In his (at present) latest blog post Brian Krebs writes about the hack of smart meters of energy companies. Most likely to the great surprise to all in the management functions at these companies, the introduction of smart meters has made the company vulnerable to cyber threats. What seemed to be a great way to save money, is all of a sudden a liability to the company and costing a lot, maybe millions on an annual basis.
Again I’m blogging that cyber security saves money, a lesson that seems to become more and more costly to learn.
Smart meters (and other technological ICT solutions) save money directly. No more meter men and administration by hand, there is direct information on peak use, etc. Fully automated. It seems like a simple add and subtract sum that easily convinced management that this is a ‘smart’ move to make. And it ought to be.
What usually is not on the management decision list seems to be the security around the ICT product’s implementation. If it had been, we would not have been hearing of all the hacks, losses of money and/or (privacy sensitive) data recently as much as we have.
Privacy and money
Krebs’ article is mainly on loss of revenue. In the debate around the introduction of smart meters in The Netherlands the focus was mainly on potential loss of privacy. When is someone taking a shower or at home?, were question privacy activists worried about.
However, both issues are two sides of the same coin. Security, whichever way, has not been a priority for companies, but they are learning the hard way that it should. And fast, in public, with pants down.
Privacy does not seem a major issue to companies. Otherwise they would have stepped up their security by now. When it is starting to cost major bucks, like in Krebs’ example, security may well become a trending topic in board rooms. If it doesn’t now, then what does it take to do so? As a result privacy will profit from these decisions.
Security saves money
Money spent on security now, equals saving money in the future. Any company deciding on ICT solutions should as of today take security into account. All that were too late to do so, have to do some backtracking and amend their ways to save money in the future.
Security is also a product to advertise with, to make a distinction with and spares a company embarrassments.
Again we have an example of an ICT product being deployed by a company without overlooking the consequences for itself, let alone for it’s customers. Just because it’s technically possible to do so and saves money too, or so it seemed. In this example smart meters. This is an attitude that needs to change, but how?
My best effort here is that a chief information security officer needs to be in place and (s)he has to have enough clout within a company to be able to make a difference. That should help as a start.
Wout de Natris, De Natris Consult
Leiderdorp, 10 April 2012