Make no mistake, a massive corporate data breach could very well end up financially ruining a company.
Corporate data comes in many shapes and sizes, but the questions become: what kind of business information is the most sacred, and how should you protect it?
The many faces of ‘corporate’ information
According to Code42’s recent CTRL-Z Study, 33% of IT executives today view financial information as their top data protection priority. Should it be made public, the exposure of balance sheets, payroll information, and income and cash flow statements could jeopardise an organisation’s bottom line and share price – not to mention its brand and corporate reputation.
Code42’s CTRL-Z study also showed that 87% of IT decision makers believe losing all corporate data currently held on endpoint devices such as laptops and desktops would be business destroying or seriously disruptive. For example, customer data, often stored on endpoints, should be protected and transferred with just as much care and attention as other sensitive data sets.
Customers are a main source of revenue for any organisation so it stands to reason that their information and intellectual property (IP) should hold equal weighting with other types of business data.
When it comes to building a successful data security strategy, the point is that you should not place undue emphasis on one type of data over another. Get the prioritisation wrong and it could carry stiff financial penalties should a breach occur.
The price tag for a security miscalculation
The price tag for a security miscalculation is high. TalkTalk, for example, has been fined by the ICO a total of £500,000 in the last three years for not doing enough to safeguard customer information across two large data breaches.
The impact of the monetary fine should not be underestimated, but you can bet that the financial fallout from the mass exodus of customers, and associated brand damage, has been the real pain point for the organisation.
Another recent and much bigger loss of customer IP happened in Malaysia, when an unknown hacker obtained millions of sensitive customer records from Malaysian telecoms and network operators, and then published them on the dark web. Needless to say, the associated identity theft of customers and knock-on brand damage were vast.
Soon the penalties for security missteps are going to climb higher. When the General Data Protection Regulation (GDPR) gets enacted into European law in May 2018, you can add another €20m or four per cent of an organisation’s global annual turnover, whichever is greater, to the overall breach bill too. This is an automatic fine if a company has been deemed to not do enough to safeguard sensitive customer or stakeholder IP.
Building a security culture
While there is no magic ‘undo button’ to protect an organisation and its data against a breach, there are steps that can be taken to counteract or mitigate the harmful side effects.
This starts with understanding the flow of different types of data across an organisation. To assume, for example, that sensitive information is accessible only to a specific department and kept under suitable lock and key would be short-sighted.
Multiple business lines and employees at varying levels in the organisation will almost certainly have access to sensitive proprietary company information. Therefore, every device that could come into contact with it must be protected accordingly.
Once the different data types and their usual movement patterns have been identified, it is vital to ensure that employees are aware of, and educated about, a company’s security policy. They need to know the best practices for transmitting and storing various types of corporate data. They also must be given the appropriate tools to do their jobs – tools that have been sanctioned by the IT department as safe to use.
Fail to provide your employees with the right tools, and they could well become one of the 52% of business decision makers who use unauthorised programs or applications to get their jobs done. Needless to say, this can become very problematic from an infosec perspective.
Make infosec tools work for you
Obviously, a full suite of complementary security tools is a must to safeguard varying types of information outside and inside the walls of the organisation. Antivirus, multi-factor authentication, and endpoint monitoring and backup technologies should be deployed as minimum requirements. It is also essential that when sensitive information is backed up, it remains encrypted at rest on a device or in the cloud, as well as in transit between these locations.
Additionally, encryption keys should be kept with the organisation on-site, in a secure, preferably offline location. This ensures that if a breach does occur, that information will be in an inaccessible format to prying eyes.
It is important to understand that corporate IP, whatever the type, really is the lifeblood of an organisation. Therefore, it needs to be protected to maintain client and stakeholder trust.
Maintaining good cyber security hygiene, as well as building a security strategy backed by best practices and a full security stack, will be key to your success.
Sourced by Richard Agnew, VP UK, I & Northern Europe at Code42