There is a common saying that those who refuse to confront or acknowledge a problem are simply burying their head in the sand, like an ostrich. Apparently, a myth exists that ostriches stick their head in the sand when facing attacks from predators. Origins of this myth date back as far back as the Bible. For the record, ostriches do not really do this — they just hide.
What does this have to do with data security, you ask? Plenty.
Most companies are well aware of the ever increasing threats posed by cybersecurity issues. Given the resources and constant vigilance needed to effectively face these dangers, it is no wonder that many companies opt for the “hope for the best” approach and bury their heads in the sand. Hope is not an effective strategy, and risk denial is not risk avoidance.
Does an effective strategy exist? What does it look like? These are simple questions with very complex answers.
Companies can win the battle for data security. The road to victory starts by engaging in a real conversation and acknowledging that a problem really does exist. That problem is the fact that very few companies want to accept that significant risk really does exist. Once a company can get over that first step — acceptance — it has taken a huge leap to victory.
When performing gap analysis in this area, we are often confronted with the ostrich myth. Clients often say, “there are so many issues to organize and resolve.” The prospect of focusing on cybersecurity issues distracts business leaders’ focus from the core of business production, revenue and key initiatives. This approach results in two possible outcomes: self-assurance that a data breach cannot happen; or the notion that because cybersecurity is simply too complex or expensive, one’s business is simply doing what it can afford to do and nothing more.
A proactive approach begins with a gap analysis. Bring together legal, technology and operational teams to dig into your operations to identify, and face, weaknesses. Next, adopt or implement reasonable and appropriate data security policies and procedures governing the collection, maintenance and storage of data. The key words here are “reasonable” and “appropriate.” The expectation is that a business will implement controls that are appropriate to its size and complexity, the nature and scope of its business activities, and the sensitivity of the information and data it may collect or store.
The next step is a governance process. The highest level of the organization must direct and prioritize data security efforts. It is this level of a business that can be held personally liable for failures. Creation of a governance structure, providing for tangible objectives, staff and vendor accountability, and effective management and implementation is the key to success in the long run.
A formal data security plan is a complex set of policies and procedures. It should protect the business’ proprietary information and safeguard consumer-related data and documents. If consumer information is an issue, then the plan must be reasonably designed to protect the confidentiality, integrity and availability of sensitive information and contain administrative, technical and physical safeguards.
Each business and industry is different. The legal guidelines appropriate to one business may not apply to another. However, the threat of loss is grave and an effective and proactive plan is necessary. The plan itself must account for regular security assessments and effective employee training and awareness. Testing and training will ensure that the plan put in place today will be effective tomorrow and into the future. Failure may result in a shut down or loss of use of business systems, theft of data, hackers demanding ransom for restoration of use, and civil and criminal lawsuits, penalties and regulatory enforcement actions.
Effective data security requires focus and commitment. There are predators plotting attacks right now. Acting like the proverbial ostrich will not ward them off. Victory requires time and perpetual commitment to these principles. Security problems cannot be resolved overnight. Still, the first step is to acknowledge that this is a fight and that the battle can only be won through careful analysis and methodical preparation.