The Impact of Data Breaches and Hacking

    A Q&A with Professor Michael Siegel

    Data breaches and hacking incidents affect a myriad of entities in many industries, such as financial, retail, and technology. Analysis Group Principal Almudena Arcelus discussed the impact of these incidents with affiliate Michael Siegel, a Principal Research Scientist at the MIT Sloan School of Management, the Co-Director of the PROductivity from Information Technology (PROFIT) Project, and Associate Director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3.

    Almudena Arcelus: Based on your recent research and interactions with industry stakeholders, what are the most pressing issues on the minds of company boards and executives with respect to privacy and data security?

    Michael Siegel: Principal Research Scientist, MIT Sloan School of Management

    Professor Siegel: Most of the questions we are getting from board members through information technology executives are related to what is an appropriate cybersecurity framework. Cybersecurity is a mostly non-regulated field in which there are many issues to be discussed, including risk, compliance, security, and best practices. There is always a question of how much to spend and where to allocate resources.

    Ms. Arcelus: Based on your research, what would be your recommended approach for how companies can minimize their exposure to the potential disclosure of sensitive data through a breach?

    Professor Siegel: First and foremost, cybersecurity is about people, process, and technology. The largest emphasis is on people because most breaches – some say as much as 90% – have been aided and abetted, knowingly or unknowingly, by insiders in the organization. Most organizations have made building a culture around security a major priority. Many are using the NIST (National Institute of Standards and Technology) Cybersecurity Framework as an overall guide for understanding cyber-readiness.

    Ms. Arcelus: Are there any particular recommended cybersecurity practices and procedures for companies to employ to help combat the threat posed by hackers?

    Almudena Arcelus: Principal, Analysis Group

    Professor Siegel: The major areas of focus for an organization with respect to any cybersecurity threat are prevention, detection, and response. As hackers grow increasingly sophisticated, more and more organizations are realizing that prevention only goes so far. These organizations realize others will breach their systems and those breaches can go undetected for months or even years. Clearly, response capabilities are increasingly important and represent a significant budget item for leading organizations. 

    Ms. Arcelus: What are some emerging techniques that you are seeing companies implement to help limit the challenging threat from cybersecurity breaches?

    Professor Siegel: I think one very exciting area of research and practice relates to efforts to limit the number of vulnerabilities available to potential hackers (black hats). In recent years, hundreds of technology-focused organizations (e.g., Google, Facebook, Microsoft, Uber) have launched “bug bounty” programs. Under these programs, an organization pays friendly hackers (white hats) to identify its vulnerabilities. The vulnerabilities are then patched (though there can be problems when this is delayed) and as a result their software is safer to use.

    Non-technology companies are also beginning to offer bounty programs. United Airlines has had an active public bug bounty program for nearly a year, and many organizations have private programs. The Department of Defense through HackerOne (a platform for bounty programs) launched “Hack the Pentagon” in April 2016. Finally, FCA (Chrysler) just announced a bounty program for automobile systems.

    Notably, reducing the number of vulnerabilities through such programs only works if the organizations have the ability to patch the bugs quickly. Not doing so raises a whole new liability concern for these organizations. 

    Ms. Arcelus: So, given what we’ve just discussed, where can companies expect to see the best return on investment for their cybersecurity infrastructure?

    Professor Siegel: People, people, people. Without a strong security culture, an organization will not be effective in implementing its security protocols. For example, phishing (emails with links intended to allow malware to be loaded on a computer) has over 10% click-through rates in many organizations. All the efforts spent on securing the organization only work well if we don’t give away the keys to the house.

    Beyond this, a focus on allocating resources to prevention, detection, and response is crucial. Relying on a reactive mode of operation will not allow us to get ahead of those that threaten our organizations.