by Paul Rudo on 03/10/11 at 4:56 pm
Obtaining a budget for information security can often be difficult, since a good security plan will require constant long-term funding while providing almost no immediate benefits to the company. (When you buy a fire extinguisher, you hope you’ll never need to use it.)
When there are so many other immediate fires to put out, it can sometimes be difficult to illustrate the urgency of establishing a strong data protection and information security plan. And part of this has to do with the fact that the threats associated with data breaches are often poorly understood.
Below, I’ve listed 6 possible business risks, any one of which could potentially destroy a company overnight.
The growth of Web 2.0 has completely changed the way companies operate, and forced organizations to become much more open. There is no longer such a thing as “off the record”. Business executives need to be very careful about every word they speak or write… and who they share information with.
Wal-Mart learned this the hard way, when the New York Times obtained and published an internal memo discussing their predatory and unethical hiring and human resources practices. And of course, we’ve all heard about the great work WikiLeaks is currently doing, allegedly thanks to the help of Bradley Manning.
Fraud and Theft
Unauthorized access to corporate information can allow criminals to directly or indirectly steal from a company or its customers. In 2007, hackers managed to steal nearly 50 million credit cards from the databases of TJ Maxx.
If a hacker gains control of internal business systems, they can also use this information to get other employees to misappropriate funds to them. In fact, many cases of business fraud depend on a criminal having insider information about the victim company.
Digital vandalism is another popular way for people to cause damage using unauthorized corporate information.
Well-known hacker group Anonymous has built a reputation by attacking and destroying web sites of organizations whose politics they disagree with.
Vandalism can also take place when an attacker or internal employee intentionally plants false information into business systems or takes actions to threaten the integrity of critical business data.
Vandalism is particularly common on public Internet forums, surveys and applications, where large groups will attempt to overwhelm a community with false information. It’s also common for hackers to gain access to private Twitter and Facebook accounts in order to make false posts on the user’s behalf.
When systems become unavailable, the company grinds to a halt. Money stops coming in and employees stop being productive. Although a few hours of lost revenue might not seem like a big deal, it can become extremely expensive as long-time customers begin evaluating competitor services. Also, a few hours of downtime can put you in violation of contracts which may be in place with suppliers, clients and partners.
There are a number of regulations – including HIPAA, SOX404, and others – which strictly regulate how you can use your electronic business documents and private customer information. If you fall out of compliance with these regulations due to a data breach, you could face heavy fines and a badly damaged reputation. And if the data breach caused harm to anyone outside of your organization, you’ll also need to compensate the victims.
Destruction of Intellectual Property
There is more than one way to destroy data. Sure, you could delete a file or smash a hard drive. But this simply puts the information at risk of integrity problems, or makes it temporarily unavailable until the backups can be restored.
But that’s not what we’re talking about here.
There are certain types of information which are only valuable because of their secrecy. If a buyer knows the salesperson’s minimum selling price, then it could compromise the negotiation. Likewise, the value of a new invention will be destroyed if it’s leaked before the inventor can patent it.
If you’d like to create a solid argument that will convince other departmental heads to support you in your quest to launch a new information security initiative, you can use these main business risks to illustrate what can go wrong if they continue to remain unprotected.