Writer Pekka Puska, Sales Leader, Security Services IBM
Trust, promise and integrity are keywords when it comes to information security, but they are also extremely important themes for us Finns and a part of our DNA. Questioning these fundamental values is already a serious accusation, but losing them has an enormous impact. Nowadays the media devotes front-page headlines to the data breaches that are greatest in magnitude, be that the value or the volume of the lost data.
What’s clear is that a digitalizing world comes with productivity benefits and efficiency. Yet as digitalization progresses at full speed, many other parts of organizations are having difficulties figuring out how to keep up with the progress. Information security often represents an aspect of this. While everyone agrees that information security is important, it is still viewed as a mere cost item and a hindrance to development. Things do not need to be this way, of course. Rather, development could progress hand in hand with different operations, and information security could provide a competitive edge and enable new business models, instead of being a hindrance. Unfortunately, this is not the case, and investments are not always perfectly balanced.
Information security: a cost or a hindrance?
When the planning, implementation or management models of information security lag, a company’s data becomes an interesting target for misuse. The Cost of a Data Breach study carried out by the Ponemon Institute found that the cost of becoming the target of a data breach has increased by 6.4 percent from last year. At the same time, incidents in the “mega breach” class have become more common. Given that the problem is hardly going away, wouldn’t it be high time to incorporate information security into development discussions as an enabling and support function, rather than seeing it as a mere hindrance and cost item?
The clear exception in this respect is health care, in which the cost of a lost record is notably high – almost three times the average. This type of data does carry the highest risk for misuse.
People often think that the cost of becoming the target of a data breach arises during the breach. While this does, of course, have an impact, most of the cost is attributable to recovering from the attack and the damage to reputation. Restoring customers’ trust in a company through which their data has been leaked or misused may turn out to be a long and arduous, if not impossible, journey. A company’s maturity is indeed often measured by its response and recovery capacity. Because costs largely consist of restoration after the attack, investment in this capacity is directly visible as a reduction of costs when an attack occurs.
What to protect and how?
It’s important to understand what constitutes an information security risk for a company. What should we really protect and how? What constitutes the biggest risk for the continuation of a company’s activities? In addition, it is important to understand a company’s vulnerabilities. These also form a good basis upon which to build information security that fits a particular company, rather than information security in general. The IBM portfolio contains an extensive range of services for this purpose, aiming to help a company understand the above and create the right kind of strategy for reducing risks and costs. When correctly allocated, the same investment achieves far more effective information security than a plain, untargeted investment in information security.
For further information on the above-mentioned study, go to Cost of a Data Breach Study: Global Overview.