So Many Breaches…What’s Being Done?
It seems that every day we’re hearing news of a new vulnerability or breach that is compromising data. Will this ever end? Unfortunately, no – it’s the nature of security. Attackers will always try to acquire sensitive information, increasingly for financial gain.
Many information security professionals are working behind the scenes to protect this data, but their efforts are hindered when they lack the budget needed to implement sound policies and procedures. Funding is hard to obtain from senior management when it isn’t tied to a direct ROI. However, doing nothing is not an option. As recent news of major retail breaches has shown, management and corporate boards are no longer immune to the consequences of poor oversight: they will be held accountable for their decisions, and in some cases will lose their jobs or could even face prison time for negligence.
All organizations have a responsibility to their clients to do everything they can to secure information. That responsibility will only grow as institutions gather ever more data.
So, what can be done to protect against and mitigate the damage caused by information exploitation?
Organizations must first fully understand the issue, and the first step is a risk assessment of the business: what data and systems are critical, who would want to compromise them, how likely that is and what it would cost. Information classification and control help by assigning responsibility and oversight for each class of data, but this alone is not enough. Organizations must also invest in the people needed to manage these functions. Every organization’s environment is different, so it is essential to understand the issues, the organization, and the business application of its critical assets, and most importantly to know which people are dedicated to protecting that information.
We must be willing to invest the resources needed to properly protect this data. Legislation may eventually be required, but before we look to the federal government or the state houses for guidance, we need to increase the amount of money being spent on these efforts. Organizations have a fiduciary duty to their clients, employees and stakeholders to protect their information.
How do we do this?
By justifying these efforts to the holders of the purse strings and documenting the decisions management makes. When organizations act transparently and the parties involved are held accountable for the outcomes, individuals have more at stake, and that liability can push change forward. Over time these efforts will raise the level of data protection organizations employ and, in turn, reduce the amount of information that is exploited.