Fortune.com reported that according to an International Data Corporation (IDC) forecast, by 2020, spending on security-related hardware, software, and services will eclipse $100 billion. However, consulting company NTT Com Security recently surveyed 1,000 executives and found only about half of them reported having a formal plan to respond to a data breach. Franklin wisely noted that “an ounce of prevention is worth a pound of cure,” but he also reminded us that “by failing to prepare, you are preparing to fail.”
According to the IDC report, the banking industry is forecast to make the largest investment in security for 2016. This makes some sense – that is where the money is. But there is significant value and opportunity in other data that companies should consider when evaluating their data security spend.
For some, value is in access to data, not necessarily the data itself. According to a recent post by my colleague, Damon Silver, ransomware attacks have increased four-fold from just a year ago – now estimated to be 4,000 attacks reported per day. These criminals often do not want the business’ data, but prefer to extract significant dollars from companies by preventing the businesses from accessing their own data.
Of course, there are steps companies can take to help prevent these incidents. But if reports about the number of these attacks are true, it seems few businesses have taken those steps and those that have are not having much success.
For those that have been attacked, there is a range of things they have to address, and quickly: what should be done first, how can the business continue to operate, what vendors and who in law enforcement can help, is there insurance coverage, do the criminals possess the company’s information and how much, and what are the legal obligations, including notification?
Data is power and can be used to influence. It is neither identity theft nor the desire to extract a few Bitcoins that is behind the hacking and release of emails about Hillary Clinton. Obviously these bad actors want to harm the presidential candidate, and have been somewhat successful in influencing the election. If there is one thing we can learn from the current presidential election, it is that data breach prevention and preparedness are not just about credit cards and Social Security numbers.
Though on a different scale, breaches exposing insensitive email or other communications, such as high-level strategy discussions among C-suite members, or communications that suggest systemic discriminatory practices or that outline detailed labor management strategies, can have significant implications for a company’s market position and profitability. Consider that the Ashley Madison breach did not just result in exposing potential cheaters. The hackers also disclosed company emails (at least 12.7 gigabytes of emails) which included sensitive computer code and worker salary data, furthering the efforts to bring the company down.
Increased investment and vigilance in preventing attacks and releases of sensitive data are coming. But a steady drumbeat of security professionals and others continues to warn businesses that cyber attacks are not a matter of if, but when. Recognizing that no system of security is perfect, and as spending on data security continues to rise, a significant item of that spending ought to include breach preparedness and response planning.