Channel: SCN : Blog List - SAP for Utilities

Data security: The dental insurance factor


Security is never a sexy topic. It costs money without directly adding value to your business and processes. In the best case, it’s unobtrusive, not requiring huge efforts to run – like that dental insurance you hope you’ll never need.

 

Alas, security threats have the potential to cause more harm than a passing toothache. This is particularly true for the information in your organization: it is a critical and valuable asset, which makes it a potential target for people with criminal intent.

 

As I have described in a parallel blog, the threat is real and tangible:

 

  • Data security issues are (not very surprisingly) quite often perpetrated by insiders, not just hackers.
  • The probability of falling victim to an attack is not very high these days, but it looks likely to rise over time.
  • Damage associated with data theft is hard to nail down, but it can quickly reach painful levels or even threaten an organization’s existence.

     

In this light, it is worthwhile to think about ways to mitigate the risk posed by insiders bent on stealing data. As Wirtschaftswoche (Business Weekly, a German print magazine) comments, the damage potential can be lowered considerably through “modest” investment in preventive measures.

http://www.wiwo.de/unternehmen/industrie/wirtschaftskriminalitaet-grosse-angst-vor-datenklau/11069402.html

 

I tend to agree with the statement because of the following considerations:

 

  1. Invest in “preventive” measures. The best data security leak is the one that doesn’t happen. All others are bad, to different degrees. As a second best, you might consider measures that help manage and mitigate the damage: if you can at least detect and plug a leak early, the fallout might be easier to manage. The worst case is that someone else detects the issue and you can’t identify the source, or even tell what information you lost.
  2. This point is more involved, but it appears credible that the damage potential can be lowered “considerably” with “modest” measures. A finding by KPMG is that 70% of respondents see themselves at “low” risk of a data leak (but 82% see others at high or very high risk). If the truth lies somewhere in between, this discrepancy in perceived risk implies that organizations tend to underestimate their own risk exposure. This could lead to a structural risk, because organizations overestimate their own security measures and systematically underinvest in further protection. And indeed, KPMG point out that 85% of respondents think they are well protected, and most (89%) were not considering sizeable investment (the equivalent of a nice middle class car) in data security. If this situation has already persisted over a few years, we can assume organizations (at least in Germany) are in fact not well protected, and there should be low-hanging fruit to be picked, i.e. sizeable increases in data security protection at relatively low cost.
  3. Before we are completely submerged in academic reasoning, let me come to the third point. It appears most reasonable to call for investment in measures that decrease the risk of internal data leaks. As I have pointed out in another blog, SAP standard software provides quite a few measures against external attacks, but is not prepared to protect against malicious insiders (currently, only UI Logging and UI Masking are available to provide relevant functionality).

 

In this light, the suggestion from Wirtschaftswoche seems to be a sound one. Maybe the main message is, though, that organizations should shed their current appearance of complacency, come to a realistic notion of their risk exposure, and take appropriate measures if required.

