How much? It’s a simple question really, and one that I know the security professional often finds very difficult to answer when trying to justify mitigating risks to business. I mean what exactly is the financial impact of a virus outbreak? Or can you calculate how much the bottom line would be affected if that laptop was left in a bar?
In November 2010, the task of quantifying the financial impact of security incidents (in the UK) got a lot simpler thanks in part to the Information Commissioners Office (ICO). The ICO have now used the powers to fine granted in April 2010 with two organizations facing hefty penalties for misdirected faxes, and the loss of an unencrypted laptop.
Such fines can reach up to half a million pounds, which I suppose some organizations may see as relatively small when compared with the recent fines imposed by the FSA. However when combined with the negative publicity, and ultimately lost business then this makes a compelling case to ensure that security budgets reflect the changing regulatory landscape.
According to McAfee’s Simon Hunt (VP and Chief Technology Officer, Endpoint Security ) “It’s often forgotten that around 30% of reported data breaches are caused accidentally by insiders – people trying to do their job, trying to solve problems, but just inadvertently making a mistake and disclosing information. The Hertfordshire County Council incident for example was just a case of a mistaken fax number, a simple mistake but tremendously embarrassing, costly, and damaging for the victim.”
“Even though the risk of unencrypted data on mobile devices like laptops has been understood for over a decade, we still find examples where very sensitive information is on unprotected devices. The A4e case was particularly damaging as it wasn’t “secret sauce”, it was very sensitive and reveling personal information. Companies need to remember that they are only the custodians of personal information – they are not the owners, we, the individuals are, and we should be demanding they take good care of it, either by keeping it under lock and key, or by using commonly available technological measures to secure it.”
Although both organizations reported the incidents to the ICO, there will be some people who will be tempted to simply not report future incidents for fear of penalties, but I would suggest that the likelihood of a member of public (who may have inadvertently received a misdirected fax for example) not raising this is slim. So a more cost effective, and operationally efficient approach will be to implement an Information Security program that reduces the risk of such incidents happening again. Ultimately I believe that the cost of managing information risk is not prohibitive, we often talk about security being a business enabler and it really can be. One of the first steps I would suggest is reading this excellent blog by my colleague Matt Fairbanks.