Shareholders demanding cyber safeguards

The latest AMP Capital 2014-2015 Corporate and Governance report finds that shareholders are increasingly seeking assurances that the companies they invest in are considering data and cyber security at board level.

The report argues that given the significant reputational and financial implications of cyber security breaches, cyber and data security can no longer be considered purely a technology issue and should be included in discussions between shareholders, company management and boards. 

Karin Halliday, manager, corporate governance at AMP Capital, said that while data being collected and stored is beneficial, it can also be detrimental.

“Companies need to be increasingly vigilant in protecting the integrity and privacy of data and systems. While it may be costly for companies to implement processes and systems to adequately protect their data, not doing so could potentially be even more costly. News of data breaches can travel quickly and put a company’s reputation and financial stability at immediate risk.”

AMP Capital’s research found data security matters now, more than ever before. The report offers recommendations for precautionary measures for companies to take, including:

  • Identify the data, intellectual property and processes that are core to the success of the company and which must be protected.
  • Understand how security breaches could occur.
  • Educate staff on the importance of data and cyber security, including the implications of breaches.

Also highlighted in the report were numerous ways systems and data could be compromised. Ninety per cent of breaches can be put down to the actions of people.

Cyber and data threats could come from the following areas:

Internal threats

  • Staff being careless: accidentally sending emails to the wrong people, losing a memory stick, sending data via public WiFi.
  • Staff being malicious: information sent to a competitor, sensitive data improperly accessed by system administrators or IT personnel, fraud and disgruntled employees.

External threats

  • Social engineering that relies on staff being tricked by people to act contrary to their proper security processes.
  • Phishing, where third parties attempt to gain access to sensitive data by using websites or emails that appear legitimate.
  • An ex-employee accessing data.
  • A thief stealing a laptop computer.
  • Hackers or competitors monitoring data flows, or espionage.
  • Malware and viruses. (CryptoLocker is an example of malware – once activated it encrypts files and, akin to a kidnapping, payment of a ransom is required to regain access to files.)

Other threats

  • Natural disasters and physical equipment failure.