It says something about our society when we've become so immune to news of another major data breach that we just shrug our shoulders and barely act surprised. Yet, the consequences of data breaches can be devastating to both the consumer as well as the business. According to the "Ponemon Institute 2014 Cost of Data Breach Study: Global Analysis", the average cost to a company for a data breach in 2013 was $3.5 million, with a $201 average cost paid for each stolen or lost record in the US.
Interestingly, malicious or criminal attacks accounted for only 42 percent, less than half, of all data breaches. The balance was due to human error or system glitches.
While larger corporations have the ability to withstand the cost of data breaches because of insurance or their cash on hand, smaller companies aren't so lucky. According to the Insurance Information Institute, about 40 percent of small business owners do not have any insurance. Would your business be able to withstand the high legal bills if disgruntled victims of a hack sued you, even if you were found not guilty? What if your intellectual property or source code was stolen?
As the saying goes, an ounce of prevention is worth a pound of cure. So it is with security. The best security is one that is multi-layered so that if one aspect fails, the entire system isn't compromised.
First, conduct a thorough audit of your existing security infrastructure and policies. The smaller the business, the less likely there are formal structures in place. But this does not reduce the importance of identifying weaknesses. Beyond just IT systems or software, it is critical to also map the flow of customer data within the organization. Identify the key systems, stakeholders and types of sensitive data that your employees deal with, whether it is customer financial information, passwords, images, legal documents or health care information.
Second, ensure that third-party vendors are carefully scrutinized. The Target breach was in large part due to a vulnerability in a third-party provider, in this case a heating and air conditioning subcontractor. Require that any touchpoints or transfers of sensitive information involving third parties be made transparent. Consider seeking legal counsel regarding indemnity clauses or other forms of protection with your partners.
Third, with the bevy of rules and regulations in each industry, it is important to understand the difference between "compliant" and "certified". Again, using Target as an example, it was PCI DSS compliant. That didn't do a thing to stop its massive data breach. "Compliance" sounds official but often doesn't mean much when it comes to actual security. Being PCI Level 1 "certified" is a much more stringent (and expensive) process, so finding vendors who are certified means you can be more confident in your security protocols.
Fourth, be careful when utilizing newer technology for sharing and collaboration. Google Docs might be a godsend for remote team collaboration and document sharing, but know that the information within is scanned by Google for its advertising. Information stored in the cloud with "free" services generally raises security concerns. Popular file sharing services are frequently in the news because of data breaches and hacks. Look for a vendor that specializes in security, ideally one using newer technology such as MicroTokenization to protect data. Also, read the fine print. The terms and conditions of many popular file sharing services explicitly state that they are not HIPAA-compliant or certified for other standards. Keep this in mind if your particular industry requires adherence to these types of regulations.
While the threat of security breaches can be sobering, taking a few simple steps proactively can help mitigate the threat and swing the odds in your favor, no matter the size of your business.
Steven R. Russo is Executive Vice President at Secure Cloud Systems, whose mission is protecting the world one "byte" at a time. CertainSafe file sharing is the award-winning flagship product for SCS, utilizing proprietary MicroTokenization technology to make information virtually unhackable. Learn more at https://www.certainsafe.com.