BreachExchange mailing list archives

Data Breach: The Downside of Data Loss for SMBs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 31 Dec 2013 18:03:41 -0700

http://www.forbes.com/sites/susannahbreslin/2013/12/20/what-porn-stars-do/

Preferred business practices dictate cybersecurity, but data protection
methodologies are a requirement for endpoint devices that contain customer
data to protect against the possibility of a data breach. Customer data is
among the most precious of all data within a company, especially if that
data contains personally identifiable information (PII). Unfortunately, a
substantial number of small to medium businesses (SMBs) in the United
States, approximately 14 percent, have chosen not to implement any security
measures, and only 9 percent use endpoint security techniques, according to
a recent "Small Business Cyber Security Survey" by McAfee and Office Depot.
With numbers such as these, it should come as no surprise that a great many
SMBs are ripe for a data breach.

Protect the Endpoint

More often than not, endpoint security solutions are viewed as a luxury, an
unnecessary operational expense by SMBs. Of course, it is unnecessary until
the price of losing customer data is calculated. The situation is analogous
to a fisherman setting out to sea without an individual flotation device.
At sea without a life jacket? It should never happen. Yet the McAfee and
Office Depot survey indicates that 91 percent of SMB companies surveyed are
doing just that with respect to protecting company data on endpoint
devices. SMBs are rolling the dice in the hope that the device will not be
compromised or lost.

Unprotected Endpoint

The risk posed by allowing unprotected endpoint devices within the SMB
becomes an actual threat when any of those devices go missing, be it due to
theft, accident or carelessness. When a device goes missing, a fundamental
breach of the company's security occurs, and if customers' PII is stored
on the device in an unprotected manner, a material breach has also taken
place. It is instructive to consider the incident that compromised over
9,000 Milwaukee city employees, according to the Journal Sentinel. A flash
drive containing the names, addresses, dates of birth and social security
numbers of approximately 6,000 employees and 3,000 spouses and domestic
partners was lost when the automobile of an employee of a city vendor was
stolen. The affected individuals are now faced with the very real threat of
identity theft and the city and its vendor with the unexpected cost of the
post-breach notification and operational adjustments.

Protected Endpoint

The cost to IT of protecting the endpoint would have been negligible in
comparison with the cost of the data breach. This leaves every SMB with a
clear path to follow: If company or customer data is to be allowed on
endpoint devices, then the company's investment to protect that data is a
necessity. The IT department's investment in the security solution
preserves not only the data but also the reputation of the company and its
brand. If a protected device goes missing, it is not a data breach; it is a
loss of a device that contains protected data.

Every business regardless of size has company data, some of which may
include customer data. Regardless of whether the company issues the smart
phone, laptop or other device to an employee or the company has embraced
bring-your-own-device (BYOD), preferred IT security practice requires the
protection of endpoint devices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/