When Your Company's Security Walls Are Breached

Standard Chartered Bank recently caused a stir in Singapore when it reported the data theft of the February 2013 bank statements of 647 individual clients. The bank’s own IT and data security system was not at fault. It was, rather, one of its service providers – Fuji Xerox – that discovered “unauthorized access by a third party” of a server dedicated to printing the monthly statements of Standard Chartered private banking clients.

“We share the bank’s concerns on the theft of information on this system, and deeply regret the incident,” said a contrite Bert Wong, CEO, Fuji Xerox Singapore. “This is the first time in Fuji Xerox Singapore's history that such an incident has occurred.” A forensic team is now conducting “a thorough review.”
The Singapore incident is only the latest in a growing line of security breaches in Asia and elsewhere. Security breaches are on the rise, warns Big Four accounting firm PwC in a recent study. In the past 12 months, the number of incidents detected has increased by 25% compared with the previous year.
The financial costs incurred by such incidents are also going up, due to the cost and complexity needed to respond to the security breaches, including more stringent regulatory scrutiny, potential legal action and compensation to affected customers.
Average losses
The online PwC study, entitled The Global State of Information Security Survey 2014, was conducted by PwC, CIO magazine and CSO magazine from February to April 2013. The survey centered on topics related to privacy and information security safeguards and their alignment with the business.
More than 9,600 responses were garnered from C-suite executives (including CEOs, CIOs and CFOs) and directors of IT and security in 115 countries. Nearly four out of ten of respondents hailed from companies with revenue exceeding US$500 million.
Thirty-six percent were from North America, followed by Europe (26%), Asia Pacific (21%), South America (16%) and Middle East and Africa (2%). Respondents hailed from a variety of industries, including technology and financial services.
According to the study, the average losses from security breaches have gone up 18% in 2013 over 2012, with large liabilities increasing at a faster rate than smaller losses. Respondents reporting losses of more than US$10 million were up 51% from 2011.
Industries that reported the greatest financial losses from security incidents were oil & gas, pharmaceuticals and financial services. The percentage of respondents who suffered losses ranging from US$100,000 to US$999,999 went up from 19% in 2012 to 24% in 2013.
Emerging risks
The survey results also showed that continued investments in security products based on outdated models could have led to an increase in the percentage of major business stakeholders who are unaware of the number of security breaches their organization has suffered. The average number of incidents rose by 25% to 3,741 in the past 12 months, accompanied by an increase in percentage of respondents who are ignorant of the fact (14% in 2012 vs 18% in 2013).
“Traditional methods such as firewalls and securing infrastructure remain useful, but companies need to deal with emerging risks, particularly as technology grows more widespread,” says Mark Jansen, a Singapore-based risk partner at PwC.
Of the security incidents cited by respondents, employee and customer data appear to remain popular targets for attackers. Some 35% of respondents reported that employee records had been compromised while 31% said customer records had been compromised or were somehow unavailable during the past year.
Twenty-nine percent said internal records had suffered loss or damage, a greater than 100% jump over last year. Identity theft, which involves the pilfering of client or employee data, came in at 23%.
Technological tools
Quite disturbingly, the PwC survey found that many organizations have not implemented technological tools that could provide insight into risk and help mitigate it. Of respondents who answered that their organizations lack security safeguards, 52% said their company had not implemented tools for behavioral profiling and monitoring.
That’s unfortunate. “Using data analytics to examine user behaviors could help organizations close security gaps,” says Jansen.
Furthermore, organizations that have processes in place to safeguard high value information seem to be on the decline. Just 17% of respondents said their organizations practice classifying the business value of data, down from 22% in 2011, while just 31% of respondents conduct regular reviews of users and access, down from 37% in 2011.
All that said, there is a bit of good news. Organizations have invested in some useful technologies, including malicious code detection tools (74%), vulnerability scanning tools (62%), and data loss prevention tools (58%). But as PwC notes, much more needs to be done, particularly with data analytics.
Behind in mobile
The survey also noted that security policies for mobile devices have not quite kept pace with the rate at which those same devices are proliferating organizations. Respondents who said their organization has implemented mobile security strategies rose just two percentage points to 42% from 2012. The number of companies that have implemented some form of management software for mobile devices rose just a percentage point to 39%.
Interestingly, the percentage of respondents who said their company banned user-owned devices fell three percentage points to 30%, hinting at organizations’ acceptance of users bringing their own devices to the office. “Firms are starting to realize that they have to go along with users; they’re learning that they have to manage risk instead of avoiding it,” says Shong Ye Tan, an IT risk and cybersecurity leader at PwC.
The lack of collaboration with other industry players was also found to be a barrier to improving firms’ security postures. Survey results showed 28% of respondents do not collaborate with others.
Some reasons cited for not doing so include not wanting to draw attention to potential weaknesses (33%), concerns that a competitor would use information gained against the organization (28%), general distrust of competitors (22%) and that organizations with more resources would use collaboration to their advantage (16%).
According to Tan, this lack of collaboration is a pity, as collaboration is a powerful tool for achieving business effectiveness. “If one party encounters incidents and shares the experience with others, everyone benefits,” states Tan.
Risks from outsourcing
The Standard Chartered data theft case has highlighted the extra vigilance organizations need to practice when dealing with outsourcing providers.
PwC recommends that organizations ask these key questions when evaluating the capabilities and performance of outsourcing providers:
Does your outsourcing partner
  • provide you with regular reporting on service levels and incidents?
  • proactively look beyond your Service Level Agreements (SLAs) to provider better security/service?
  • understand your needs for maintaining regulatory compliance?
Does your business
  • conduct regular operational design effectiveness in relation to outsourcing partners?
  • assess outsourcing partners employees including competency and background
  • assess outsourcing partners for Data Loss Prevention (DLP) capability?
It’s a bit too late for Standard Chartered, although its recent experience should provide good lessons going forward. For now, the bank is following the best practice playbook.  
“The confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously,” said Ray Feguson, CEO of Standard Chartered Bank Singapore. “Customer data protection is our responsibility and we sincerely apologize to all our customers and specifically to our Private Bank clients who have been affected.”
All 647 private banking clients have been contacted. Standard Chartered emphasized that no wholesale banking, SME and retail customers were affected. Both the bank and Fuji Xerox said they were working closely with the police, who are conducting an investigation.
Regulatory fallout
For its part, the Monetary Authority of Singapore said it would review Standard Chartered’s report on the data breach to decide whether regulatory action against the bank is warranted. The central bank reiterated its requirements for financial institutions to conduct regular vulnerability assessment, penetration tests and external audits of the effectiveness of controls.
“MAS takes a serious view of such threats and has stringent requirements in place for FIs to protect the security of their IT systems and confidentiality of their client data,” it said in a statement. “These requirements apply regardless of whether such client data are processed in-house or at third party service providers.”
It all just goes to show how potentially costly and complicated a security breach can be – and why it is so important for CFOs, CIOs and other C-level executives to focus on prevention.
About the Author

Melissa Chua is a Contributing Editor at CFO Innovation.