Who would be surprised to see their house collapse if it were built on sand? Yet this is what many companies do when it comes to protecting their information. They stock up on technologies without really knowing what needs protecting.
This depressing situation can be due to two things: the environment outside the organisation, and internal causes. When it comes to the former, we can note that:
- The explosion in the volume of data being processed makes it increasingly unrealistic to hope to protect such a gigantic store of information, and we don’t even necessarily know where it is being stored.
- Mobility – much loved by users – makes the area that needs protecting extremely vague.
- Lastly, the exponential increase in demands for compliance means that it has become almost impossible not to get lost in a maze of legal text and regulatory constraints.
As for the internal causes, you can sum them up in just one phrase: "Business just wants to do business". For those responsible for security, involving the different lines of business in an information security project is a battle. And don’t even think about trying to do it alone…
Data is the new oil of the digital economy
These days, nothing (or next to nothing) can be done without IT. It’s therefore up to CISOs and CIOs to adopt less technical, more business-focused language. Below are some examples that should speak to CEOs, CMOs and other CTOs or COOs:
If your company is faced with a massive loss of data, this really complicates things for your business. The media coverage that accompanies this kind of incident is not something you look for to improve your image. And if the company manages the crisis poorly, the damage can be significant and the effects long lasting.
Data theft is not a victimless crime. If your client believes your organisation has some responsibility for the loss of personal information, there’s a good chance they’ll be turning to your competitors. Given the hard work it takes to acquire and keep a client, I will bet that your marketing manager and colleagues in sales won’t want to see them leave for greener pastures. This raises questions like “Are we sufficiently protecting our credit card data or user names of our clients?”, “Do we collect (store) more information than we really need?” or even “Is our policy for data respect and confidentiality consistent with how our applications really work?” In this Age of the customer (as some e-marketing specialists call it), keeping hold of market share has become a business issue as important as acquiring it in the first place.
Companies invest thousands – even millions – of francs to protect themselves from outside attacks, but rely on hope and faith when it comes to dealing with internal threats! The proof of this lies in the fact that, often, the only security measure for protecting data from internal fraud is a charter or regulation on the use of IT tools. Not everyone is a saint! There is demand for plans, designs, or any other intellectual property, and some employees won’t hesitate to take advantage of this.
Wanting to protect everything has become unrealistic. Strengthening security in a uniform way increases the risk of paralysing the company, increasing costs, and strongly demotivating staff.
Therefore, it is necessary to adopt a targeted strategy for reducing risks, limiting the highly secure area to what is absolutely necessary. However, to do this, you need to be aware of what the information assets of the company really are.