Ponemon Institute recently conducted a survey sponsored by Centrify and designed to more deeply understand the current state of cybersecurity. The Impact of Data Breaches on Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers examines differing perspectives across a number of security topics. I’d like to focus on IT professionals at this time, as I believe the results are enlightening, to say the least.
43% of IT practitioners said their organization had a data breach involving sensitive customer or business information in the past two years. This tells us that, on average, more than one in five organizations are hit each year with a serious breach in which a significant amount of confidential data is lost. We’re not just talking about a break-in – we’re talking about the actual loss of valuable data.
Consumers could look at this in a different way: If you’re doing regular business with 10 different companies, two of them will lose data to a cyberattack this year. While there are limits to what can be done to protect data that’s not under your direct control, there are a few steps that can help diminish the possibility of full-blown identity theft.
First, be discerning. Don’t do business with a company you don’t trust to protect your data. Second, be vigilant. For example, many credit card companies send a message every time a transaction is posted against your account. Sign up for this service and monitor the communications carefully.
Only 48% of IT practitioners believe organizations are obligated to take reasonable steps to secure the personal information consumers share with them. The fact that more than half of all IT professionals do not feel obligated to protect private customer information wouldn’t be so alarming if their customers felt the same way. If consumers had no expectations that IT was making every effort to protect them, they would act accordingly. But that’s not the case. In fact, 80% of consumers believe organizations do have an obligation to secure their personal data.
If a business associate asks you to hold their wallet, and you agree to do so, have you not an obligation to take every reasonable step to ensure its safekeeping? Of course you do.
If the people within your organization don’t accept the responsibility that comes with collecting the personal data of your customers, close your business now. You will not survive. Not only does IT need to make data protection their top priority, everyone in the company, from the CEO to the cleaning crew, needs to feel obligated and responsible.
Fewer than half of IT practitioners believe their organizations have a responsibility to control access to consumer information. Only 46% of IT people feel it’s their obligation to control access to customer information. Again, there’s a disconnect: 71% of consumers surveyed believe it is the organization’s responsibility. In short, ditto to the second point above. If your company is soliciting private information from customers and they’re providing it to you, it is only with a great degree of trust that you’ll do everything possible to limit access to it. And that is the responsibility of IT. Period.
61% of IT practitioners do not believe their companies have a high level of ability to prevent breaches. This lack of confidence is a dangerous sign of submitting to the status quo. If you’re an IT professional in the 61%, take responsibility to improve the situation and step up to the plate. Your customers and company are counting on you.
- Understand the cause of breaches. According to the 2017 Verizon Data Breach Investigations Report, 81% of breaches are due to compromised credentials. You must effectively manage the identities of your employees, because it is through them that hackers can gain access to the databases that store your customer information. Next, limit the activities that can be performed inside your environment. Every employee should be given access only to the information they need to perform their jobs. That way, even if an identity is compromised, the damage will be minimized.
- Elevate the conversation to the C-Suite. Focus today is so skewed towards revenue growth and cost management that security often takes a back seat in the boardroom, and this might be a fatal error. Don’t be afraid to stand up and be heard. Worst case scenario, you’ll be able to say “I told you so,” and you’ll look like a genius.
- Ensure you have a strong security posture. At the very least, that means having an adequate budget for staffing and security technologies, especially identity and access management. A comprehensive security program, training programs to reduce employee negligence, and regular assessments of security vulnerabilities are essential. Last, have an effective data breach response plan so that if things head south, you’re prepared.
Bill Mann is Chief Product Officer at Centrify.