When Queensland Police took the unusual step of issuing a warning to businesses about IT security recently, there was a collective shudder among IT professionals. In this instance, systems had been hacked and the family of a staff member had been targeted, a seemingly new tactic. A large ransom was paid in Bitcoin, a currency notoriously hard to trace.
While not every breach makes headlines, PWC research showed there were 42.8 million security incidents globally in 2014, a huge 48% increase over the previous year. These incidents can potentially be incredibly expensive, and the response from the business involved largely determines the ultimate cost.
Of course, the ideal scenario is not to have any security breaches, ever. Still, the ‘what if’ scenarios are an important discussion to have beyond the IT department. After all, if even the US Department of Homeland Security, with its immense resources, can be hacked, it doesn’t hurt to have a contingency plan. The right plan and systems in place not only make you a far less attractive target in the first place; they also prepare you to deal with problems swiftly and far more safely.
So why are there so many incidents? A squeeze on information security budgets was noted in the PWC study, but that was far from the only challenge. Employees and trusted third parties are among the key culprits, whether intentionally or otherwise, and many organisations lack processes to deal with such incidents. Of course, even when your own systems are generally secure, if the third parties you do business with do not match that attention, there is potential for compromise. For this reason, we can expect organisations to follow the lead of major financial brands like Visa and increase their compliance demands on partners.
Fortunately, most businesses don’t attract the same level of attention as Homeland Security, but targets like customer, financial and employee data certainly carry significant value. It isn’t all doom and gloom though. Mobile device security has improved, risk awareness among non-IT business leaders has increased, and larger organisations at least are getting better at collaborating on security issues. Notably, while the overall cost of data security incidents has increased, those who’ve made and tested plans have fared far better than those with limited plans in place.
Our security experts work with many organisations to increase their resilience. They recommend externally tested, regularly reviewed security plans and procedures. This should involve not only the IT team but also managers from other disciplines including finance, HR, public relations, customer relations and legal. Compliance can and should be assessed as part of each review, to make sure legal standards are met and third-party risks are considered.