Effective risk management means securing corporate data
With all the hype in the market regarding security, it seems every company in the world has focused its efforts on protecting its IT systems from criminal hackers and malicious software. While external protection is indeed a necessary component of every security policy, too many companies forget to tackle internal risks and threats.
"Recent surveys have shown that malware (malicious software) attacks have increased by 650% over the last three years," says Amir Lubashevsky, CEO of Magix Integration.
"More importantly, 70% of these attacks have been perpetrated by the victims` own employees. An effective security and governance risk policy must, above all else, ensure the safety of corporate databases and information. The fact is that information is the lifeblood of a company and failing to protect it can result in serious consequences. For example, what would happen if a company`s financial information was compromised? Legally the company might be liable for damages and customers may turn to another supplier if they do not feel secure in their business relationship.
"Furthermore, what happens if someone supplies your marketing, manufacturing formulas or branding information to a competitor?" Lubashevsky asks. "It is mostly possible to recover stolen goods, but when intellectual property walks out the door with the help of disloyal staff and is used or usurped by the competition it may not be possible to recover from the loss."
Companies with large customer databases rich with information are most at risk from internal theft. Theft by external hackers is certainly a threat, but the majority of the mischief is caused by people trusted with access to mission-critical data. In particular, developers, service managers and database administrators are normally given clearance to the most sensitive data and are therefore most likely to be part of information crime.
"Most companies think their data is secure because employees are assigned limited access rights, but we all know how easy it is to obtain someone else`s password," Lubashevsky explains. "In addition, the level of personnel involved in theft means they automatically have access to critical data and, on a bad day, or if they are forced to leave, making the data available for a sum of money is a simple and profitable option and easy to accomplish."
There are numerous methods and strategies that can be employed by companies to protect their information. These range from real-time monitoring of the relevant databases as well as users` habits. Should any unexpected data access or transfer take place, an administrator should be warned immediately.
In addition, vandalism is also a potential threat. Professionals should be hired to assist the company in running regular vulnerability auditing and database risk assessments to help find and eliminate the weak points in systems and databases.
Implementing a disaster recovery plan is also advisable, but it must be part of a comprehensive security approach. A technically competent employee could always ensure that both the original and backups are both corrupted. That means if something goes wrong, there may be no way to recover.
"Securing corporate data is no longer a job restricted to IT departments," adds Lubashevsky. "With new compliance and corporate governance regulations, executives have to take a more active role in their security policies to ensure they meet their organisation`s risk management and governance requirements. Of course, money will have to be spent on implementing this security, but this will only be a fraction of the costs involved if data is stolen or corrupted."