The recent massive and highly publicized data breach of national retailers, coupled with last year’s disclosure of the National Security Agency’s widespread surveillance of the general population, has people thinking about the security of personal information they give out during their daily lives. Businesses of all sizes also need to think about how vulnerable their “personal” information is.
What is a business’s “personal” information?
It is the proprietary information that provides them a competitive edge: strategic plans, financial and profit margin information, new product research and development, engineering drawings for products, and the like.
The last decade has seen a radical shift in how businesses compile, store and access these company-critical informational assets. Technology has made it easier and faster to do more things, and to bring more things with us when we travel.
A smartphone can allow an employee to carry 64 gigabytes of information in their pocket: that’s enough to hold more than 22,000 photos, or more than 128,000 books.
More and more, employees want 24/7 remote access to their work applications so they can carry less when on sales calls, work from home, or travel lighter when meeting with outsourcing vendors. The Internet facilitates transfer of files to strategic partners quickly, cheaply and easily.
But that access and interconnectedness has a cost: cybercrime. The Commission on the Theft of American Intellectual Property has estimated businesses lose up to $300 billion a year as a result of the theft of trade secrets alone.
If a business loses its customers’ personal information, the data breach costs average $188 per stolen record—that adds up fast when one considers the average data breach involves nearly 29,000 records, according to the Ponemon Institute, a nonprofit that conducts independent research on privacy, data protection and information security policy.
Because we generate so much data on electronic devices, and we interact with it more readily, gone are the days when a business can simply silo its information and keep others out.
Nowadays, if someone wants to hack into your system or get copies of your top-secret blueprints, they can do so in ways that were not possible 10 or 20 years ago.
Not just mega-companies
You don’t have to be a mega-company to be at risk. Risks posed to organizations’ operations are not uniform, in part because the technology and means used to gain unauthorized access to electronic data changes rapidly.
Some of the most successful attacks leverage off of the human link, using social engineering to gain access to passwords or harvest small packets of information that, once put together, provide a full copy of sensitive competitive information.
Smartphones can be scanned and pilfered for sensitive information when in Bluetooth or Wi-Fi mode.
American travelers abroad are easy targets for computer theft or tampering to enable copying of sensitive files. As a result, the very tools that virtually every business relies upon daily to operate, and the way employees interact with those tools, introduce risks that threaten the company’s ability to continue to operate.
The response? Cybersecurity.
What is cybersecurity? According to Merriam-Webster’s dictionary, the word cybersecurity was first coined in 1994 and refers to “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”
The federal government is quite concerned about losses sustained by American businesses each year as a result of cyber-crimes, particularly those businesses in critical infrastructure industries like energy, health care or agriculture/food distribution.
That is why, last year, the National Institute of Standards and Technology (NIST) was charged with creating a cybersecurity framework, which it delivered in mid-February (read it at www.nist.gov).
Though some may have feared a new wave of government regulation, the framework does little to add to already existing standards when it comes to the nitty-gritty of securing electronically stored information.
The NIST Framework provides guidance for businesses to identify, protect, detect, respond and recover business-critical information that is susceptible to cyber-attacks and theft—from people within or outside a business. When an organization performs these five core activities, it will gain a high-level, strategic view of how it manages cybersecurity risks.
Using the framework’s tiers and profiles, that knowledge can then be used to identify goals for managing cyber risks, and create a road map to help get the organization there.
By using the framework’s assessment process (identify, protect, detect, respond and recover) and gap-analysis tools, organizations can also better educate their employees and business partners on the importance of cybersecurity and how best to achieve it.
Be proactive
The threat of losing valuable corporate data and competitive information to hackers, internal or external, is too real to take an “it can’t happen to me” approach.
Executives at companies that have been compromised by theft of their competitive information or customer data surely wish they had been better prepared, and they will be in the future. But no one can afford to protect everything from people who are bent on stealing corporate know-how and intellectual assets.
One of the best ways to protect your company is to have your eyes wide open, take an honest look at your business processes, and determine what proactive, affordable steps you can take to better protect your most valuable assets—whether they are drawings, marketing plans, financial information, customer data or proprietary know-how.
