Organizations implement information security (IS, InfoSec) and compliance features to keep their data safe. However, getting this done right is not an easy proposition, as advancements in technology constantly pose new threats and open up new avenues for bad actors to breach cybersecurity software.
And since data exists in so many forms – including operational data, financial data, and customer and employee information – and in such huge volumes, it’s difficult for organizations to keep it secure, even though they spend millions of dollars annually to do so.
Perception vs. Reality: InfoSec Gap
Companies with 2,000 employees pay approximately $528,000 a year for InfoSec and compliance features. However, the expenses associated with implementing and managing those features can reach as high as $5.68 million annually, according to recent research conducted by information intelligence agency Cognni.
“The majority of decision-makers do not know that their organization can’t detect most risks to their information, and that IT won’t even try,” the report noted.
“This obviously leads to clear and immediate information risks that nobody even attempts to mitigate.”
Despite the enormous costs, only 4% of companies have successfully implemented all the InfoSec and compliance features that they’ve purchased, according to Cognni.
This statistic stands in stark contrast to the fact that 89% of C-level execs believe that their IT teams have deployed all the InfoSec and compliance features that their companies have paid for, revealing that there’s a major gap between perception and reality when it comes to information security, according to the report.
According to Cognni, there are three main reasons InfoSec implementations aren’t successful. Let’s take a closer look at them below.
Companies Fail To Detect Sensitive Personal Information
To protect against unauthorized access or disclosure of regulated information, organizations need to identify where that information resides. Cognni explained:
“However, many organizations possess such a narrow scope of detection that they are incapable of adequately protecting their data assets.”
Companies may not be able to detect all their sensitive personal information (SPI) because they don’t know the sources of that data or the types of documents that contain that data. In addition, even if they know what to look for, they may not have the tools or processes they need to identify, monitor, and secure their information.
Organizations that don’t properly detect and protect SPI will likely suffer privacy violations, data breaches, and serious damage to their reputations.
Many companies may find it difficult to train machine learning to detect protected health information – i.e., any health information that is protected by law, including treatment plans, test results, and medical records. However, detecting sensitive personal information, such as disciplinary hearings, employment contracts, and pay slips, proves nearly impossible for almost every organization.
It’s much harder to train machine learning to detect specific types of documents than it is to detect specific terms within the text. The result is that most types of SPI aren’t classified, monitored, or protected.
Organizations Don’t Protect Internal Confidential Information
Every organization has proprietary information and/or sensitive and confidential documents that they must often share securely inside and outside the company. However, companies that don’t protect their confidential documents will likely suffer the loss of revenue and damage to their brands, and may also have to pay massive fines for regulatory noncompliance.
Consequently, protecting confidential and sensitive information is critical to the long-term success of InfoSec initiatives. Encryption is an excellent option to keep sensitive corporate data secure.
The Cognni report made an example:
“[For example], a company in the tourism industry was breached. The hacker gained control to one of their data privileged accounts and stole gigabytes of sensitive data, including internal confidential information. This information was accessible because the company’s data was not labeled or otherwise encrypted.”
Sharing Sensitive Information Leads to Risks
Organizations’ sensitive data comes in many forms, including employee HR records, customer information, legal and financial documents, operational data, and more. The kind of information that employees need to do their jobs but shouldn’t share publicly as it could damage their companies if it was exposed.
The fact is, though, that to get their work done, employees must frequently collaborate with others inside as well as outside their organizations. And that often means they share sensitive corporate data with individuals and businesses without permission to access it.
There are two main types of such exposures: internal and external.
“Internal exposures occur when sensitive information is accessed by employees who are not trusted to have access,” the report noted.
“External exposures happen when sensitive information is shared outside of an organization to individuals or organizations that have no right to this information.”
To ensure their sensitive data is protected, organizations must understand what types of information employees are accessing and how they typically share that information. To detect these kinds of exposures effectively, companies need to establish clear policies governing which employees have permission to access which types of data and pay close attention to how and with whom employees are sharing this information.
Businesses must ensure that their employees are aware of the sensitive nature of the information they access on a day-to-day basis and understand how they should handle that information. If organizations’ sensitive corporate data ends up in the wrong hands, it could be used for fraud, identity theft, or other malicious activities.
Therefore, employees must ensure they protect this information and only share it with those who have permission to access it.
The Bottom Line
Organizations that want to ensure that their InfoSec initiatives are successful must take the necessary proactive measures to protect their sensitive corporate information and keep it out of the hands of bad actors.
Cognni suggests considering the following steps:
- Mapping critical data as most companies lack visibility into their critical data, including its existence and exposure;
- Labeling and encrypting internal confidential data;
- Classifying and labeling confidential data so employees know which information is most sensitive and educating them so they can manage and mitigate potential risks associated with the data.