Quick, what do Target, Sony, and Neiman Marcus have in common? Yes, all are globally recognized brands. But lately these companies share a less enviable characteristic: they’ve all experienced large-scale data breaches, resulting in damaged reputations and millions of dollars in costs and forgone revenues.

They aren’t the only ones, of course, and many others will be joining their ranks. Information security breaches are on the rise, according to the Ponemon Institute’s annual cybercrime study. And they are expensive: the average cost of cybercrime in 2013 was $11.56 million for a U.S. company, says Ponemon.

Even an efficiently handled information security incident incurs plenty of “ancillary costs,” says Marcus J. Ranum, chief security officer at Tenable Network Security, a threat management technology provider. Among them are legal bills, compliance fines, and expenses associated with hiring forensic investigators and investing in technology.

Indeed, vendors now offer a variety of applications that can enable companies to prevent, detect, and contain computer intrusions. But there are also three simple steps that finance chiefs and their companies can take to avoid data breaches:

1. Align security with finance. While many information-security managers currently report to the CIO or the CEO, aligning security with finance fortifies the link between security investments and the company’s business objectives. “When key business decisions need to be made, this reporting structure helps ensure management makes well-informed choices to manage business risk,” says Mike Saurbaugh, manager of information security at Corning Federal Credit Union. Finance needs to make sure the security chief has accurate numbers about what a data loss could mean to the bottom line.

2. Prioritize your data. Protecting every bit of data is hardly feasible, which is why CFOs need to rally their C-suite colleagues around the process of instituting a data classification program to rank the company’s most sensitive information in its networks. For instance, in the consumer products industry, the most important assets may be formulas, patents, and manufacturing techniques. In the oil and gas industry, it may include information about exploration and industrial control systems or operational technology. “Data classification is the most important and difficult thing for companies to do,” says Bill Dean, director of security assessments and computer forensics at Sword & Shield Enterprise Security, an information security service provider. That’s because no executive wants to rank his or her department’s data as of lesser importance, says Dean. But the CFO can help them prioritize.

3. Develop and maintain a security policy. Most large companies have acceptable-use policies that outline the ways in which employees may use their networks or systems, and what the penalties for misuse are. But Dean says many companies spend too much time on the penalties and on legal disclaimers that absolve them of responsibility, and not enough time on rules concerning sensitive data. Also, a security policy should include stringent rules about passwords; according to the 2013 Verizon Data Breach Investigations Report, 76% of breaches involve weak or stolen user credentials. It’s also important to educate employees about why the policies are in place and what effect lax security habits could have on them personally, such as the theft of their Social Security numbers.


3 responses to “Three Steps to Data Security”

  1. While these three steps are a good first start, it is possible to protect the data itself, beyond just prioritizing which data is the most sensitive and deserves the most protection. I’m the CEO of security developer Global Velocity; I have seen legacy systems that leave dangerous vulnerabilities in place, and have learned that it’s critical to also protect the actual data. Security solutions should be designed to secure data from the inside out, enabling IT pros to pay attention to where the data is stored, where it’s going, how it’s getting there and by whose actions.

  2. Thanks for the post. Indeed, good suggestions, especially as they refer to data classification and security policies. These control elements are for everyone and not just for high-risk companies and government agencies. CIOs are responsible for data security and therefore for governance and controls. Which brings me to your first suggestion, with which I happen to partially disagree. The “alignment” function of IT and the business is the job of the CIO. For most sectors the CISO should report to the CIO. Only in very specific sectors, such as ISPs, should the CISO be on the board of directors. But in my opinion it would be a mistake to have the CISO report to the CFO, since finance only covers one part of the realm of sensitive information in a company.
