With the IT rhetoric over the last few years so heavily dominated by the cloud and big data, business leaders are in danger of ignoring the ongoing importance of IT security. The rise of big data has meant that organisations are no longer protecting just their own data, but data belonging to other people and businesses as well. Security breaches can result in confidential data getting into the wrong hands. In today’s environment, the consequences can be detrimental to an organisation’s reputation.
Many organisations throughout this country have failed to look at IT security as something in which they need to invest. Research by KPMG has revealed that 1 in 3 executives in Britain place people skills as their number one business concern, with investment in cyber security coming in third, behind plant or machinery purchases. Worryingly, according to an EY survey, only 17% believe their security regime meets the business needs of the company.
An IT security regime, however, is not only about investing in software and security systems; investment needs to be supported by good governance and ensuring employees adhere to company procedures and safe practice to reduce the risk of security breaches.
The Cost Of A Security Breach
A recent Globalscape survey revealed that just an hour of system downtime can cost an enterprise between £150,000 and £600,000. Repercussions for a data breach can be even greater than this. According to a Websense-Ponemon report, data breaches can cost an average of £3.2 million per organisation. Therefore, investing in effective security regimes and enforcing secure procedures, backed by strong governance, will pay off in the long term, as the chance of an expensive data breach will be reduced.
We saw just recently that a hotel booking site, HotelHippo.com, was forced to shut down because of a data leak in which shoppers' home addresses and the length of their holidays could be extracted by potential burglars. The level of revenue lost by the website shutting down completely is so far unknown, but I would expect it to be high, as it is essentially the equivalent of a shop trying to do business with the doors locked. A data breach such as this is easily avoided simply by investing in a website with effective security protocols.
The HotelHippo.com example is of course an anomaly. It is unusual for a data breach to be caused by a company failing to comply with ICO regulations. Many issues are caused by poor governance. A number of common practices are threatening the security of business data. These include sending emails across unsecured networks, the use of unencrypted mobile devices, and the use of public cloud platforms to share corporate data.
Sending corporate data using a personal email account is one of the most dangerous means to share company files. A Globalscape survey has shown that in the last 12 months, 63 percent of employees have used their personal email accounts to send and receive sensitive work documents. However, it is even more surprising to learn that 74 percent of those employees believe their organisations approve of this practice. Many personal email accounts are supported on public networks such as Gmail, which are often the target of hackers, partly because of their high-profile nature and high number of inexperienced users.
Our research has also found that 63 percent of employees have used remote storage devices like USBs to carry confidential files. Transporting this confidential information via unencrypted devices is especially dangerous. Although many businesses have chosen to ban unencrypted mobile devices, according to our research, this has had little impact on securing business data.
One of the most serious dangers posed to enterprise security is the threat from consumer file sharing solutions like Dropbox and iCloud. These systems have a much higher hacker profile than enterprise-level systems, and hackers are wise to the amount of corporate data being shared on these services, along with questionable security protocols.
Although many users are unaware of this, it is stated in the terms and conditions that data can be gathered from files on their systems. This is a serious concern for businesses, as they are not only placing trust in their own staff, but the staff members of the host also. Worryingly, our research has shown a staggering 45 percent of employees have used Dropbox or other consumer sites to share confidential business information.
It is therefore critical for businesses whose employees regularly need to distribute files to invest in a managed file transfer system in order to avoid risking a data breach by storing corporate data on a public system. Combining investments in IT security with strong governance and enforcement of security policy (for example, a ban on USBs, the use of public clouds and personal emails) will dramatically reduce the risk of a data breach.
The bottom line is that it is imperative that control of data is retained, and by failing to enforce strong IT governance within the company culture and invest in security systems, IT departments will lose control of their data. Losing control will run the risk of bringing organisations out of compliance with the Data Protection Act, and a breach will inevitably be expensive and damaging to an organisation’s reputation. Failing to invest in, and manage, IT security is simply irresponsible.