“People still think physical and information security are different – they’re not. They’re the exact same thing,” – Joshua Marpet, Physical and Logical Security Consultant
Whether you’re a small business, a big business or a start-up, today’s economy has caused everyone to look more closely at the bottom line. And when budgets are crunched, security, whether physical or information, often looks like an easy place to cut corners.
Unfortunately, cutting corners on security can carry big risks, including lawsuits, regulatory penalties and loss of reputation.
“The idea is basically you have a three-legged stool when you’re looking at information security, and the three-legged stool falls when one of those legs breaks – and that is personnel security, which ClearanceJobs focuses on with cleared people, physical security, and computer security – all of those have to work together in some sort of blend to mitigate risks,” said Gal Shpantzer, an information security and risk management consultant who spoke before an audience at a recent panel on Physical & Information Security for Start-Ups, hosted by ClearanceJobs.com.
If your company does staffing, or you happen to be in human resources, you may be tempted to think information security doesn’t apply to you. Experts are quick to point out that any company working with any kind of data has legal and regulatory obligations to protect what it collects. That includes personnel data or information you may keep on employees.
Understanding the type of data you have is the first step, said Shpantzer. Next comes identifying who has access to what, and establishing the proper controls around the information you possess.
“Whether you have 3,000 desktops or 30 desktops, understand what those desktops are accessing, what’s being stored on them; is there a particular piece of intellectual property, source code, enabling information if you’re in pharmaceutical development – whatever that may be,” said Shpantzer.
Employee information, proprietary information and intellectual property should not be handled the same way as the rest of the data your company accumulates. An information security program needs a classification hierarchy, with a clear line between what you host publicly online and what you consider the company’s crown jewels, so that the controls applied to each tier match its sensitivity.
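The three steps described above (know what data you hold, know who can reach it, apply controls by tier) can be started with a simple discovery sweep. The following is an added example and not code from the article or its panelists: it walks a directory, flags files holding SSN- or payment-card-shaped values or marked intellectual property, assigns them to a hypothetical two-tier scheme (“crown_jewels” versus “general”), and reports whether each crown-jewel file is world-readable. The tier names, the IP markers, the regular expressions and the sample files are all assumptions chosen for illustration.

```python
"""Data discovery and classification sweep (added example, not the article's).

Walks a directory tree, finds regulated personal data (SSNs, Luhn-valid
card numbers) and marked intellectual property, classifies each file into
an assumed two-tier hierarchy, and reports files whose POSIX mode lets any
local user read them.  Sample files are constructed below for the demo.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed detection rules for the illustration.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IP_MARKERS = ("CONFIDENTIAL", "PROPRIETARY", "TRADE SECRET")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs shaped like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count SSNs, Luhn-valid card numbers and IP markers in text."""
    cards = [m.group(0) for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"\D", "", c))]
    return {
        "ssn": len(SSN_RE.findall(text)),
        "card": len(cards),
        "ip_marker": sum(text.count(m) for m in IP_MARKERS),
    }


def classify(findings: dict) -> str:
    """Assumed hierarchy: any regulated data or IP puts a file in the top tier."""
    return "crown_jewels" if any(findings.values()) else "general"


def scan_tree(root: Path) -> list:
    """Return one report entry per file under root, sorted by path."""
    report = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        findings = find_sensitive(path.read_text(errors="replace"))
        tier = classify(findings)
        world_readable = bool(path.stat().st_mode & stat.S_IROTH)
        report.append({
            "path": path.relative_to(root).as_posix(),
            "tier": tier,
            "findings": findings,
            "world_readable": world_readable,
            # A crown-jewel file readable by every local account is a control gap.
            "exposed": tier == "crown_jewels" and world_readable,
        })
    return report


def build_sample_tree() -> Path:
    """Create a constructed sample tree in a temp directory (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="datasweep_"))
    samples = {
        "hr/employees.csv": ("name,ssn,ext\nJane Doe,123-45-6789,5501\n"
                             "John Roe,987-65-4321,5502\n", 0o644),
        # One Luhn-valid test number and one decoy that fails the checksum.
        "finance/cards.txt": ("4111 1111 1111 1111\n1234 5678 9012 3456\n", 0o600),
        "eng/design.md": ("# Widget v2 design\nPROPRIETARY - internal use only\n", 0o640),
        "www/index.html": ("<html><body>Welcome to our site</body></html>\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for entry in scan_tree(build_sample_tree()):
        flag = "EXPOSED" if entry["exposed"] else "ok"
        print(f"{entry['path']:22} {entry['tier']:13} {entry['findings']} {flag}")
```

In the constructed sample, `hr/employees.csv` is reported as exposed (crown jewels, mode 0644) while `finance/cards.txt` is not (mode 0600), which is the kind of access-versus-sensitivity mismatch the panel describes; a real sweep would extend the rules to the data types your business actually holds and feed the results into the control decisions, not stop at the report.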
When it comes to the financial implications of an information security breach, the crown jewels illustration is pretty close to reality. Under the Fair Credit Reporting Act, companies are charged $1,000 per incident, said Deborah Salons, an attorney and Certified Information Privacy Professional, who also spoke on ClearanceJobs’ information security panel. Lose a list with 2,000 names and you are looking at company-crippling fines, with each record lost adding to the cost. That is before the private lawsuits from individuals, criminal penalties and the PR nightmare, added Salons.
For U.S.-based cleared companies the legal issues become even more complex when it comes to cloud storage. Few companies stop to consider where information is actually being stored when they migrate to the cloud; your company’s data could be sitting overseas without your knowing it. “You can delegate, but you can’t abdicate responsibility,” said Tom Stamulis, Regional Director, East and Central U.S., Terremark (A Verizon Company). “If there’s a breach, it will be your name, because it’s your breach.”
Feeling overwhelmed? The good news is that the government offers more information security resources than ever before. The Federal Communications Commission offers the Cyber Planner 2.0, which Salons cited as an excellent resource: it walks you step by step through creating a cybersecurity plan and produces a polished, actionable document to aid start-ups and small businesses.
The Federal Trade Commission also offers a number of resources including a guide on Protecting Personal Information.
Keeping user and employee data secure is important, and it’s one place where no business should cut corners. Fortunately, it doesn’t require huge costs, simply due diligence and time.
Lindy Kyzer is the editor of ClearanceJobs.com. She loves cybersecurity, social media, and the U.S. military. Have a conference, tip, or story idea to share? Email firstname.lastname@example.org.