
Information Security Risks Affect All Organizations

As published in the March 2010 issue of The Greater Lansing Business Monthly.

You may have heard the recent horror stories concerning the theft or breach of confidential data. Laptops and networks containing Social Security numbers, bank account numbers, credit card numbers, and other sensitive data have been exposed and compromised.

It’s obvious information security is a serious matter for financial institutions, insurance companies, healthcare providers and governmental entities. What you may not be aware of is that all organizations, regardless of their size, need to address information security.

Consider this: If your organization has employees, collects payment information or keeps accounting records, your organization is maintaining sensitive, confidential data electronically or in physical paper form. Not only are the public image of your business, and consequently your organization’s existence itself, at risk if these data are compromised, but legal issues could also arise under both federal and Michigan statutes, including the Social Security Number Privacy Act.

The consequences made possible by vulnerabilities in data security are threats to all organizations. Individuals maliciously accessing human resource files can wreak havoc on the credit and good names of your employees. Too often, embezzlement is effectively hidden by the creation of fictitious or doctored transactions within your accounting system. Bank account and investment information in the hands of the wrong person could lead to wire transfers draining your cash reserves.

Also, the legal and administrative costs associated with notification of a breach could be devastating. Even more alarming, the fast-moving pace of consumer technology development is opening new gateways for data leaks as the usage of smart phones and Web-accessible devices grows. Actions should be taken by everyone to manage these increasing risks.

A basic approach for any organization interested in securing its data involves several steps.

First, the types of data your organization maintains should be documented and classified.

Second, threats to the security and integrity of these data should be documented along with a risk assessment for those threats.

Third, based on this risk assessment and an objective cost-benefit analysis, appropriate controls, such as policies and procedures, should be implemented to safeguard the data. For example, technology can provide automated controls alongside manual controls carried out by staff.

Lastly, monitor your organization’s adherence to its information security policies and procedures, and update your information asset list, risk assessment and controls to compensate for changes or new risks.

Unfortunately, there are several common barriers to effectively implementing an information security program. It’s critical to recognize these efforts are a minor investment compared to the potential expense of a data breach. However, sometimes those who are in the position to recognize information security vulnerabilities do not have enough authority within an organization or broad enough experience with information security to effectively convey to senior management the seriousness of the risks and potential consequences. Other demands on the time and efforts of senior management may take precedence over the unclear and complex data security issues.

Lastly, an effective information security system requires the right mix of people, processes and tools. A weakness at any level of the system undermines the entire effort, such as when a well-meaning employee disregards company policy and opens a server room door.

This is where independent, experienced security professionals and information system auditors can benefit your organization. These professionals can objectively assess your organization’s entire information security system, including the people, processes and tools currently in place.

Information system auditors are uniquely qualified to monitor the ongoing effectiveness of your security system. They can utilize their broad experience with data security to help owners and senior executives understand the issues and provide practical options and solutions to address your security vulnerabilities.

Whether your organization is new to dealing with the risks of information security or you already have a solid system in place, maintaining confidence in your data’s protection might be one of the most important investments you can make.

A continuous and focused effort to safeguard your information could be what keeps your organization out of the media and open for business.