J.P. Morgan’s $200 million problem (and Target’s and Yahoo’s and Barclays’ …)

Becky Quick is an anchor on CNBC’s Squawk Box.

This is the era of big data. Corporate America is collecting so much information on us that companies don’t know what to do with it all. But are they protecting it?

The resounding answer lately seems to be no. Every time you turn around there’s a new tale of espionage, with thieves plundering our personal information — our bank accounts and PIN codes, addresses, and phone numbers. Data breaches at Target, Neiman Marcus, Barclays, and Yahoo’s email service alone have yielded information on more than 70 million consumers in recent months. And those are just the attacks we know about.

It’s not that the data pirates are new to the world of business. It’s just that so much more business activity takes place online these days that the bounty is heftier — and more tempting — than ever before. Plus, today’s criminals are vastly more sophisticated. “It wasn’t that long ago that it was bored teenagers hacking into systems,” says tech entrepreneur and investor Marc Andreessen. “If you were a CEO, you could ignore technology issues, unless your printer was broken, and then you’d call the tech guy.”

But those days are gone for good. Today every big company — no matter the industry — needs a data-protection plan, Andreessen says. In fact, his venture capital firm, Andreessen Horowitz, is investing in firms that help corporations guard against cyberthreats and attacks. But Andreessen also kicks the tires to make sure the companies his firm backs, no matter how small, have their own robust security systems in place. Indeed, it’s a good proxy for a startup’s IT chops. “The more technically competent the company, the easier time it has fighting off attackers,” Andreessen explains.

Some industries figured that out faster than others — frequently out of necessity. The big banks, for instance, have to fight off attacks daily. Often the hackers are employing massive computing power, and sometimes they are backed and supported by nation states, industry insiders say. “These crooks are brilliant,” says Jamie Dimon, chairman and CEO of J.P. Morgan Chase. “It’s a battle, it’s ongoing, and it’s only going to get tougher.”

And more expensive too. In his annual letter to shareholders last year, Dimon wrote that his bank employs more than 600 people across the firm and spends about $200 million a year to protect its data and fend off cyberwarfare. But that was probably a lowball estimate, he tells me, adding that he expects the figure to climb by 20% to 40% a year over the next several years.

While the banks are keeping vigilant watch, the whole ecosystem is only as strong as the weakest link. The Target breach, for example, was traced back to credentials stolen from a vendor. And that’s where the problem really gets complicated: Who will protect us from businesses that haven’t made cybersecurity a priority? It sounds like a job for the government, which has the authority to more tightly regulate businesses and require far greater disclosure when an attacked company loses customer data.

Of course, before the government can start throwing stones, it has to get its own glass house in order. For weeks after the rollout of the Obamacare enrollment website HealthCare.gov, security experts warned that hackers with a bare minimum of coding expertise could easily reset your password or hijack your account. And then there’s the Internal Revenue Service, which in 2011 sent out almost $4 billion to people who used stolen identities to file bogus tax returns. Using stolen Social Security numbers, the thieves claimed returns for prisoners, children, and dead people.

In the end, it’s likely to be angry consumers who end up forcing the issue on companies with lax security policies. After years of blissful ignorance, Americans are awakening to the huge threat from online crooks — and businesses that play fast and loose with consumers’ private information. Hopefully, corporate America is getting the wake-up call too. The bottom line: If you can’t protect it, don’t collect it.

This story is from the March 17, 2014 issue of Fortune.