June 04, 2014

What Every Business Needs to Know about Information Security

"Security is not a product, but a process." That should be the mantra of every security engineer today, according to Bruce Schneier, a cryptographer, computer security and privacy specialist, and writer.

“It’s more than designing strong cryptography into a system,” he said in an online post. “It's designing the entire system such that all security measures work together.”

With data breach incidents reaching new heights every year, this ‘process’ of information security needs to be an integral part of running a business. Of course, as a key component of privacy legislation and compliance standards, protecting private information is also the law.

So what should it look like in the workplace?

It should be a combination of security products and tools, technologies, policies and procedures that work together to safeguard the availability, integrity and privacy of all personally identifiable information.   

While there are many different kinds of data breach incidents, the ones that get the most attention involve cyber espionage. A recent example is the sizable Target breach where approximately 40 million holiday shoppers had their credit and debit card account information stolen by computer hackers.

But mishandled paper documents still cause a lot of data breaches too. For example, in a recent report on privacy breaches, Stephen Warren of Veterans Affairs said that between 96 and 98% of data breach incidents at the Veterans Affairs Department involve paper documents. "People are not thinking about the fact that that piece of paper they're carrying around making benefits determinations has sensitive information, and they need to protect it."  

Interestingly, over half of U.S. businesses believe a security breach would not seriously impact their business. But it would. Research has shown that a breach not only damages reputation and client relationships but also costs about $145 per lost or stolen record, according to the Ponemon 2014 Cost of a Data Breach.

The Shred-it State of the Industry Report showed that the average organization loses five percent of its revenue to fraud every year.

While all workplaces need information security policies and procedures, here are some of the hot spots to keep in mind:  

  • Breadth of Protection: The information security net needs to be wide and all encompassing, protecting personally identifiable information in electronic form (on desktops, laptops, mobile phones, etc.) and on paper (inside and outside of the office).
     
  • Employee Training: While regular staff training is key, it is lacking. More than one-third of small businesses never train staff on information security, and only 16 percent of large businesses train employees on data security protocol twice a year.
     
  • Insiders: It’s not just outside cyber thieves who are after information. In 61 percent of reported white-collar crime, the perpetrator is an employee of the organization. 
     
  • Hard Drive Disposal: As part of information management, the proper disposal of aging and obsolete computer hardware, which includes securely destroying the hard drive, is as important as the proper disposal of paper documents.
     
  • Convenience: The easier you make it for employees to protect information, the better. For example, a Shred-all Policy means all information is destroyed when it is no longer needed. This simplifies the document disposal process and reduces the risk of employee error in deciding what is or isn’t confidential.
     
  • Partners: It’s important to partner with security-driven companies too. For example, a reliable shredding company helps with compliance and provides a secure chain of custody for all shredding services.

Learn more about how a company can improve its information security by protecting its most important asset, its data.