Most organisations have a pretty good sense of the potential fallout from security breaches. However, the truth is that data breaches are growing in number, and the financial cost is growing too. The average cost of data breach has nearly doubled in the past five years, from $6.46 million in 2010 to $12.9 million today*.
Stuart Mills, regional director, ANZ, CenturyLink, said, “The costs aren’t just monetary. Organisations must understand the other risks including damage to reputation and leaked intellectual property. Customers and users place an enormous amount of trust in the companies with whom they do business. A single breach can damage that trust forever. And, if intellectual property is leaked it could sound the death knell for any organisation.”
“Today, security isn’t just about basic monitoring services. Companies have far more to consider than they once did, particularly because of the rise of new technologies and business-use scenarios, like cloud and BYOD. Instead, security is a holistic approach to protection, prevention, and response, and it needs to encompass all aspects of technology.”
What organisations should consider when implementing, updating, and enforcing their security policy:
1. External threats: The sheer number of external threats is growing, and there’s absolutely nothing we can do about it, other than maintaining constant vigilance through a security policy that is constantly updated and enforced. The speed at which threats are increasing is exponential. For instance, there are millions of malware variations that enterprises must defend against, but it’s difficult for signature-based malware to keep up.
There are more distributed denial-of-services (DDoS) attacks than ever before, and they vary widely; they can be highly targeted or generic, long in duration or short. And they mutate; there’s a new breed of DDoS attacks that use Web servers as payload carrying bots, which makes them even more damaging because of exponential performance increases.
And then there are application attacks, often targeted at financial systems, which can bring a company to its knees. What’s even more problematic is that most organisations have already been breached—they just don’t know about it.
2. Internal threats: Employees often leak data because security policies are not enforced. External threats are real and dangerous. But internal threats can be just as common and just as damaging. Internal threats are often inadvertent, stemming from a lack of oversight as well as from disgruntled employees who leak sensitive data right after they’re fired.
3. Untrained staff: When it comes to security, one key oversight is lack of training. It’s imperative that employees know what the security policies are, all the way from what devices they can use to what applications they can download.
4. Shadow IT: More organisations are struggling with shadow IT, which is the use of hardware or software that is not supported or authorised by an organisation’s IT department. Shadow IT can range from developers using various Software-as-a-Service (SaaS) platforms to employees storing corporate data in cloud storage solutions like Dropbox or Google Drive. These solutions seem innocuous to most people, which is why employees need to receive comprehensive training about what is a security risk and what isn’t.
5. Compliance: If your organisation isn’t compliant, it’s unlikely to be secure. Consider whether the organisation would pass a compliance audit for security and Payment Card Industry (PCI). Complicating matters is the fact that many organisations don’t even know that governmental compliance regulations apply to them.
6. The right partners: More organisations are choosing to outsource security operations. But when it comes to outsourcing security, it’s truly a buyer beware scenario. The first step is to understand exactly what needs protection including devices, network, applications, and data. Then, determine which components of these are being outsourced. The second step is to choose the right partner or partners for those specific needs. Keep in mind that the more vendors are consolidated, the more efficient the strategy will be. Make no mistake, security is expensive. Not having security is even more expensive. But part of choosing the right partner comes down to understanding the balance between performance and cost. Choose a vendor who can help make the right decisions around balancing performance, effectiveness and cost.
7. Physical security: Physical security is the protection of people, hardware, programs, networks and data from any damage that might occur. If your physical system isn’t secure, nothing else matters. Yet physical security is one of the most overlooked aspects of a security strategy. The physical management of data centres includes security policies and procedures, security officer staffing, access control systems, video surveillance systems, standards compliance and physical security designs. Make sure the data centre complies with standards and conduct annual audits.
*Business Data Breaches Get More Expensive Each Year: The State of Enterprise Security.” Enterprise Apps Tech News. N.p., n.d. Web. 24 Mar. 2015.” Disaster Recovery Statistics. N.p., n.d. Web. 27 Mar. 2015. http://www.appstechnews.com
CenturyLink is a global communications, hosting, cloud and IT services company enabling millions of customers to transform their businesses and their lives through innovative technology solutions. CenturyLink offers network and data systems management, Big Data analytics and IT consulting, and operates more than 55 data centres in North America, Europe and Asia. The company provides broadband, voice, video, data and managed services over a robust 250,000-route-mile U.S. fibre network and a 300,000-route-mile international transport network. Visit CenturyLink for more information.