Information and data are critical to gaining a competitive advantage in today’s marketplace.
As a result, businesses are increasingly subject to costly information theft and data loss.
These thefts disrupt operations, lead to the direct loss of critical information assets, and expose businesses to costly lawsuits and investigations.
Businesses can best face these challenges with a well-planned portfolio of administrative, technical and physical safeguards to protect information assets.
Every Business Has Information Risk
The news headlines would suggest that only the largest companies experience data breaches.
But the reality is that every single business is at risk for information loss. In fact, as many as 90 to 95 percent of data breaches occur at businesses with 1,000 or fewer employees.
Businesses are not immune from information theft just because they are in a particular sector. About 15 percent of all data breaches affect retail and consumer businesses.
About 25 percent of breaches affect the financial sector, and about 12 percent have affected manufacturing and logistics.
The remainder, almost one-third of all data breaches, affect information services and professional services firms.
The threats to information assets are also varied. Cyber-attacks, including hacking, have caused approximately 30 percent of all data breaches, while 10 percent of data breaches are caused by intentional insider theft of corporate information assets.
Businesses also face substantial exposure from data breaches caused by simple mistakes and negligence.
The second most common cause of data breaches, after cyber-attacks, is vendors and other third parties with access to corporate IT systems.
Negligent employees and misplaced electronic storage devices (such as laptops and flash drives) are also the cause of significant numbers of data breaches annually.
No organization, no matter how large or small, is immune to costly information theft and data loss. The challenge is how to assign effectively the limited resources available to counter the threat of data breach and information loss.
Diversifying Your Security Portfolio: A Critical Asset Protection Plan
As with any effective risk management program, businesses can make the most of their resources by taking a portfolio approach to information risk management.
In a traditional investment portfolio, investors cannot predict how the market will move and therefore manage risk by diversifying into investments whose strengths and weaknesses balance one another.
Information management can be approached similarly, employing a range of strategies so that each strategy's strengths cover the others' weaknesses.
Although information security is often treated as a technology problem, technology alone will not solve it; poorly chosen technology can in fact create new problems.
An effective information security portfolio instead starts with identifying the information most valuable to the business, and then engaging the employees using that information.
Next, invest in the policies that will protect the information without compromising operational efficiency.
Technology should be deployed only at the end, and then to mitigate the risks that employees and administrative policies alone cannot.
Your Risk Profile: Identify Critical Information Assets
Everything begins with identifying what information assets are critical to the business.
A critical information asset is information that, if lost, damaged or stolen, would cause irreparable harm to the business.
For some businesses, critical information assets are formulas, proprietary designs, and other product information that gives the business its competitive advantage.
In other businesses, these assets may be marketing strategies or pricing models.
For others it will be customer payment information or other regulated information which, if compromised, would create liability and destroy your brand and reputation.
The essential question to ask when identifying critical information assets is what the business's exposure would be if the information were compromised or stolen.
This includes an assessment of the impact on revenue and income, operations, legal liability and regulatory risk, and indirect costs such as brand reputation.
Buy and Hold: Engage the Employees Most Engaged With Your Information
One of the best hedges against information risk is another critical asset: the employees who use the information on a daily basis.
The employees who use the information on a regular basis are best able to identify both vulnerabilities and how operations will be impacted by proposed security measures.
They are also essential to implementing whatever security plan is developed. Therefore, engage these employees immediately and consistently throughout the process in order to develop a security plan that is effective and compatible with innovation and the business’s culture.
Diversify Your Portfolio: Policies & Procedures
Policies and processes that control the use of each critical information asset are the next element in a diversified security plan.
The policies must be realistic and enforceable, but they must also take into account how the information adds value to the business's operations.
Policies should define the community accessing the information, the channels in which the information can move, and the content that is subject to the policy.
For example, a policy protecting proprietary product designs may limit access only to the design team, restrict the designs’ transmission to only internal corporate email, and apply to specific file types but exempt others.
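As an added illustration (not code from the original article), the three policy dimensions above, community, channels and content, can be encoded as data and evaluated per transfer. The policy values, group names and file types below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One critical-asset policy: who may access it, where it may move, what it covers."""
    name: str
    community: frozenset   # groups allowed to access the asset
    channels: frozenset    # channels the asset may travel through
    file_types: frozenset  # extensions the policy covers; any other type is exempt


@dataclass(frozen=True)
class Transfer:
    """An attempted movement of a file, as a monitoring tool would see it."""
    user_groups: frozenset
    channel: str
    filename: str


# Constructed example matching the article: designs stay with the design team,
# move only over internal email, and only the listed file types are covered.
DESIGN_POLICY = Policy(
    name="proprietary-designs",
    community=frozenset({"design-team"}),
    channels=frozenset({"internal-email"}),
    file_types=frozenset({"cad", "dwg", "step"}),
)


def file_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def evaluate(policy: Policy, transfer: Transfer) -> tuple[str, str]:
    """Return (decision, reason). Content is checked first because an exempt
    file type takes the transfer out of the policy's scope entirely; that
    exemption is exactly where a leaked export (e.g. a PDF of a drawing)
    would slip through, so exemptions deserve review when the policy is written."""
    if file_extension(transfer.filename) not in policy.file_types:
        return "allow", "file type exempt from policy " + policy.name
    if not transfer.user_groups & policy.community:
        return "block", "user is outside the policy community"
    if transfer.channel not in policy.channels:
        return "block", "channel '%s' is not permitted" % transfer.channel
    return "allow", "within community and over a permitted channel"
```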
Rebalance Your Portfolio Automatically: The Role of Technology
Technology should be the final element in the critical information asset protection plan. Technology can police the threats that your employees and policies cannot.
Too often, information security begins with purchasing too much technology that is too expensive and too detailed. This can leave the business awash in technical reports that bury, rather than reveal, information about real threats.
Adding technology later in the security plan allows limited resources to be used where they will add the most value.
Small and mid-sized businesses are as vulnerable to a data breach or other catastrophic information loss as large companies, if not more so.
Protecting business information assets can be accomplished with a diversified approach that deploys resources strategically and does not compromise innovation and operations.
The key is to focus on the people and processes most relevant to those information assets, and employ technology wisely to reinforce your plan.