With so many controls to detect and block threats, there is a risk of organizations developing a false sense of security in the face of an increasingly hostile threat environment. In some cases, businesses may have all of the right security technology deployed, but there may be big gaps in policy and basic data-handling practices that can expose their most critical and sensitive assets to serious risk.
This caution extends even to organizations in heavily regulated industries. TD Bank is a case in point. The Toronto-based bank is in the process of notifying 260,000 U.S. account holders that their personal information may have been compromised when some of the financial institution's backup tapes went missing in transit this past March.
I have no inside information on TD Bank's policies, protections, or general security practices. I would guess that, like other institutions that suffered similar data losses, TD Bank had a myriad of security technologies in place to protect online and other sensitive data. Yet either the bank itself or a third-party provider of long-term data storage had overlooked the basics of physical security: ensuring that data was properly managed while in transport to an off-site location for long-term storage.
Though the bank says there is no evidence that any of the account holders' personally identifiable information (PII) contained on those tapes has been misused yet, account holders are left to wonder about future theft and fraud. And though the exact ramifications for TD Bank are uncertain, at the very least the bank suffers a very high-profile embarrassment.
Unfortunately, there are too many similar stories to call the TD Bank tape loss an isolated incident in banking or any other industry. At the heart of the problem is an all too casual reliance on security technology to safeguard all data with too little attention paid to the fundamental safe practices that need to be in place to protect critical information.
This lack of thorough data-protection practices and contingency planning is likely an even bigger issue in smaller, resource-constrained organizations, where regulatory compliance may be less of an urgent concern. In a recent survey of small and midsize businesses by the National Cyber Security Alliance, 59 percent admitted they have no consistent plan for addressing data losses and communicating information about such a breach.
In the context of an increasingly virulent threat environment, this disregard for the basics of data security is proof that too many organizations still don't understand the very real costs of data loss. While research organizations have tried to quantify the cost of breached records, there are intangible losses associated with reputation, customer attrition, and other factors that can be almost impossible to measure.
What is clear is that organizations need to be prepared, whatever their size or business, with both the right technology and the appropriate policies and data-handling practices. Simply put, organizations that let their guard down risk losing more than just the cost of the lost records, virus clean-up, or credit monitoring for the affected customers.
Amy DeCarlo is principal analyst for security and data center services at Current Analysis.