IBM recently revealed that a data breach averages €3,48 million in security costs and fines. This does not even include the financial consequences of repair damage. With good security management, you limit the chance of this. How do you organize that?
The biggest data leaks often have the smallest causes. A sheet of passwords that have been left with the printer, a work laptop on which son or daughter at home installs illegal software to their heart’s content, or an old server that has never been replaced; it can make your business quite vulnerable to cybercrime. According to the news, it hits every week.
The municipality of Lochem had to deal with a Remote Desktop Protocol attack. It cost the municipality approximately €200.000 euro. This is an extremely high amount for a small municipality with hardly any budget. And recently De Volkskrant reported, for example, that the network of hundreds of companies appeared to be open for months, including that of Shell and KLM. Incidents were not (yet) reported, but of course, you want to prevent such a thing at all times.
High repair costs
You can say that in practice a data breach costs companies an average of 10 to 20% of the annual turnover, apart from the commercial and legal aftermath and any fines imposed by the Data Protection Authority (AP). So with a turnover of 1 million euros you will lose a hundred to two hundred thousand euros. This only concerns direct costs to repair things in the field of IT. Because these are often ad hoc emergency interventions, the total cost is usually even higher because you also have to make systems future-proof.
Reason enough to close everything off properly. You can already prevent a lot of suffering by having a good overview of the entire IT landscape and data flows, physically switching off what you do not use on servers and updating all systems in time. Especially the last one is important, because due to deferred updates, many systems no longer meet the most current safety protocols, with all its consequences that comes from it.
Security management software
Prescribed by, technical measures can already be tackled well by introducing sound security management throughout the organization, including a tool to completely control and monitor its output, as our GRCcontrol modules do.
It is important to act with the potential risk to your organization in mind, so that your interventions actually matter, and therefore not indiscriminately introduce a package of measures, rules or procedures because that is simply prescribed by, for example, the IT department.Request a demo
All-over the security policy
It’s just… that doesn’t mean you’re there yet. Because about 70% of all the information leaks are caused simply by carelessness of their own employees. That is why it is even more important to make the entire organization aware of the vulnerability of the organization. This is because the potentially serious consequences of an incident can affect everyone from management to the receptionist at the desk.
Within such a policy, you should be able to point each other out to sloppinesses and negligence, without such a report having any consequences for the reporter. For this, we have developed the GRCcontrol Lite app, which is a permanent part of the GRCcontrol software.
The app is very simple and is not intertwined with difficult legal terms; you can see or notice if something is wrong and you can report this centrally in your own wording, like that one sheet of sensitive information you have seen swinging in the meeting room.
The key is that such a report can be made anonymously so that it is not about pointing the finger at the possible culprit(s), but purely about identifying a problem so that measures can be taken quickly. This anonymity and invulnerability also encourage employees to report, so you can be there in time to minimize any damage.
It’s better to have too many notifications
Of course, not every carelessness needs to ring the alarm bells. It is in fact the task of the internal security expert to assess whether action should be taken and, if so, what that is. And with that, integral risk management immediately falls into place. As an organization, you prefer to receive too many reports that you have to filter than that you do not receive any reports at all and are suddenly confronted with untold amounts of damage.
If you arrange it in the way described above, you internally create much greater support for all data and GDPR security measures that you take, and everyone becomes aware that the weakest link really is the weakest link. In this way you all bear the responsibility and, moreover, you guarantee the ‘good house-keeping’ overall data entrusted to you with regard to stakeholders, certifiers and authorities.