
Protecting Your Company from Identity Thieves and Hackers in a Digital World

Recent events have shown that companies are always vulnerable to internal and external attacks on their digital data. They need a holistic plan to protect themselves.

(originally published by Booz & Company)

During the past several months, protecting customer data has again become a hot topic for many companies. On a frequent basis, new data leaks have been reported in the press, and even leaders in the digital space have been affected. Just a few weeks ago, an employee working in IT for Vodafone Germany hacked the company, stealing the personal data of 2 million customers. And at the end of 2012, a CD-ROM with confidential data on German customers of the Swiss bank Julius Baer found its way to the German tax authorities.

Fortunately, not all recent instances of data theft have been as severe as these examples, but they clearly show that many new threats are not being mitigated effectively by regular security systems. It is also apparent that most companies are not even prepared for the more common risks—such as when traditional retailers lose data at the point of sale, or confidential customer data files with personal bank information are found in a shop’s trash bin. And in addition to the risks from criminal behavior and careless employees, there is the danger of being attacked by professional hackers, be it for industrial espionage by professional data wholesalers or even countries hacking each other’s sensitive information (something that has become more evident during the ongoing NSA espionage controversy). Depending on the intellectual property of a company, this might be a viable threat.

Most security systems are centered around firewalls, which supposedly save companies and their confidential data pools from outside hacking threats. But these approaches are limited. As the world becomes more and more interconnected, companies sometimes find it necessary to share their data pools with each other, opening them to the outside world, and making them more vulnerable to threats, despite safeguards like firewalls. This vulnerability is rooted in three underlying trends:

• Digital customers want companies to provide a best-in-class experience along all channels, including modern sales and service channels like online and, increasingly, mobile. As a result, all these channels now need to be integrated with the core operations platforms.

• Providing customers with personalized offers increases the likelihood of sales, which increases the need for social media and external platforms to be connected to the company’s internal IT.

• A globally interconnected world requires the tight integration of many third parties, such as suppliers and distributors.

In addition to the risks related to opening a company’s internal IT to the outside digital world, new threats are coming from within:

• Most modern companies increasingly use outsourcing providers or external suppliers that have access to critical data and even manage it, in some instances.

• Bring-your-own-device concepts allow employees to enter the firm’s network with their own mobile devices. This can reduce costs and increase employee convenience, but it also increases the complexity of securing confidential data.

• As customer data and other sensitive and important information become more valuable, it increases the likelihood for malicious employees to sell the firm’s confidential data to competitors.

Given these threats—both from the outside and the inside—companies have to engage in three critical areas to develop the most effective security system for their business and to successfully overcome the current security challenges:

• Data security must become a board topic: Given the exposure to and the risks associated with a company’s reputation and its share price, data security needs to be handled at the highest level.

• Data security must be handled holistically across functions: Data security is much more complicated than installing a few IT firewalls. There must be a company-wide and cross-functional plan to address digital security risks, as well as mitigation and action plans in place that include human resources, finance, marketing and communications, operations, IT and many other departments.

• Data security should follow a risk-based approach: There’s no way to mitigate all risks, but there is a need to understand and evaluate all risks (including internal and external threats), prepare for the most likely and the most impactful ones with proactive measures, and have a reactive action plan in place for the unlikely ones.

If data protection is done right, it can even become a differentiator in the market. It can also be actively promoted, and sometimes can even be used as part of the product offering, just as German email providers are currently promoting German legal data protection standards versus foreign competitors. Proactive, preventative measures can set companies apart from one another, and firms with more robust digital security measures could have an advantage over their competitors in attracting customers.

We want to hear from you. What is your company doing to protect its sensitive data? Tell us about your own efforts in preventing identity theft and hacking.

Andreas Spaene

Andreas Spaene is a partner with Strategy& based in Frankfurt. He is an expert in digital-enabled, strategic transformation programs in the trade, consumer goods, and telecommunications industries.

Nils Melcher

Nils Melcher is a principal with Strategy& based in Berlin. He specializes in large-scale ERP transformations and e-commerce/multichannel IT architectures in IT and consumer & retail.
