BreachExchange mailing list archives

The war on data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 12 Jun 2015 13:03:35 -0600

http://www.information-age.com/technology/security/123459653/war-data-breaches

A recent survey by the Ponemon Institute highlighted that poor
communication, a need for more leadership and lack of board oversight are
just some of the key reasons why some businesses are now at greater risk of
an information data breach.

More worryingly, 70% of executives surveyed did not fully understand the
risks associated with a data breach.

The survey also found that even when a data breach has occurred within an
organisation, 65% of IT practitioners would modify or filter reports about
a security incident.

It is therefore likely that many CEOs, directors and other corporate
leaders are in the dark about the state of their organisations’ breach
preparedness.

This statistic highlights the importance of staff working as a team to
create the most robust data protection system possible, rather than simply
expecting it to be taken care of.

In 2014 alone, this knowledge gap and lack of preparedness resulted in 38
UK organisations incurring average costs of £3.56 million each due to data
breaches – with individual costs ranging from £544,964 to £14 million.

With the risks of data breaches on the increase and security growing ever
more vital, it is now more important than ever for senior business leaders
to work closely with IT functions within a business.

IT professionals have pressure from senior leaders to quickly find and
implement a solution to an IT issue. But this traditional, reactive
approach won’t work any longer.

As the threats faced by businesses become more sophisticated, data
protection systems must also improve and be ready for a breach before it
occurs.

To achieve this, senior leaders and IT professionals now need to work more
collaboratively and transparently together.

In doing so, they can devise security solutions that are ‘tailored’ to
their business, allowing staff to carry out their job to a high standard
whilst minimising the risk associated with a data breach.

This will ultimately place a business in a position that better protects
its brand, reputation and data.

Whilst implementing solutions that prevent data breaches is critical,
research by the Ponemon Institute also suggests that almost 50% of those
surveyed were unclear on an incident response plan should a data breach
occur. This is an area that needs to be jointly addressed by business
leaders and IT practitioners.

For any business looking to implement an information security programme,
here are three key pieces of advice:

1. You can’t embark on a project like this alone

If you have no experience of information security management then bring in
a consultant - there is no substitute for the knowledge and skills that
they can provide. A consultant will not only perform an initial Gap
Analysis but can also implement a skills transfer programme to provide
staff with essential knowledge moving forward. Alternatively, you could
recruit a person who has this knowledge to be an ‘in-house’ expert.

2. It’s vital that the entire senior management team understands the
purpose of the programme and has the ability to input

Without their buy-in, the programme will never be 100% effective.
Similarly, if staff do not adhere to policies and procedures that are
implemented, data could still be at risk.

3. You need an individual who is going to drive this initiative through the
organisation

Depending on the size of your business, this could be a full- or part-time
role – but one person has to be on hand to continually update documentation
and ensure people are engaged with the programme.

Staff ‘buy-in’ is essential to making the programme a success and this
buy-in will come from knowledge and understanding of why the new
initiatives are necessary.

IT functions will continue to face an increasing number of challenges in
the coming years. The lines between IT and other functions in an
organisation are now becoming increasingly blurred.

It is therefore of paramount importance that all involved proactively
collaborate and co-create, resulting in the very best system for that
specific organisation. For this to truly happen, it must come from the top,
so the initiative can feed down into every area of the organisation.

Business leaders must understand the importance behind a company’s data and
how they will protect it in the long term. After all, it is surely better
to have a reputation for excellence than to be a company that has faced a
data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
