The economic downturn means businesses are most
vulnerable to serious data security breaches at a time they can
afford it least, according to a report by security firm McAfee.
The study of the security of information economies warns that
the global recession is putting information at greater risk than
ever before, demanding individual and collective action.
Organisations face greater external risks as an increasing number
move their data storage and processing offshore. At the same time,
they face a growing internal risk as large numbers of employees are
laid off.
A survey of 800 IT decision makers worldwide revealed that
organisations lost data and intellectual property (IP) worth £3.2bn
in 2008. The cost of repairing the damage was an estimated
£421m.
Based on these estimates, McAfee projects that data breaches
cost the world's companies more than £700bn last year.
Sensitive information
The average company has £8m worth of sensitive information
offshore, including customer and credit card data, IP, financial
records and legal documents.
Most of the world's IP is still housed in North America and
Western Europe, but 26% of organisations said they were storing
information offshore in regions where costs were lower.
Some 36% of those surveyed are storing or processing data in
China, 22% in south-central Asia, and 19% in South or Central
America.
Developing countries spend more on protecting IP, but legal
protection for data and law enforcement is not the same in all
regions.
Pakistan, China and Russia were the worst-rated countries for
protecting digital assets and had the worst reputations for
investigating data breaches.
This means that any company offshoring operations must
understand the risks and put the necessary controls in place to
manage risk and prevent data loss, says Greg Day, security analyst
at McAfee.
When choosing an offshoring destination, companies should look
at the relative level of maturity in IT security, the level of data
protection legislation and how well that is enforced, he says.
Organisations should also ensure that outsourcing partners meet
basic standards on data protection by thoroughly checking what
measures are in place, says Stuart Okin, managing director,
Comsec Consulting UK.
"Outsourcers should be asked to demonstrate how employees would
deal with threats to data security and that they have been trained
not to divulge sensitive client information," he says.
It is important not to outsource everything, but retain control
through someone in the organisation who has the responsibility of
monitoring the outsourcer and the ability to intervene if
necessary.
Discretionary spend
"This person should have the ability to effect discretionary
spend to respond quickly to the changing security threat landscape
when needed," says Okin.
Economic realities could tempt an increasing number of
financially strapped and laid-off employees to use their corporate
data access to steal sensitive information, the report says.
Employees are the biggest data leakage risk for 68% of survey
respondents.
Some 42% of survey respondents said laid-off employees were the
single biggest threat to sensitive data, while 36% said financially
strapped employees are a concern.
This means that the business, IT and HR have to get closer
together and make sure there is clear policy around what should be
done when redundancies are made, says Day.
"Organisations need to make sure that the access credentials of
employees who are laid off are removed from corporate systems
promptly," he says.
They also need to make use of all the available technical
controls to monitor data transfers by current employees, says Day,
to enforce data protection policies and prevent data leakage.
Phishing attacks
The report says firms need to educate employees against the
dangers of phishing attacks and other risks.
Large-scale redundancies are also likely to lead to an increase
in unintentional data loss, says Okin, because many organisations
will be unable to cope with an unusually high number of people
leaving.
"Organisations should be reviewing data leakage prevention
processes now to ensure they are robust enough to deal with sudden
increases in scale," he says.