It's not just consumers that are losing. According to a survey conducted by the Chamber of Commerce, PricewaterhouseCoopers, and ASIS International, businesses lost between $53 billion and $59 billion between July 1, 2000 and June 30, 2001 due to the theft of their intellectual property.
Set the regulatory demands on information security aside (Basel II, European Union Data Protection Directives, GLBA, HIPAA, SB 1386, and Sarbanes-Oxley): as customers become increasingly security and privacy savvy, sound security policies and trust will increasingly become a competitive differentiator. Gartner predicts that if Internet-based security threats aren't mitigated, the robust 20 percent annual E-commerce growth rates will be slashed to 10 percent or less within the next two years.
While the myriad of regulations do not dictate what security technologies companies need to set in place, they all demand that business and customer data are adequately guarded.
While it is not possible to eliminate risk, clearly more needs to be done by organizations to reach a higher level of security to protect their intellectual property and their customers' personally identifiable information. The level of diligence organizations place on securing their business-technology systems simply isn't high enough, and is one of the primary reasons identity theft cases are soaring. Organizations need to re-evaluate their approach to information security, consider new tactics for protecting digital assets and, most importantly, the trust of their suppliers, partners, shareholders, and customers.
Organizations Need to Get Back to Basics
To turn the tide on the skyrocketing lack of trust customers have toward the way enterprises protect their personal information, organizations need to instill security awareness throughout their enterprises. Security culture within an organization needs to flow from the top down: CEOs, boards of directors, and senior management need to make it clear that information security needs to be an integral part of their daily operations, and that IT security initiatives must be closely aligned with business objectives. Without senior management providing strong security governance, insiders abusing IT resources, system breaches, and careless handling of customer information will continue to proliferate at an alarming rate. Security policy can't be static; information security policies and procedures need to be dynamic, living documents that are continuously refreshed as technology, computing infrastructures, and business environments evolve.
In a successful information security program, all three pillars (people, process, and technology) must be strong. Senior management lip-service to the importance of security, and to the protection of the customer information they are entrusted to secure, no longer suffices. The continuous spate of data breaches clearly shows that simply investing in conventional defenses such as anti-virus programs, content filtering, firewalls, identity management, and intrusion detection and prevention systems isn't enough. Not enough attention is being placed on the other two pillars of security: people (security training and awareness) and process and procedure (security policy), and no amount of investment in security technologies will make up the difference in the equation.