Where does Information Security Fail?

Protecting data has become a key concern but, despite the numerous examples in the press of businesses where information security has failed, we still see repeats of the same mistakes. Even some of the biggest and most high profile organisations in the world don’t seem to be able to protect their information, so why does this keep happening?

 

Information security is not prioritised

It is a sad fact that it’s very difficult to grasp just how fast and lethal a data breach can be until it happens to you. This is why many businesses shelve information security for a time when they are less busy, and so it slowly gets pushed down the list of ‘things to do’ and eventually ignored.

 

Information security is misunderstood

Small business owners who don’t have the experience or the time to fully understand information security, poorly trained IT teams, and unqualified security management and staff can all result in information security that is badly informed and out of date.

 

Resources are not available

Where there are limited resources for profit building, information security provision is often seen as less important than an initiative that will generate a tangible return on investment, and so resources are not made available. Other organisations may simply not see the value in putting money into security, or there may be few spare resources to apply.

 

It’s not just about technology

Many of us view information security as something that can be dealt with by installing a piece of software or other type of technology. What we don’t realise is that effective information security requires integration throughout the organisation, from management, strategy and governance, through to staff processes. One of the most significant security risks for any business is its people, and no piece of technology can eliminate all the threats that come from a workforce that has not been educated as to the consequences of a data breach for the organisation in question.

 

Risk awareness, assessment and analysis are non-existent

The threats from a lack of information security are changing all the time and each industry has a separate set of additional considerations pertinent to its own processes and procedures. Without an understanding of risk, an ongoing study of its potential impact and a clear set of actionable steps to take to avoid it, most organisations are left exposed.

 

Poor monitoring and preparation

Monitoring is the only way to spot problems as soon as they arise, and without it a breach could go for days without being discovered. Ongoing monitoring, a pre-prepared response process and regular reviews and updates are essential to preventing the worst kind of data breach.