Today, cybercriminals are working around the clock to create and deploy new threats as fast as companies can react to them. Hacking and theft of intellectual property are becoming more prevalent and costly. Unfortunately, while threats are on an upswing, it has been reported that corporate spending on cyber-protection has decreased. According to the “Global State of Information Security Survey 2015” conducted by PricewaterhouseCoopers, respondents in 2014 reported that the number of detected incidents soared to a total of 42.8 million, a 48 percent leap over 2013, with financial losses increasing 34 percent over 2013. Security spending actually declined last year, reversing a three-year trend. The average information security budget dipped to $4.1 million in 2014, down four percent from the $4.3 million average spend in 2013. To maximize the chances of repelling an attack, it is incumbent upon organizational leaders to focus on staying ahead of the curve.
Elevating an organization's security begins with acknowledging that it is not just an IT function. Because a data breach can be so devastating, all functional areas within a company must be intimately involved. Compliance with legal and regulatory requirements, along with the fines that accompany violations, is one thing. Loss of credibility, loss of trust and destruction of a firm's brand are other potential repercussions that reach far beyond the IT department. The average cost to a company for a data breach was $3.5 million in 2013, according to the “2014 Cost of Data Breach Study: Global Analysis” by Ponemon Institute. Target's brand lost $1 billion in value after its hacking incident was made public, including a 35-point reduction in the value of its brand on the Brand Index scale within days of the attack.
This should be a concern to all organizations, large and small. If large corporations such as retail entities or banks are being breached with relative ease, how much more vulnerable is the average company? Here are four commonly overlooked areas that companies can examine to immediately raise their security profile.
First, don't overlook internal threats. The people you trust the most may be misappropriating sensitive data for their personal gain. Organizations face the challenging task of balancing openness and trust with privacy and protection. Yet a data breach could be one USB drive or one misplaced laptop away from occurring. Ensure that the onboarding process for new hires includes detailed information on the company's security policies, along with the potential repercussions for violating them. Most employees just sign the obligatory compliance form and forget it, so consider making reminders a regular part of annual performance reviews.
Second, it may seem obvious to state, but compliance requirements must be a top priority for chief information officers and chief security officers. Corporate officers and organization leaders need to realize that all networks are at risk and represent immeasurable amounts of liability to their organization. Compliance requirements vary significantly according to industry type as well as the type of sensitive data handled. The alphabet soup of PCI, PII, HIPAA, SOC I, II and III, and FISMA represents just a few examples. Ensure strict adherence to the correct protocols by bringing in experts in each area to do an honest risk assessment.
Third, be continually on the lookout for innovative technology that can help secure and protect sensitive data. While the stats may look bleak, private industry is hard at work finding new ways to plug the biggest gaps in security, such as the use of MicroTokenization to encrypt data all the way down to the byte level. Traditional network security defenses, standard encryption and firewalls are commonly used techniques that may not be adequate to combat sophisticated threats.

Last, take a good hard look at your email security protocols. Considering the amount of confidential information transmitted by email, all email communications must be locked down with platforms that do more than encrypt the transmission. Most encrypted email systems are designed only to protect data in transit and do little or nothing to protect email data at rest. Once an email is delivered, the sensitive data it carries remains open and unencrypted on every device that receives it: as soon as the receiving party opens an encrypted communication, the data is decrypted and available for exploitation.