How secure is your company’s sensitive data? You should ask every customer and prospect this question. It’s likely that they can rattle off several measures their organization takes to protect private information, and yet large data breaches seem to be the norm. In a 2017 study of 419 companies in 11 countries, the Ponemon Institute indicated that all of the organizations had experienced at least one breach. Further, they rated the average probability of another breach within the next 24 months to be almost 28 percent — a number that keeps creeping up.1 Clearly, we’re missing something.
Seventy-eight percent of businesses globally planned to increase spending on IT security this year,2 but what if they don’t put the money into the right measures and systems? Your customers may be overlooking three loopholes in their data security measures. Encryption, authentication and context-sensitive access — all enabled by digitization of records — are easy initiatives to implement and can have a positive impact on your customers’ ability to secure sensitive information. Your ability to tell today’s security story well can make the difference in sales and customer service, leading to better close rates and higher customer satisfaction.
Encryption always matters
Encryption technologies have been around for decades, but many companies still don’t understand how and when to apply encryption to best protect sensitive information, and it’s costing them $16 in additional expense per breached record.1 So where is the encryption loophole? Most data is protected during transmission…which is important, but it is not enough.
Data also needs to be secured when it is simply being stored, and it’s tough to protect paper records. In fact, BakerHostetler encourages us to “beware of paper records.” According to their report, 13 percent of incidents involved information contained in paper records, so they remind companies not to forget about paper when addressing information governance and security.3
Digitizing records and uploading them to an enterprise content management (ECM) system helps companies better protect information. The loophole can be closed with encryption at rest, which protects information stored in databases with technologies such as AES 256-bit encryption. Interestingly, though ranked among the most effective strategies to mitigate data threats, 451 Research says that securing data at rest ranks at the bottom for planned spending in 2018, what they call a “stunning disconnect.” Analyst Garrett Bekker continues, “Clearly, more work needs to be done to better align perceptions of effectiveness with the resources committed to support our goals.”3 It’s worth a review of your customers’ systems and policies to ensure all data is fully encrypted both during transmission and while it sits at rest in company systems.
Bonus tip: Don’t forget that encryption is also a helpful tool for compliance initiatives (such as GDPR), and it can help organizations manage multi-cloud deployments.
Lazy password policies increase risk
Did you know that “123456” is still the world’s most commonly used password?4 Though we know we can do better, users continue to show disregard for strong password practices, making it the second area to invite your customers to review in their corporate data security strategy. Explain that they can no longer let users get away with lackadaisical password practices. Strong passwords should be required — and enforced — via ECM system settings that do not allow simple passwords to be created. Absolutely no shared or “team” passwords should be used to access company systems. Why? The Ponemon Institute explains that human error accounts for 28 percent of data breaches, so anything we can do with policies to protect people from their own security foibles will improve overall system security.1
In their 2018 report, PwC ranks privacy training and awareness as the highest privacy priority for businesses in the next 12 months, followed by stronger privacy policies and procedures.4 As a reseller or dealer, you can help by offering security-specific training to new customers so they implement and enforce strong policies as soon as they begin digitizing records.
Content-specific access limits records exposure
The third area of data security to review is a big problem that simply keeps getting bigger. IDC now forecasts that by 2025, the global datasphere will exceed 163 zettabytes (a trillion gigabytes), roughly 10 times the size it was in 2016.5 And we will continue to fall further behind in our ability to sort what is important, to secure everything that is sensitive, and to locate key data in our moment of need.
Big data offers another layer of data protection concern as the amount of data grows rapidly and the proliferation of cloud-based services puts data “anywhere and everywhere,” according to 451 Research. Analyst Garrett Bekker further explained, “The top choices to secure big data were stronger authentication and access controls, monitoring and encryption.”
One type of access control you should encourage users to implement is content-specific access protections. For example, do not set up user passwords that give individuals the ability to see information unrelated to their job function. Encourage your customers to enhance systems with the ability to lock down access to only those documents, projects, accounts or reports that are relevant to each employee’s day-to-day work tasks. Though more time-consuming to create, these policies can dramatically reduce the number of records compromised by a user-account-related breach.
Building a security strategy: five levels to consider
While you’re assessing which of these three loopholes your customers may need to close, I recommend you encourage them to review their entire corporate IT security strategy. The number of U.S. companies affected by data breaches went from just 24 percent in 2016 to more than 46 percent in 2017.2 As a VAR, you offer systems and services that can help. At a minimum, encourage your customers to consider their exposure in the following five key security areas:
• Encrypted transmissions between systems.
• Encrypted email and other communications services, particularly for attached documents.
• Firewalls and IP address limiting.
• Session source persistence.
• Function-level identity verification.
• Automatic session timeout.
• Encryption at rest.
• Strong passwords and user authentication.
• Entity, group, user, project, document, function and field-level security.
• Content-specific controls that can lock down access or visibility of sensitive data based on user, account, group, document and even certain content contained within a document via redaction.
• Audit trails that track all user activity.
• Armored servers that function on an isolated network.
• Controlled building/location access.
• System monitoring, both electronic and “eyes on.”
• Redundant power supply and connectivity.
At an average cost of $3.62 million,1 most companies would prefer to avoid data breaches, and you can help. Imaging and ECM technologies offer powerful abilities to close three security loopholes that may currently remain unaddressed by your customers. Learn to point them toward enhanced encryption, powerful passwords, and context-sensitive access capabilities to further armor their organization against data threats.
1 Ponemon Institute. (June 2017). 2017 Cost of Data Breach Study. Traverse City, MI: Ponemon Institute.
2 Bekker, Garrett. (2018). 2018 Thales Data Threat Report. New York, NY: 451 Research.
3 BakerHostetler. (2016). Is Your Organization Compromise Ready? Atlanta, GA: BakerHostetler.
4 PwC. (2017). Moving forward with cybersecurity and privacy. New York, NY: PwC.
5 Reinsel, D, John Gantz, and John Rydning. (2017, April). Data Age 2025: The Evolution of Data to Life-Critical. Framingham, MA: IDC.