Data security is one of the most talked about, yet least understood, areas of risk management. Unfortunately, far too many companies spend most of their time and energy in the wrong areas, leaving the organization open to massive legal exposure. The risk of a data breach is quite real. Hundreds of examples have been publicized since 2005, exposing more than 90 million private records — not surprising in an age where enormous amounts of data can easily be carried on miniscule USB drives.
If you think data protection isn’t an issue for you, think again. Privacy regulation is no longer simply the concern of hospitals and retailers, nor is identity theft a problem only for consumers. Negligent treatment of employee information can now result in significant fines and/or litigation, upping the ante considerably.
Even worse, most business insurance specifically excludes data breaches from coverage, leaving the company completely exposed should a breach occur.
Maybe you think this is not a problem because you have a great firewall. Wrong again. The FBI and Secret Service estimate that up to 80 percent of data breaches can be traced to insiders, who may act knowingly or unknowingly, indicating that the traditional focus on firewalls is misguided. Most IT organizations spend 80 percent of their data security budget protecting against external threats, completely failing to address the biggest source of risk.
Operational versus organizational risk
So where are the “right” places to focus attention and budget? The answer lies in understanding the difference between operational risk and organizational risk. Operational risk is the traditional focus: keeping data from being hacked or misused, building “big walls.”
Organizational risk takes a top-down approach to security, including legal ramifications related to a data breach. This includes litigation, bad media exposure and potential long term financial losses. Here is the real risk. This is the elephant in the room for companies who continue to view data security as an IT responsibility, rather than a C-suite business issue.
To illustrate the importance of organizational risk, think about the importance of building a recognized and respected brand. If you are like most companies, you have spent your entire history, not to mention tremendous sales and marketing dollars, trying to build a reputation with your customers. Each time a data privacy issue is exposed, negative press not only can, but will follow. The company may incur fines and regulatory penalties. Studies have demonstrated that publicly traded companies involved in negative media coverage regarding a data breach register a decline in market capitalization of up to 24 percent for at least a year.
The good news is that while the risks are both real and growing, improving your defensive stance can be quick, if not easy. The key to successfully addressing data security risk comes down to changing your perspective, looking at the business problems, rather than simply the “IT” problems.
Develop a data security plan
The first step is to have a written data security plan in place. This is critical for a legal defense, but an amazing number of growing companies have never taken the time to produce a plan. When developing a data security plan, take the time to think about the full scope of digital assets, including customer data, sensitive employee information and corporate proprietary data. Then consider the governance structure surrounding this data. Are processes and procedures clearly defined and communicated? If the staff that you have managing this area has been “learning as they go,” this is a good time to bring in a security expert for a few days to make sure you address any weaknesses.
Even more importantly in today’s litigious environment, have employees received written communication regarding data security policies and procedures? Developing and implementing a thorough and ongoing program will vastly improve the organization’s level of risk in this area. Remember, every member of your organization is part of your security team.
Smart organizations take it to the next level by defining an oversight function for governance of the new plan. The oversight committee is responsible for aligning risk management planning and turning it into policies that can be implemented. Ideally, there is at least one security expert on the oversight committee. This group also tracks changes in assets and vulnerabilities, updating the plan and procedures as necessary.
The next time you see a headline about a breach, which shouldn’t take long, read the article. I think you will see what I mean about organizational risk and focusing on the business issues rather than only on the technology issues.
Bill Huber is a Regional Practice Leader for Tatum LLC and head of Tatum’s National Risk Management Solution Team. Tatum is the nation’s largest executive services firm, providing financial and technology leadership nationwide.