Recession means businesses face greater security threat, says McAfee

The economic downturn means businesses are most vulnerable to serious data security breaches at a time they can afford it least, according to a report by security firm McAfee.

The study of the security of information economies warns that the global recession is putting information at greater risk than ever before, demanding individual and collective action.

Organisations face greater external risks as an increasing number move their data storage and processing offshore. At the same time, they face a growing internal risk as large numbers of employees are laid off.

A survey of 800 IT decision makers worldwide revealed that organisations lost data and intellectual property (IP) worth £3.2bn in 2008. The cost of repairing the damage was an estimated £421m.

Based on these estimates, McAfee projects that data breaches cost the world's companies more than £700bn last year.

Sensitive information

The average company has £8m worth of sensitive information offshore, including customer and credit card data, IP, financial records and legal documents.

Most of the world's IP is still housed in North America and Western Europe, but 26% of organisations said they were storing information offshore in regions where costs were lower.

Some 36% of those surveyed are storing or processing data in China, 22% in south-central Asia, and 19% in South or Central America.

Developing countries spend more on protecting IP, but legal protection for data and law enforcement is not the same in all regions.

Pakistan, China and Russia were the worst-rated countries for protecting digital assets and had the worst reputations for investigating data breaches.

This means that any company offshoring operations must understand the risks and put the necessary controls in place to manage risk and prevent data loss, says Greg Day, security analyst at McAfee.

When choosing an offshoring destination, companies should look at the relative level of maturity in IT security, the level of data protection legislation and how well that is enforced, he says.

Organisations should also ensure that outsourcing partners meet basic standards on data protection by thoroughly checking what measures are in place, says Stuart Okin, managing director, Comsec Consulting UK.

"Outsourcers should be asked to demonstrate how employees would deal with threats to data security and that they have been trained not to divulge sensitive client information," he says.

It is important not to outsource everything, but retain control through someone in the organisation who has the responsibility of monitoring the outsourcer and the ability to intervene if necessary.

Discretionary spend

"This person should have the ability to effect discretionary spend to respond quickly to the changing security threat landscape when needed," says Okin.

Economic realities could tempt an increasing number of financially strapped and laid-off employees to use their corporate data access to steal sensitive information, the report says. Employees are the biggest data leakage risk for 68% of survey respondents.

Some 42% of survey respondents said laid-off employees were the single biggest threat to sensitive data, while 36% said financially strapped employees are a concern.

This means that the business, IT and HR have to get closer together and make sure there is clear policy around what should be done when redundancies are made, says Day.

"Organisations need to make sure that the access credentials of employees who are laid off are removed from corporate systems promptly," he says.

They also need to make use of all the available technical controls to monitor data transfers by current employees, says Day, to enforce data protection policies and prevent data leakage.

Phishing attacks

The report says firms need to educate employees against the dangers of phishing attacks and other risks.

Large-scale redundancies are also likely to lead to an increase in unintentional data loss, says Okin, because many organisations will be unable to cope with an unusually high number of people leaving.

"Organisations should be reviewing data leakage prevention processes now to ensure they are robust enough to deal with sudden increases in scale," he says.
