Ponemon Institute and Accenture, 2017 Cost of Cyber Crime Study, 2017
PWC, 2015 Information Security Breaches Survey, 2015
Zurich Insurance Company, The good, the bad and the careless: An overview of corporate cyber risk, December 2014
Deloitte, Beneath the surface of a cyberattack: A deeper look at business impacts, 2016