Data Breach Is No Longer Just an IT Issue, but a Business Issue
Traditionally, data security issues and threats have been relegated to the IT department. But as we’ve seen from some of the biggest data breaches over the last couple of years (Target, Home Depot, and Sony, to name a few), when a data breach occurs, the problem becomes much bigger than IT or information security – it becomes a problem for the entire organization up to the highest levels. A data breach impacts every business unit in a company. Preventing advanced data attacks is no longer just a technology issue; it’s a business issue that requires involvement from the top management of an organization.
We find that many companies don’t understand the risks of insufficient data destruction programs and the extent of their liability, which we have outlined below:
- Companies have a fiduciary responsibility to protect sensitive data including client personal information, intellectual property, and employee confidential information.
- Sending sensitive data-bearing equipment off site limits what can be protected and controlled.
- Most executives are uninformed about security blind spots in off-network data-bearing devices that contain sensitive information and are generally unaware of what goes on at vendor sites.
- Liability is not severed after equipment leaves a company’s possession and executives may be held personally liable.
- Even though network intrusion gets far more attention and security dollars, 70% of data breaches come from off-network devices.
So, what can companies and executives do to help protect themselves?
Focus on Preventing a Data Breach – In the wake of numerous high-profile data breaches, a lot of the conversation seems to be focused on dealing with the aftermath of a breach and ensuring that companies have a data breach response plan. While this is of course necessary these days, companies also need to develop a comprehensive security strategy that does not just focus on electronic attempts to breach their firewalls. A more comprehensive approach includes recognition of the threat that comes from off-network devices and other areas of data security weakness. This is especially true given the fact that most companies are not able to determine the root cause of breaches. Embedded data is increasingly prevalent in off-network and decommissioned devices, and the people responsible for the decommissioning process, along with their vendors, are largely overlooking the threat that it represents.
Develop Cross-Functional Data Security Team and Plan – Preventing a data breach is no longer just an IT problem; it needs to be a company-wide effort. A comprehensive data security plan needs to be informed by various constituencies from across the company, including IT, legal counsel, C-level executives, any third-party vendors (especially IT asset management and disposition providers), and possibly others. A comprehensive plan will also include educating employees at every level about proper data security and appropriate hardware usage practices.
Strengthen Your Weakest Points – Your data security is dependent on the weakest point in the company. Companies need to think beyond IT and think holistically about weak, potential entry points for hackers throughout an entire company. Some commonly overlooked areas include decommissioned, off-network computers and devices. Your old phone system may have user information on it, a copier may have copies of your most sensitive data stored in its hard drive, and networking devices may contain IP addresses and passwords that could allow an outsider to penetrate your network. Third-party vendors who have access to your network could also pose a threat. In the Target breach, thieves were able to use the credentials of an HVAC vendor to get into Target’s network, which gave them access to the entire organization.
The aftermath of a data breach is felt at all levels of an organization – from the top management down to the customers who may be affected by the breach. Therefore, it stands to reason that data breach prevention should be elevated to a strategic business issue, not just an IT issue. Companies and their executives need to take a complete risk management approach to help prevent a potential data breach, in addition to developing a breach response plan, in order to protect market value, customers’ trust, and executives’ careers, and to prevent the negative financial and legal ramifications.
To learn more about the threat that embedded data can pose to your company, please download our white paper: Embedded Data: Your “Hidden Secret” to Stopping a Major Data Breach — A call for awareness to the security threat of embedded data. It aims to educate customers and the public at large about the potential exposure and hidden dangers of embedded media if it falls into the wrong hands.