AMES, Iowa – Hackers have attacked news organizations, social media sites, major corporations and government agencies, accessing private documents and personal information. Still most organizations do not prioritize cybersecurity as a strategic competency. A group of Iowa State University researchers says it is time for that philosophy to change. Corporations must develop a proactive strategy so they are not forced to react when there is a threat or security breach.
The cost to a corporation or the customer if hackers gain access to secure information is one factor to consider. With the growing demand for digitally shared data and information, security can no longer be viewed as just a necessary cost of business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.
“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”
Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cybersecurity until there is a problem, it’s too late.
“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”
Connectivity increases vulnerabilities
Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.
“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.
On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot be kept safe at home.
“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.
Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement. The case of Edward Snowden, a former National Security Agency contractor who leaked confidential documents to a journalist, is just one example of what can happen when that trust is broken.
Security as a competitive advantage
Making cybersecurity a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.
“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”
But DeMarie, Townsend and Mennecke see a strong cybersecurity system as a competitive edge to attract new clients and customers.
“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.
Security will increasingly become a greater priority for customers and clients as more business functions are handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage. The three researchers will present their paper, “Strategic Information Systems Security: Definition and Theoretical Model,” in August at the Americas Conference on Information Systems in Chicago.