Information insecurity: businesses not ready for cyber crime wave

Deloitte survey shows lack of confidence in stemming enterprise data theft; but weaknesses can be overcome.
Written by Joe McKendrick, Contributing Writer

Most, if not all executives and managers care a great deal about the security of their data. And most, if not all, would do what it takes to prevent or stop the data from being stolen or compromised.  So why is data security such a big problem?

The problem is that there is so much data residing in so many parts of the organization, on so many machines, that even the most conscientious manager doesn't have a grasp of what's sensitive, or what's secure and what isn't. A lot of data might be out at vendor/partner sites. Add to this confusion a global underworld of hackers constantly trying to get at valuable data for resale.

So there's a lot of work to be done, according to poll results just released by Deloitte. Fewer than six percent of respondents polled during a recent Deloitte Webcast on the topic were “highly confident” that enterprises have sufficient controls in place to minimize the occurrence of cyber crime. In fact, almost 40 percent of the 1,600 poll respondents are “not confident” in controls implemented by enterprises.

There are costs and impacts that ripple through the entire enterprise as a result of a security breach, John Clark, partner in the security & privacy services practice at Deloitte, says in the Webcast. The financial impact alone is an eye-opener -- he cited estimates from the Ponemon Institute that put the average cost of a data breach at about $202 per record. That works out to average total losses ranging from $613,000 to $32 million per incident, he relates.

Why are the costs of a data breach so high?  "A large portion relates to lost business," Clark explains. "There's also the time and energy to respond to those incidents.  There's the  notification that's required to customers and others. … There's also an impact from a compliance standpoint, and regulatory requirements. These types of breaches may lead to regulatory enforcement action from the Federal Trade Commission, state attorneys general, or others."

Then there's the operational impact -- a single major security breach "has potential of impacting almost every area of your business," Clark relates. "What you tell your customers when they call in and ask questions. You may need to initiate marketing campaigns targeted on supporting the customer. When their information is breached, it breaches that level of trust that you had with your customer. Then there is the public relations standpoint -- you may have a sticky situation with the media."

Add to all this the "costs of information technology, people and remediating, responding and reacting to the incident, versus working in a strategic area that would add to revenue to the business. Then there's the question of what you're going to tell your employees and what you're going to tell your salesforce when it interacts with your customers."

When asked what their experience was with respect to cyber crime, the majority of participants (68 percent) responded that they have received phishing e-mail messages, and 12 percent of respondents reported their organizations have been targeted by cyber criminals. Asked what type of information senior management in their organizations was most concerned about cyber criminals gaining access to, participants cited customer personal information (38 percent), financial information (22 percent), followed by intellectual property or business plans (12 percent).

The threats keep growing, and there is an entire underground global economy that deals with the buying and selling of hijacked data. This underworld is so huge and pervasive that it's beyond the reach of law enforcement, Clark and Webcast co-presenter John Kula, director in the forensic & dispute services practice of Deloitte Financial Advisory Services, point out.

What's a company to do then, to keep data as secure as possible? The first step is to get an understanding of what and where the valuable data is in the organization, Clark and Kula advise. "One of the most common things we run into in organizations is that if you ask the question of 'do you know where your data is?' there isn't anybody who has a good view of that," says Clark.  "The IT departments should know that, but there is now a lot of information that is user-driven. We just see a lot of cases that companies don't know where their most sensitive information is."

Clark and Kula say it's important to prioritize data to get an understanding of the parts of the data infrastructure that are the most sensitive. "Look at your information assets," Clark says. "Number one is focusing on priorities. You want to understand what the risks are and prioritize and focus on the most important things."

Education and skills training are also essential. Clark urges enterprises to join and collaborate with industry associations to share security knowledge and concerns. Training can go a long way in today's economic environment, in which staff are expected to do more with less, Kula observes. "If you think about the economy, with layoffs and cutbacks at the same time incidents are increasing exponentially, people are literally overwhelmed with all of their responsibilities."

Clark and Kula also recommend having contingency plans in place for when incidents happen.

Also, some very simple steps can go a long way as well, such as making sure users change their "administrator" passwords.

This post was originally published on Smartplanet.com