An ever-growing percentage of computer crimes is being committed by professional “criminals” who steal market-valued sensitive data, e.g. credit card data and customer identities. Sometimes the criminals are inside an enterprise; sometimes insiders and outsiders work together to steal and resell valuable company data, as we’ve seen recently in reports on call centre fraudsters in India and Scotland.
Corporate executives, for the most part, continue to be more “reactive” than “proactive” when it comes to securing critical corporate and customer data. When security breaches such as those of ChoicePoint, Bank of America and AOL make headlines, the mandate “keep us out of the press” is handed down to security managers. The mandate frequently carries no additional budget to deliver the security that is required for the task at hand.
The cost of security breaches has, for years, been calculated based on the direct cost of remediation. However, the classic models for determining the appropriate level of security spending were developed before companies had to publish press releases whenever they suffered a security breach. As industry regulations and laws become ever more explicit about best-practice security procedures, so do the potential liabilities. We must also factor in damage to company brands, declines in stock price, and customer loss (along with the legal and notification costs). All of this means that adequate funding for data security measures becomes a recognised cost of doing business.
Even as more companies develop increasingly detailed security policies and hire compliance officers, security managers continue to report that regulations and security policies are not translating into behavioural change. If anything, security managers report only sporadic enforcement of security policies and growing confusion about who owns the data protection problem in some larger enterprises. In some organisations, many different departments and teams each own some part of the data security/privacy problem, which makes it difficult to reach decisions and to deploy technology and process change.
It is time to acknowledge that security policies and technology alone, without “buy-in” from staff and enforcement by management, will not meet the needs of regulatory compliance or of the safety of customer, partner and employee information. Security tools will play their role in securing sensitive data from its acquisition by the enterprise through to its storage and deletion. However, it remains the task of management to make real-world assessments of the risks to data, of how those risks are best mitigated, and of how these assessment decisions are promulgated and enforced throughout the enterprise. But ultimately, as I see it, the real challenge is in establishing a genuine “culture of security” in which staff and management view their data resources as central to the health and success of their organisation.