“Mind the gap” is a phrase many have heard as they navigate the London Underground. Those in the UK know it to mean “mind the gap between the platform and tube trains,” but those in the U.S. should take it in a different way.
According to Massachusetts-based IT security firm BitSight Technologies, there is a very real perception gap between how secure organizations believe themselves to be and how secure they actually are. This gap creates a false sense of security. While organizations can cling to their “security blankets” as long as they want, the imminent threat of a data breach looms nearby. What will it take to change the game and thwart a disastrous data breach? Awareness, acceptance and adoption.
Awareness
While BitSight’s CTO Stephen Boyer believes that organizations want to improve upon their security measures, but oftentimes lack the data to drive improvements, we believe a deeper level of awareness is needed. Here are two important data points to be aware of now:
- Nearly 75 percent of security breaches come from within a business’ own network.
- 25 percent of employees would sell company data, risking both their jobs and criminal convictions, for less than $8,000.
Those are hard numbers to ignore, especially when the cost of your company’s data in the hands of employees comes at a staggering low price. Here’s another data point to note: The Identity Theft Resource Center reported on a total of 435 data breaches exposing more than 135,000,000 records to date this year. With five months left in the year, this is on track to surpass last year’s record high of 783 breaches. It’s clear – the number of data breaches continues to rise year over year, yet if many organizations still believe themselves to be secure, shouldn’t that number be on a downward trend? As Boyer states, it goes to show how important it is to address the perception gap.
The healthcare industry in particular is taking an ostrich’s approach to the threat with 35 percent of the data breaches this year occurring in this sector, second only to the business sector. According to Experian, the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually. That’s a steep price to pay for an issue that can easily be avoided by first accepting that your organization is not as secure as you believe and next deploying the right solutions to arm yourself against internal and external threats.
Acceptance
Once an organization is aware of the possibility of a threat, they must accept the potentiality of risk and identify their weaknesses. Sometimes the biggest threat to an organization is the person sitting in the cube across from you, much like we found in our recent Insider Threat survey. By running a risk analysis or security audit, you can gather data on any vulnerabilities that pose a threat to sensitive and confidential company information, whether they come from within your organization or externally. While one of the security perception disconnects found by BitSight was measurement and the inability to unearth these holes because of lack of data, organizations will come to find that focusing on two things – the data you have control over and the security measures you have already put in place – is ample enough information to take the next step.
Founder and CEO of Tresorit, Istvan Lam, advises you to ask yourself: “What is the most sensitive, confidential data that our business holds, how is it handled, and who has access to it?” You can then create a spreadsheet matching data types and services to the employees and business associates who can access them. He further stresses to make sure to include the two most sensitive types of data: customer information and intellectual property. From there, document the current protections in place for web security, email security, etc. and map out what still needs to be set up. Both of these tactics should be relatively easy to accomplish and will probably reveal more holes than you think. But then what?
Adoption
Boyer said, “The best organizations at IT security are those that excel at the basics.” So it’s back to the basics we go. Make sure to adopt security solutions that not only align with your existing business solutions but address the elemental needs that ensure a secure organization. One such need is a proactive approach to critical information protection. By deploying a solution that prevents sensitive data from inadvertently being shared outside or within an organization, as well as mitigating inbound targeted attacks, you are allowing your organization’s communication to continue unhindered and avoiding the delay of valid business communications.
Once you have adopted the right technologies, you will need to walk your employees through the three stages of awareness, acceptance and adoption, as well. This will educate those who are on the front lines on the risks posed by themselves and malicious outsider threats. In fact, our recent Enemy Within survey found that 48 percent of organizations believe educating users about the dangers is important in managing their IT security threats. Don’t stop the learning process at the top. Funnel the information down throughout your organization. This will get us closer to not only minding the gap, but closing the gap completely.
To prepare and protect your company against a data breach, we will be taking a look at insider threats over the next few months. Check back on our blog for new research and resources that will provide your company with essential insider threat intelligence.