Inovus Intelligence - Insights on IT Alignment                               October 2015


Are You Sailing on the RMS Titanic? Colliding With the Icy Realities of Data Breaches

Over the past couple of years, high-profile data security breaches at companies including Target and Sony have underscored the importance of implementing effective strategies for information security and the prevention of data loss. Large or small, any organization dealing with sensitive data must consider a strategy that extends from the server all the way to the desktop, and well beyond. While a good tactical plan inclusive of firewalls and other technologies can help to address certain kinds of risk, every organization must consider losses from a broader perspective and build its strategy accordingly. Organizations first must understand their own risk profile and then dedicate the appropriate level of resources to implementing the right strategy and tactical solutions.

Each organization’s risk profile accounts for its vulnerabilities and priorities, as well as constraining factors such as dollars, human capital, and timing. An organization with a low risk profile may be willing to accept more costly loss recovery efforts in the unlikely event of a breach, while an organization with a high risk profile might direct most of its available resources toward preventing a breach in order to minimize the costs of loss recovery. Organizations in the middle may choose to preserve convenient access to information while still budgeting for the loss recovery costs that would follow a breach.

Although every organization faces the same fundamental questions regarding information security, there is no one-size-fits-all strategy. In many cases, the primary challenge in developing this strategy lies in understanding what level of security is appropriate for the business. What do state or federal statutes require, what standard of precaution does case law indicate, and what steps represent a reasonable effort or sufficient precautions? What is the prevailing industry standard for protecting the type of data the organization maintains? In everyday operations, how far should convenient access be constrained by security measures such as restricting the use of mobile devices or requiring email encryption? And lastly, if a breach were to occur, what should the organization’s response priorities be?

To be appropriate and effective, the strategy must address numerous considerations, beginning with the probability of a data breach, the level of security required, and the cost of implementing that level of security. It also must account for the type of information being protected, whether it is customers’ financial or medical information, or the organization’s own intellectual property and trade secrets. Finally, it must go beyond protection and prevention to ensure that the organization maintains its ability to detect a breach, gain insight into how that breach occurred, and undertake responsive loss mitigation and recovery efforts. These efforts often are extensive, ranging from actual remediation of the issue to coordinating external communications with partners and customers to dealing with severe financial repercussions.

Information security strategy and tactics are only effective against risks that are known, or at least anticipated. That said, an organization that routinely takes the time to address these critical security questions positions itself to recognize the best balance among data security, information access, and the potential costs of loss mitigation and recovery. By understanding this balance, the organization can properly allocate resources across its full risk profile and handle both information security and any breach in a way that minimizes the impact not only on the bottom line, but also on the customer experience and the organization’s credibility going forward.

Inovus News

  • Inovus Technology Solutions has been engaged by Bucknell University to provide IT Strategy advice on their Enterprise Architecture and future integration plans with Workday HR and Workday Financials.