According to Breach Level Index, 4,762,376,968 data records have been lost or stolen since 2013.
That’s 4 Trillion, with a “T.” You know the old saying: A trillion here, a trillion there, and pretty soon we’re talking about a lot of records. And data. And… liability.
In perusing the web and taking stock, as well as talking to my constituents in business and IT, several things become clear:
- Most employees steal proprietary data when quitting or getting fired from an organization.
- Nearly all employees are vulnerable to exploit kits.
- Four out of five breaches go undetected for a week or more. Some take up to a year.
- Just over a third of global organizations feel they are prepared for a sophisticated cyberattack.
- Generally, when an organization is targeted for attack, the attackers need only minutes to bring about a compromise.
- Most organizations lack the means to track and control their most sensitive data.
- Most organizations lack clear security guidelines, policies, and reinforcement through training.
What does the modern organization do? Recognize that everything begins and ends with human beings, whether you are a large global conglomerate, a medium business, a small business, a charitable non-profit, or a government agency... include sole proprietorships here, naturally. Everyone in the modern organization needs to be a Security Officer these days. What does that mean? It means that it is time for each person to know that every action must be viewed through the prism of security, and activity must be conducted in accordance with defined, attendant values and standards.
Consider just two incidents to show the vast range of targeting. The Office of Personnel Management (OPM) was attacked, with a subsequent breach of records pertaining to 22 million current and former federal employees. (Full disclosure: I’m a former federal employee: I hope I’m not vulnerable here). This hack was undetected for nearly a year (343 days). The stolen records include workers who are classified employees, with highly sensitive jobs in law enforcement and intelligence.
To swing to a divergent example, Ashley Madison had 37 million customer records exposed, and the attackers announced it to members on-screen upon login. Leaked was personal information of customers who were seeking extra-marital affairs with other married persons. Everything you can imagine in between these two examples is ripe for exploitation.
It’s easy enough to gauge the general extent of the problem: Just Google “data breach,” “data theft,” etc. But that’s only what is known: The vast number of data incidents are hushed. Today, the organization must value security: it must train to, and perform to, specific security standards that directly match the organization’s business, environment, risk, and related needs – actually in excess of those – since risk is escalating all the time.
Security must occupy a priority in new employee orientation, with updated refresher trainings, internal organizational newsletters, and coverage in various meetings and internal forums. Security consciousness and performance become a rated area for every supervisor’s evaluation of every employee during the appraisal process – from those in governance to each intern, and everyone in between.
Be aware that data security is not the sole province of IT. It is the province of the organization. Who owns the data? The organization does. IT most definitely can help to select, size, maintain and progress security systems – in the technical sense. IT can also train people for security awareness and best practices; IT can modify and sustain the appropriate behaviors. But it really needs to be the organization and the business stakeholders that secure the business, as they oversee all staff, users and IT alike. They do this by helping to measure and approve budgets, policies, and staff readiness. And the organization must be intelligent enough and informed enough to oversee IT and the related security measures.
After all, keep in mind that most breaches are due to human error.
Any organization will get it soon enough: preparedness and prevention guard against damage to the organization’s number one asset: its reputation.
As a lasting thought, remember this: In the realm of risk, unmanaged possibilities become probabilities. Start thinking about risk and liabilities, speak with your subordinates and supervisory chain, and get security on the agenda in a serious way before something dire happens in your organization. Research and educate yourself on all manner of data breaches and how they occurred – then survey your job, your activities, and your place of work for risk. Make suggestions and inspire or take appropriate action depending on your place in the organization.