Confidentiality Concerns? Understanding the Costs and Threats
When it comes to cybersecurity concerns, the fear of data being disclosed to unauthorized individuals is arguably the biggest cause of insomnia for CEOs. I previously introduced the security triad, the framework for a resilient information security program. The first part of the triad is confidentiality, and it’s a big one: What if YOUR organization is the next to have high-level proprietary data stolen? To have payroll data accessed by an unauthorized employee? To have sensitive customer information exposed?
Don’t think your business can’t be a target for cyber criminals. Any organization that uses the Internet or stores personal or confidential information in an electronic database or in the cloud is vulnerable. Of course, you would never knowingly put your customers (and your business reputation) at risk, but lax IT security practices may jeopardize your customers' sensitive information and expose them (and your organization) to potentially crippling damage.
The Rising Cost of Data Breaches
According to the Ponemon Institute, the per capita cost of a data breach has been increasing significantly, from less than $201 in 2014 to $217 in 2015. And that number is likely to increase again this year.
Some industries see a far greater cost and risk. According to the Ponemon report, heavily regulated sectors such as healthcare, pharmaceutical, financial, energy, transportation, communications and education tend to have a substantially higher per capita data breach cost. Regardless of the size of your business, the industry you are in—and the level of regulation to which you need to adhere—will more than likely determine the size of the risk and the financial impact of a data breach or loss of confidentiality.
Total organizational costs are also increasing. Ponemon reports that total costs rose 11 percent in 2015 even though the total number of records lost to data breach only grew by 2 percent. Organizations are investing in more robust programs and technologies, hiring more security professionals (internally or externally), buying cyber insurance for the first time, and implementing reputation-saving marketing programs and customer-protection programs like free credit monitoring.
The Myriad Threats
Experts agree that the trend in damage, cost and risk related to data confidentiality is only going to continue to grow, because would-be attackers evolve along with the technology. Let’s look at some of the trends that could expose your business.
Phishing: Organizations may have robust defenses against traditional hacking, then become the victim of a breach after an employee unwittingly falls for a scam and provides credentials needed to give an attacker access to your data. “Whaling,” a phishing attack targeting a C-level employee, is expected to increase, as senior management employees by definition have access to more valuable organization data and may not be up to date with security awareness training that was mandated for lower-level employees.
Big data: The more data touchpoints and the further we are from the data itself present new challenges to the confidentiality our data. We need to think about security at each point, from collection, such as a POS device (this is where Target was exploited), to storage in the cloud (managed by a third party). Your own security may be robust, but what would happen if the provider hosting your data were compromised?
BYOD and IoT: Bring Your Own Device (BYOD), in which organizations allow employees to use their own devices for business, has helped cut hardware and service costs. But it has resulted in an increase in vulnerable access points to your organization’s confidential data. Likewise, the Internet of Things (IoT), in which more online devices provide efficiency and value-added functionality, also increases the number of potentially vulnerable end points. Think about the rise in wearable devices, especially in healthcare. In its Research Predictions 2016, Forrester sees this as a major threat:, “In addition to attacks at the device collecting the data, determined attackers will target the data analysis engine stored in either private or public cloud and medical data centers. The result of a compromise at this link in the data chain could be catastrophic; in this scenario, data for every patient in the hospital is held ransom.”
EMV (Europay, MasterCard and Visa) chip cards: Last fall, U.S. credit card issuers began issuing EMV-compliant cards, which store data on an integrated circuit rather than on the traditional magnetic strip. Though this is intended to reduce certain types of fraud, the advent of new technologies presents cyber criminals with new avenues of attack, with CNP (card-not-present) fraud being just one example.
Protect Your Data—And Your Customers
The critical first step for organizations to take to protect data is to follow the simple rules of access control and encryption. According to the 2015 State of File Collaboration Security report, more than 80 percent of organizations surveyed experienced an internal data security breach through leakage incidents‚—usually involving inappropriate document sharing both inside and outside the organization. All the expensive defense systems you can buy will be useless if a breach occurs because of lax internal IT practices.
Access control: Make sure your assets are not accessible to unauthorized users. Require users to authenticate, and then access may be granted based on their proven identity. Setting the default to deny access and using RBAC (Role-based Access Control) are the simplest ways to ensure that only employees at certain levels of trust have access to confidential data.
Encryption: Any data accessible or sent across a wire without users having to prove their identity should be encrypted so it is not readable to an unauthorized user in the event it’s stolen or intercepted. There is simply no excuse for leaving any confidential data in plain text.
In addition to access control and encryption, protecting data involves protecting every device and following security best practices. This means:
Protecting Your Reputation
Let’s go back to what can be the greatest impact on your bottom line: your reputation and your customers’ loyalty. Some relatively simple practices could increase customers’ confidence in your business.
- Protect the data they give you by treating it with the highest level of confidentiality.
- Have a data retention policy. If you no longer need data, destroy it.
Though the threat of data breaches is a cause for concern, understanding the risks and costs, and implementing a strategy based in security best practices, can help ease the worry for business leaders.
Next, I’ll tackle the second part of the security triad: loss of integrity, when data or an IT system has been modified or destroyed by an unauthorized entity.