The increasing sophistication of data thieves, proliferating number of potential breach points, and growing value of stolen data combined to drive the number and cost of data breaches to new highs last year. And the risks to enterprises continue to expand.
But despite the growing threats, many enterprises remain woefully unprepared—even after investing in IT security solutions. According to recent research from Lieberman Software reported in Infosecurity magazine, "69 percent of (IT professionals) do not feel they are using their IT security products to their full potential. As a result, a staggering 71 percent...believe this is putting their company, and possibly customers, at risk."
Given the increased demands on IT teams today, it's not surprising that complex, cumbersome security technology is often not fully utilized, or that, as the Infosecurity article also notes, 61% of tech professionals say their organizations have "deployed a security product purely to meet regulatory compliance regulations."
Yet relatively simple and inexpensive process automation can, in many cases, significantly reduce an organization's risk of a data breach due to common sources and causes.
According to research from Experian, "For businesses, the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months." Such breaches have several indirect negative impacts beyond the direct financial costs.
Corporate reputation: per Experian, "Board members and the C-suite can no longer ignore the drastic impact a data breach has on company reputation." Particularly in the case of high-profile breaches, enterprises risk negative press coverage, the loss of trust and reputation among consumers, and employee morale and retention problems.
Leadership issues: again per the Experian study, "business leaders are being held directly accountable for data breaches. Executives at the highest levels are under scrutiny about security posture and their response to a breach from stakeholders, regulators and consumers. Recent mega breaches have showcased the significant pressure for management teams to brush up on their knowledge on data breach preparedness or face the threat of being ousted from the company" (as happened in the case of Target, for example).
Regulatory and legal concerns: "scrutiny of corporate leadership’s management of security may continue to increase in the form of legal and regulatory action after a major incident," according to Experian.
To be fair, compliance is challenging for large U.S. enterprises, which currently "face a patchwork of data breach laws across 47 states, along with the District of Columbia and Puerto Rico." There is no national legislation or set of standards in place regarding data breaches, though this continues to be discussed.
Financial costs: the average cost of a data breach increased last year to $3.5 million—though the price tag for high-profile breaches like those at Home Depot, Target and Sony was many times that.
But direct dollar costs by no means capture the full impact of data breaches. As noted in Fortune magazine, although financial losses (after insurance payouts and tax breaks) rarely exceed 1% of annual revenue—even for a major breach—"the hidden costs of a breach (include) rising insurance premiums, damage to third parties, sinking customer goodwill and trust. Most importantly...failing to invest in security is strategically myopic; without ensured stability, a business may as well be committing corporate suicide."
While the adoption of "Chip and PIN" technology for credit cards should reduce opportunities for data theft at the retail level, many other doors are opening in enterprises for data thieves.
Among potential breach points are mobile devices (particularly in BYOD environments), wearables, wifi-enabled vehicles, and the whole range of devices, appliances, equipment and sensors coming online as the Internet of Things (IoT) expands. Even the voice-enabled smart TV in your conference room could be a target for hackers.
While combating hackers and information thieves requires a multifaceted approach, automation can help in several high-risk areas. Here are five ways to use data integration and workflow automation technology to protect corporate data.
BYOD: Automate key processes around asset deployment (including BYOD processes) to enable a more secure enterprise by eliminating exceptions to the process. For example, use an enterprise request management (ERM) portal to simplify the BYOD registration process by enabling employees to easily register their devices and appropriately populate databases and applications with that registration information.
Software updates and patches: Security software can't protect data or devices if employees don't use it, or don't keep it updated. Even with the best of intentions, workers may overlook or forget update reminders. Process automation software can be used to trigger remote installation of required software to desktops, laptops and mobile devices using third-party tools.
Password resets: Per Experian, "As more data is stored in the cloud, hackers are eager to capitalize on the value of consumer online credentials. There is an expected increase in cyber attacks to access consumer passwords and other data stored in the cloud."
Employees should be advised to avoid storing passwords in the cloud whenever possible. But it will still happen. So the next best defense is to use automation to enforce both creation of strong passwords and periodic password changes. Sure, this can be annoying—but less annoying than a major data breach.
Security training: In yet another key finding from Experian, "Currently only 54 percent of organizations report they conduct security awareness training for employees and other stakeholders who have access to sensitive or confidential personal information. Making a significant dent in the number of breaches in 2015 will require companies to pay more attention to raising the security intelligence of employees."
Training offerings can be conveniently presented through the ERM portal, with automation used to track and enforce certain types or levels of training based on employee role, location or other factors. For example, an employee's BYOD device may not be approved for corporate system access until a specific course has been completed.
Onboarding and offboarding: The ERM approach is often used to coordinate the new employee onboarding process, automating steps wherever possible to assure that new employees are fully provisioned and ready to hit the ground running on day one.
Equally important though, particularly from a data security standpoint, is that a similar strategy can be deployed to automate the offboarding process when an employee leaves the company for any reason: terminating all system access rights, deactivating badges, forwarding email, etc..
That's the advice of Joseph Demarest, assistant director in the FBI's Cyber Division. In addition to quoting him, Experian notes in its research that "73 percent (of U.S. companies have) acknowledged the likelihood of a breach by developing a data breach response plan."
In the aftermath of a breach, best practices are to notify consumers of the data theft, apologize, explain what happened as clearly as possible, and advise consumers on what they can do to protect themselves from fraud along with providing credit reports and financial monitoring.
It's also crucial for enterprises to have tools and processes in place to respond immediately when a bread is detected, locking down systems, restricting access and taking other steps to minimize the damage.
Enterprise-grade online collaboration tools enable organizations to rapidly assemble a team—including remote employees, consultants or vendors—to diagnose the problem, share documents and other information as necessary, and assign and track the progress of action items. Such tools also capture the resolution process for later diagnosis, training, and compliance purposes.
As hackers become more sophisticated, enterprises will have to invest more in training and technology to counter these threats to their sensitive data. But automation tools can be used today to address many of the common risk points for data breaches.