In this ongoing Data Security blog series on implementing a data security practice, we now answer a fundamental question: what is the business value of protecting data? How does a data security practice benefit a business financially?
To answer this question, let’s play a game. A mental simulation. We’ll pretend that you’re the CEO of an enterprise that collects and stores personal, sensitive data. Customer names, addresses, and birthdates. Along with payment and sales transaction information.
Of course this data is necessary to conduct business. We can’t sell without it. And our customers expect us to keep this data secure, free from abuse and exploitation. So the fun part of this game is you get to choose one or more information security strategies to protect the business from hackers.
Let’s start with some strategies you can choose from, namely:
- Require secure networking between nodes that share data within your business network.
- Deny direct access to any node storing sensitive data, forcing transactions to originate from trusted systems.
- Verify the person initiating a transaction is legitimate via multiple authentication factors, such as both a password and a secret question answer.
- Protect sensitive transaction data before storage outside of computer memory, for example in a database or file system.
Before making your selection, let’s note that these are listed in increasing order of expense. The first is the least expensive, the second is more expensive, and the last is the most expensive. Also, as CEO, you are rated on generating the most profit for your organization. So it’s important for you to keep expenses under control.
Now which of the above information security strategies would you choose? Think about this for a moment before reading on.
If you chose anything less than all four, congratulations! You have placed the business at substantial risk for tremendous financial loss. ☹ In reality, you need all four protection strategies. Without all of them, your business runs with a high risk of loss due to a cybersecurity incident. And operating at high risk over a long enough time guarantees such a loss.
Why is this true? Well, most businesses use the first three strategies: all network connections are secured, firewalls block network connections except via approved channels, and most logins require multi-factor authentication.
However, most businesses do not protect the data itself, which is a shame. In our previous post, “What is a Data Security Practice?”, we mentioned the Verizon 2018 Data Breach Incident Report, which shows that about nine percent of all information security incidents result in a data breach. And if that data is not protected, the losses are staggering.
How staggering? Well, in late 2013, news broke that Target Corporation suffered a major security breach. In their 2014 annual report, Target stated this breach incurred net cumulative expenses of $162 million. Additionally, Target posted a profit of $1,971 billion in 2013 and a loss of $1,636 billion in 2014, ostensibly due to customer dissatisfaction and loss of reputation from this data breach.
I hate to pick on Target. Full disclosure: I’m a loyal Red Card user. Yet this breach remains one of the best documented in recent history, providing us with hard evidence showing the business value of protecting data itself: had Target spent less than two percent of the direct loss of this breach on implementing a data security practice, not only would the net expenses have been avoided, but year-to-year profits would also have been preserved.
This helps us answer the question, what is the business value of protecting data? Clearly one value is avoiding financial loss due to a breach. In an era where data theft occurs regularly despite the presence of multiple information security strategies, only data protection avoids the expenses and the loss of profits post-breach: when thieves make off with worthless substitute data, the direct expense, mitigation cost, and reputation damage are all almost non-existent.
But is there further business value to implementing a data security practice? Is there something unique about this information security practice that has a measurable fiscal benefit? Yes, there is, and that’s the subject of our next post!