According to the Enterprise Strategy Group (“Transitioning to an Information Infrastructure,” June 2007), “While it is not found on a balance sheet, information is quickly becoming a leverageable corporate asset that has both value and risk implications.”
Most enterprises seem to have a good handle on leveraging the value side of information, because that’s what they do. They gather information and use it to make money. Typically, however, not nearly as many resources or as much effort go into protecting that information. It’s not that your typical large enterprise doesn’t do anything to protect its data; it’s just that it doesn’t do enough. And if something bad happens to that data, an apology just isn’t going to cut it.
This problem literally affects everyone. How many times have you filled out a form online, or opened an account down at your local bank, only to find yourself cringing a little when the bank officer cheerfully asks for your “social”? I know I always give it to them without arguing, but what I really want to ask them is what they are going to do to protect it and all the other personal information I’m freely handing them.
I know that if I did ask the question, they would all have a ready, and soothing, answer. I’m sure at least one of the Titanic’s passengers walking up the gangplank asked a crew member if the ship was really unsinkable. The answer would have been a firm, reassuring yes, but, sadly, it wasn’t the real answer.
I’m sure that every responsible enterprise today believes that they are adequately protecting the sensitive and confidential data they have been entrusted with. Well, the truth is – they are not.
Take a look at DataLossDB.org. This site tells the true tale of documented and reported data loss incidents worldwide. Let’s just say, I was astounded at the enormity of the problem.
Big companies. Lots of data. Big problems. Did anyone get so much as an apology? And who is impacted by these security breaches? Everyone. Businesses. Customers. Employees. Suppliers. That’s where it gets personal.
I speak from experience because my personal information was compromised in 2006 when Fidelity Investments lost a laptop containing the personal information of 196,000 retirees and former employees. Yes, I was among them. According to Computerworld, that theft may have exposed such information as names, Social Security numbers and compensation details.
According to a survey conducted by the Ponemon Institute, of 700 US-based, C-level executives, managers and IT security officers in mid-size to large-size businesses, organizations that experienced a data breach incurred the following costs:
- 74% report loss of customers
- 59% faced potential litigation
- 33% faced potential fines
- 32% experienced a decline in share value
The Ponemon Institute conducted another study on the cost of a security breach and found that companies spend almost $200 per name breached. They also found that the money is spent on, among other things, lawyers, private investigators, forensic experts, credit bureaus and insurance companies.
I have no idea if the incident back in 2006 cost Fidelity $39M (I called to check, but unfortunately Fidelity is a private company). Though, I do remember getting a free year membership to Equifax and a form letter of apology. I wouldn’t have traded my personal data for those things, but at least they were sorry.
My personal ordeal, of course, raises the larger question. With the cost of a breach so high – why are there so many breaches? I am guessing it is because it is difficult for those responsible (yes, us managers) to effectively build the business case for providing adequate controls for our information.
A recent article on CIO.com (“Myth or Truism? Security Experts Judge,” November 10, 2008) asked several experts whether it is possible to measure the Return on Investment (ROI) for security.
It’s an interesting question. How do you effectively measure the return of:
- Ensuring that information is only accessible to the right people?
- Ensuring that information is only used in a legitimate business context?
- Ensuring that information does not inadvertently “leak out” of the corporation?
One of the experts in the CIO article is quoted as saying: “Prevention of a possible loss isn’t a gain, otherwise I’d be rich from not betting on the lottery!” That’s funny, but there are a lot of people who would have been much richer if they hadn’t invested in the stock or housing market. It’s exactly that kind of arrogant attitude that keeps enterprises from taking the action they need to protect my data and yours.
As I think about it, protecting information I’ve been entrusted with is simply a cost of doing business. I would not think twice about the need to install locks on my doors or deploy sophisticated network security. Neither should I think twice about the need to protect my information to ensure that my customers, my suppliers, my employees and my company’s business interests are properly protected.
How do you protect your information? Where do you start? Companies that are serious about protecting their information must:
- Make Information Management a business strategy. It cannot be treated as another IT department issue.
- Identify and classify all Sensitive Data. You need to know what you have and where you have it in order to protect it.
- Develop policies that ensure that the right people have access to the information and that the information is used in the proper business context.
- Incorporate effective technology to automate these processes to keep your information safe.
Remember, being sorry is no substitute for making the right decisions.
Doug Levitt is the Senior Director of Product Marketing at Abrevity. Doug is responsible for Product Management and Product Strategy. Doug brings more than 20 years of software and high technology experience. He has a proven record of developing high quality products that exceed customer expectations.