Tuesday, November 25, 2008

Protecting Your Information

According to an article by the Enterprise Strategy Group (“Transitioning to an Information Infrastructure,” June 2007), “While it is not found on a balance sheet, information is quickly becoming a leverageable corporate asset that has both value and risk implications.”

One of those risks is that organizations (both public and private) are insufficiently protecting their sensitive or confidential data.


I recently came across a site, DataLossDB, which documents known and reported data loss incidents worldwide. Let's just say I was astounded at the enormity of the problem.

According to DataLossDB, the largest reported data loss incidents were:

Who is impacted by these security breaches? Everyone. Businesses. Customers. Employees. Suppliers.

Like many people, I have had my personal information compromised. Back in 2006, Fidelity Investments lost a laptop containing the personal information of 196,000 retirees and former employees (me being one of them).

According to Computerworld, the theft may have exposed such information as names, Social Security numbers and compensation details. According to a survey conducted by the Ponemon Institute of 700 US-based C-level executives, managers and IT security officers at mid-size to large businesses, organizations that experienced a data breach reported the following consequences:


  • 74% report loss of customers

  • 59% faced potential litigation

  • 33% faced potential fines

  • 32% experienced a decline in share value


The Ponemon Institute conducted another study on the cost of a security breach and found that companies spend almost $200 per record breached (for 196,000 records, that works out to roughly $39 million). They also found that the money goes to, among other things, lawyers, private investigators, forensic experts, credit bureaus and insurance companies.

I have no idea if the incident back in 2006 cost Fidelity $39M (I called to check, but unfortunately Fidelity is a private company). I do remember, though, getting a free one-year membership to Equifax.

My personal ordeal, of course, raises the larger question: with the cost of a breach so high, why are there so many breaches? I am guessing it is because it is difficult for those responsible (yes, us managers) to build an effective business case for adequate controls over our information.

A recent article on CIO.com (“Myth or Truism? Security Experts Judge,” November 10, 2008) asked several experts whether it is possible to measure the Return on Investment (ROI) for security.

It’s an interesting question. How do you effectively measure the return of:


  • Ensuring that information is only accessible to the right people?

  • Ensuring that information is only used in a legitimate business context?

  • Ensuring that information does not inadvertently “leak out” of the corporation?


One of the experts in the CIO article is quoted as saying: “Prevention of a possible loss isn’t a gain otherwise I’d be rich from not betting on the lottery!” Funny.

As I think about it, protecting my information is simply a cost of doing business. I would not think twice about the need to install locks on my doors or deploy sophisticated network security, and neither should I think twice about the need to protect my information, so that my customers, my suppliers, my employees and my company's business interests are properly protected.

How do I protect my information? Where do I start? Companies that are serious about protecting their information must:


  • Make Information Management a business strategy. It cannot be treated as just another IT department issue.

  • Identify and classify all Sensitive Data. You need to know what you have and where you have it in order to protect it.

  • Develop policies that ensure that the right people have access to the information and that the information is used in the proper business context.

  • Incorporate effective technology to automate these processes to keep your information safe.
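The second step above, knowing what sensitive data you have and where it sits, is the one that is easiest to automate and the one most often skipped. The script below is an added example, not code from the original post or from any product: it walks a directory tree, flags files that contain plausible US Social Security numbers or payment card numbers, and returns an inventory keyed by file path. It narrows the regular-expression matches with the Social Security Administration's structural rules (area 000, 666 and 900 to 999, group 00 and serial 0000 are never issued) and the Luhn checksum for card numbers, because a scanner that flags every nine-digit run will be ignored by the people who have to act on it. The sample files it scans are constructed for the example; they are not real data. It reads files as plain text, so Office documents, archives and encrypted files would need their own extractors before this check would see inside them.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Candidate U.S. Social Security numbers: three, two and four digits with
# optional dash or space separators. The word boundaries stop a 9-digit run
# inside a longer number (a card number, a phone number) from matching.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Sixteen-digit payment card numbers, optionally grouped in fours.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def is_plausible_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 or 900-999, group 00 and serial 0000
    are never issued, so such matches are placeholders or test data, not SSNs."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return {data type: number of plausible hits} for one document."""
    counts = defaultdict(int)
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            counts["ssn"] += 1
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            counts["card"] += 1
    return dict(counts)


def scan_tree(root):
    """Walk a directory tree and return {relative path: classification} for the
    files that hold plausible sensitive data. Files are read as text; binary
    formats and encrypted files are out of scope for this example."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found = classify_text(fh.read())
            except OSError:
                continue  # unreadable file; a real tool would log it for follow-up
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = found
    return inventory


# Constructed sample files (not real data) standing in for a small file share.
SAMPLE_FILES = {
    "hr/retirees.csv": (
        "name,ssn,compensation\n"
        "Jane Doe,123-45-6789,85000\n"
        "John Roe,512-34-9876,72000\n"
    ),
    "finance/cards.txt": (
        "test card 4111 1111 1111 1111 expires 12/10\n"
        "not a card: 1234 5678 9012 3456 (fails Luhn)\n"
    ),
    "notes/readme.txt": (
        "Call ext 555-1234. Ticket opened 2008-11-25.\n"
        "Placeholder 000-12-3456 is not a valid SSN.\n"
    ),
}


def demo():
    """Write the sample files to a temporary tree, scan it and return the inventory."""
    root = tempfile.mkdtemp()
    try:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(path, found)
```

Run against the constructed tree, the inventory lists only hr/retirees.csv (two SSNs) and finance/cards.txt (one card number); the phone extension, the date, the placeholder SSN with area 000 and the digit run that fails Luhn are all left out. In practice the inventory is the input to the third and fourth steps: each flagged location gets an owner, an access policy and a decision about whether the data should be there at all, which is exactly the question a laptop full of retiree records should have raised before it left the building.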


