In today’s globalized and increasingly digitized world, protecting confidential and sensitive corporate and customer data is paramount, not only for a business’s success but also for its reputation and future survival.
Data security is a constant challenge for most organizations. The threat of a cyberattack is very real, with the average cost of a data breach estimated at USD 3.86 million, not including additional damage to brand reputation and customer trust, or lost business. Even more concerning is that it takes organizations an average of 280 days to identify and contain such breaches, according to Ponemon Institute’s Cost of a Data Breach Report 2020.
The longer a breach goes undetected, the more damaging – and embarrassing – it is for the organization in question, with companies that do not have IT departments or security protocols in place the most vulnerable to such delays.
Getting Started
Companies need to include external vendors in their cybersecurity policies if they are to effectively protect their data throughout the complete value chain.
Follow our seven-point plan for success:
- Step 1 – Assess the threat: Begin with an audit of how you manage data currently, and which suppliers and technologies/tools they use. Watch out for the transfer of data through highly insecure methods (such as email or insecure FTP sites), storage or processing of data using unauthorized devices (PCs, tablets, personal servers, insecure LSP infrastructure) or tools (online chat, file transfer systems), as well as whether they retain your documents and data once a project is complete.
- Step 2 – Look for vulnerabilities: Any vendor that is privy to massive amounts of confidential and sensitive corporate/customer data is a prime target for hackers. By tracking how your external partners and suppliers manage, transfer and control access to your content, across all steps in the process, you will be able to identify your exposure to data breach or theft, and assess the security protocols that they have (or do not have) in place to protect you.
- Step 3 – Vet your vendors: Check that they have the right security protocols and credentials in place and how recently they have been audited; for example, internal information security policies (ISPs), information security risk assessments, SOC 2 Type II auditing, ISO 27001 compliance, and HITRUST certification to ensure appropriate information and document safeguarding, ISO 9001 for quality management, GDPR and CPRA compliance for personal data protection, and PCI DSS for secure payments. Ask how they ensure the availability of your content, including disruption and disaster recovery measures, in the case of a major disruption.
- Step 4 – Centralize and track: Confining content to a single environment (accessible online via a protected user interface) is more efficient, as well as more secure. By setting up a single secure platform for internal and external use, you can minimize threats by logging user and workstation access to your data.
- Step 5 – Control access: Control who has access to your platform using admin rights, granular security controls, and secure password control. For instance, use IP restrictions to authenticate users; hierarchical security settings (password length, password history, password complexity, number of allowed failed login attempts) that match the complexity of your internal security policies; and role-based access controls (RBAC) to assign access to specific teams, departments, and organizations.
- Step 6 – Classify content by risk: Highly sensitive content should benefit from added levels of security; for example, restricting where people work or blocking copying and pasting if there is a high risk of theft or industrial espionage. Restricted workstations can limit everything from the ability to copy to internet access and the use of software applications. This helps to ensure there are minimal opportunities for data loss or theft while work is being performed.
- Step 7 – Apply global rules locally: Embedding corporate governance measures locally will ensure that the platform and its rules are not bypassed, but workflows should also be audited regularly. Not only is it easy to fall back on old patterns, especially when deadlines are tight, but the risk and threat picture is evolving all the time.
Sobering Statistics
According to Ponemon Institute’s Cost of a Data Breach Report 2020, which studied more than 500 data breaches across 17 countries:
- Customers’ personally identifiable information (PII) was the most frequently compromised type of record and the costliest.
- Having a remote workforce was found to increase the average total cost of a data breach by nearly USD 137,000.
- Overall, malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%).
- Stolen or compromised credentials were the most expensive cause of malicious data breaches, while misconfigured cloud servers tied for the most frequent initial threat vector in breaches caused by malicious attacks, at 19%.
- Lost business costs accounted for nearly 40% of the average total cost of a data breach, measuring USD 1.52 million in the 2020 study.
- On average, companies in the 2020 study required 207 days to identify and 73 days to contain a breach in 2019, combining for an average ‘lifecycle’ of 280 days.
- The U.S. continued to experience the highest data breach costs in the world, at USD 8.64 million on average, followed by the Middle East at USD 6.52 million.
Choosing a provider that not only understands the importance of cybersecurity but actively invests in it can represent the difference between success and failure. If your vendor cannot match your internal standards for security, privacy, confidentiality, compliance, availability, and integrity, then now is the time to switch.