With all the public incidents where hackers attacked various organizations, it is still apparent companies do not prioritize cyber security as a strategic competency.
Corporations must develop a proactive strategy so they do not have to react when there is a threat or security breach, said a group of Iowa State University (ISU) researchers.
The cost to a corporation or the customer if hackers gain access to secure information is one factor to consider. With the growing demand for digitally shared data and information, companies can no longer considers security a necessary cost of business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.
“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”
Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cyber security until there is a problem, it’s too late.
“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”
Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.
“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.
On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot stay safe at home.
“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.
Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement.
Making cyber security a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.
“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”
But DeMarie, Townsend and Mennecke see a strong cyber security system as a competitive edge to attract new clients and customers.
“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.
Security will increasingly become a greater priority for customers and clients as more business functions end up handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage.