Why Information Security should matter to you.
July 26, 2016
Why should you be concerned about data security?
The risk of data loss may not be viewed as a high priority in all organizations. However, it is viewed as a high priority by their customers, vendors, clients, employees and trading partners. So by extension, the damage to brand, customers and employees is a critical issue to the success of every company, even those who do not have a full appreciation for the risk of their own information loss. The potential damage to reputation, not to mention the cost of fines and incident response, should be regularly discussed by every executive team.
The average cost of a data loss incident in the United States is $3.8 million, according to a 2015 benchmark study by the Ponemon Institute. The cost to affected businesses averages $154 per lost data record. And according to Privacy Rights Clearinghouse, more than 121 million data records were compromised in the U.S. in 2015. This represents an increase of more than 70 million compromised records, nearly a 150% jump, over just the past two years.
The simple fact is the people you do business with have the expectation their sensitive data will be handled with due care and that you will take appropriate steps to safeguard their information. These business partners want to know they will not be put at undue risk when connecting with your systems and sharing files in the normal course of doing business together.
One trap the business operator may fall into is lacking the imagination to value data in the same way the criminal does. For example, most people would be surprised to learn their own health care record could fetch as much as $28 on the black market. A criminal can use your stolen medical history to submit fraudulent medical bills. Due to this, medical records could be worth 10 times more than a stolen credit card record.
Another question the business owner rarely considers is what they would be willing to pay to regain access to their own business data. In an increasingly common scheme, the criminal finds a weak point into a system, encrypts all of the business’s electronic records, and then demands the owner pay a “ransom” to regain access to their own systems.
State sponsors of industrial espionage are real. Intellectual property, trade secrets, and anything else of value are foreign government targets. One country in particular is believed to have committed a multi-billion dollar budget to their economic espionage program. Victims range from the small operator to industry giants like Google.
Common schemes prey on the lack of employee training to defend against fraudsters. Some examples include social engineering to get an employee to unknowingly expose data, “spear phishing” schemes that deliver harmful email attachments onto the host’s system, and carefully disguised emails sent to finance managers (who believed they were written by their own company’s CEO) with instructions on “paying an invoice”.
These are just a few of the many reasons why businesses must closely examine the controls in place for protecting their information, networks, and systems.
Some of the critical data which needs to be protected:
- Passwords
- Customer lists
- Business plans
- Proprietary processes and data
- Pricing lists
- Contracts
- Employee contact information
- Employment records
- Health care records
- Credit card data
- Financial records
- Social Security numbers
- Payroll data
- Research and Development
A review of a business’s risk portfolio is an important first step in formulating an overall information security strategy. This will keep the business records safe from tampering or alteration, make sure that critical information is available when needed, and lower the likelihood that critical data falls into the wrong hands.