For years, the top markets investing in data protection were healthcare, financial services and government. The reasons were clear:
- These companies and organizations collect, manage and exchange an endless amount of personal data – social security numbers, health records, bank accounts, etc. – and data protection is crucial to maintaining trust with clients, patients and the public.
- With so much personal data, these same companies and organizations are highly regulated, and data protection is required for regulatory compliance. See acronyms such as HIPAA and GLBA.
Some companies that support these industries have also implemented data protection, due to the recent expansion of regulatory requirements.
But without compliance concerns, other industries were not as aware of the risks to sensitive data and were not inclined to use data protection until breaches began saturating the news cycle. Even with a greater understanding of breaches and risks, companies in these other industries still haven’t flocked to data protection, and again the reasons are clear:
- Given the option to invest in tools or strategies that lead to growth or to invest in security solutions that don’t offer a clear ROI, companies (especially public ones) will lean toward the former option.
- They don’t believe that they have sensitive data worth stealing, or they don’t see themselves as a potential target.
If public companies thought they weren’t a target, yesterday proved otherwise.
A federal indictment was filed against a group that hacked into the computer networks of three newswire companies to steal confidential press releases. The group made stock trades ahead of public announcements and stole more than $30 million.
Newswire services are not the only vulnerability for public companies. Below is a list of exposures that public companies should be aware of and proactive in securing.
- Email: Financials sent to auditors, press release drafts exchanged between in-house teams and outside investor relations and public relations firms, dozens of materials sent to board members for review and approval. The amount of sensitive data exchanged in email is extensive. If you’re not encrypting email, it’s accessible to more people than your recipients, as Kevin Mitnick recently demonstrated in an email hack.
- Mobile Devices: Smartphones and tablets are easy connections to the office. Employees and consultants read investor relations materials, download customer lists and read “INTERNAL ONLY” documents. They do so from the train into work, in restaurants with their family and traveling on work trips or even vacations. Devices are so conveniently small that they’re easy to lose. If you aren’t protecting corporate data accessed on devices, they’re also easy targets for theft.
- File Sharing: We’ve all experienced it – a notification that our email attachment is too big to exchange through the mail server. You can’t trim off a sheet in the Excel doc or pieces of a critical presentation, so you store it in an online file share, send a link and move on to other business. Too bad your employees use a free and insecure file-sharing Web site that leaves corporate data at anyone’s disposal.
- Electronic Equipment: Encryption isn’t just a good solution for email; it’s helpful in protecting laptops and USB devices that are lost too, and desktops that are vulnerable to a break-in. We know what you’re thinking: That kind of thing doesn’t happen! Thieves aren’t breaking into the office at night when nobody’s at work. Wrong. Think social media, tailgating and social engineering. A criminal finds out through social media that an employee is on vacation, slips past the locked door by tagging along with another employee and sits at a computer while telling passers-by that a maintenance request was received to fix an issue while the employee was out.
- Paper Records: With the beauty of computers, who uses paper anymore? Ask that of anyone who has aggressively tapped on the error message that continues to pop up on the printer even though there is NO PAPER JAM. Paper still exists. Sensitive data still gets printed. Invest in shredding.
- Employees: The many good-hearted employees make mistakes sometimes. The few malicious ones tend to go unnoticed. Data loss prevention takes care of both.
If you work for a public company, reviewing these exposures is a good start to protecting your corporate data and your stock. If you work for a private company, don’t be fooled into thinking you don’t have anything worth stealing.
Have other exposures you’d like to add to our list? Feel free to submit ideas in our comments section.