Understanding the financial risks of cybersecurity complacency

Apr 03, 2024 Blog Article

Insufficient data sanitization leaves organizations vulnerable to identity theft and cyberattacks. This issue demands immediate action to strengthen data management and comply with regulations.

Fredrik Forslund

As Vice President and General Manager of International Sales, Fredrik brings over 20 years of experience in IT security. This includes most recently leading Blancco's data center and cloud erasure initiatives and, before that, founding SafeIT, a security software company focusing on encryption and selective data erasure. With a keen eye for streamlining corporate IT security efficiencies and maintaining compliance with data privacy legislation, he is regarded as a thought leader among customers and partners.

The risks of cybersecurity complacency and best practices

A lack of proper data sanitization, and of appropriate methods to manage the entire information lifecycle, means organizations are handing bad actors the opportunity to manufacture identities. The practice of storing as much data as possible is creating an Everest-sized attack surface, riddled with vulnerabilities and entry points for bad actors.

In January 2024, IT Governance reported 4,645 publicly disclosed security incidents, accounting for a total of 29.5 billion breached records. In the first month of 2024 alone, the number of records breached exceeded the total for the whole of 2023 by a staggering 259%.

While falling foul of a data breach can have long-term consequences for trust in an organization’s security posture and its ability to appropriately safeguard information, the financial implications are just as eye-watering.

Businesses have been forced to pay out millions as a result of being penalized by regulators for failing to comply with data privacy regulations. In 2023, the Irish Data Protection Committee (DPC) imposed a historic fine of $1.2 billion against the U.S. tech company Meta for failure to comply with the European Union’s General Data Protection Regulation (GDPR).

Add the cost of investigating and addressing the breach, as well as paying out after ransomware attacks, and breaches are clearly detrimental to a business’s bottom line.

A situation out of hand

The current state of play paints an ugly picture of existing data management practices. A Deloitte poll released in 2023 revealed that nearly half (48.8%) of C-suite and other executives expected the number and size of cyber events targeting their organizations’ accounting and financial data to increase.

That’s not to say businesses are resting on their laurels. In fact, security is a priority for almost all organizations.

Gartner forecasts spending on information security and risk management products to increase by 14.3% in 2024 to reach more than $215 billion. But properly protecting an organization’s perimeter is not as simple as buying a new tool or putting a lock on sensitive information.

Security is not, and never will be, a one-and-done effort. Moving to the cloud and the evolution of technology mean organizations are now collecting and storing too much data.

A breach isn’t the only concern

A breach isn’t always the root cause of the regulatory violations that incur hefty fines.

A Danish bank was fined $1.47 million (€1.35 million) for failing to comply with the European Union’s GDPR “right to erasure” guidelines. GDPR requires that personal data be erased by service providers when services end or legal agreements expire. Yet key findings by the Danish Supervisory Authority showed that the bank “has not been able to document whether rules have been laid down for deletion and storage of personal data, or whether manual deletion of personal data has been carried out.”

While there was no breach, the bank held onto customer data longer than regulations allowed. The bank faced a challenge that many organizations encounter: a distributed network of technology systems that made it difficult to build the right functionality. The organization found itself incapable of keeping up with data destruction demands across its more than 400 individual banks.

To avoid these costs and minimize security risks, businesses need to think about the entire lifecycle of their data and IT equipment. This means developing a plan for how data will be collected, stored, processed, and disposed of, and ensuring that all equipment is properly managed throughout its lifecycle.

Fundamentally, the approach must change. Proactive management of data across the information lifecycle is critical.

Why organizations store data

Companies hold on to sensitive data for too long for many reasons—despite the well-documented consequences.

For example, they may want to keep data for future use, even if they remain unsure what that use is.

Some firms also lack the policies for employees to know that some data must be destroyed.

And others simply believe that data will remain secure.

The high cost of cluttered data

Holding on to data and devices this way is costly for organizations, both from a financial and an environmental perspective.

A Blancco research report found that two in five enterprise IT decision-makers admitted to wasting upwards of $100,000 per year storing useless IT hardware that contains sensitive information rather than sanitizing the data and the device. There’s also the cost of storing unnecessary data in the cloud or on-prem. And that has a negative impact on the environment, with finite energy resources used to power the servers that the data sits on, contributing to CO2 emissions.

Instead of taking these risks, organizations need a proactive, verifiable, and certified process to permanently destroy unnecessary data.

Doing so can ensure this data is rendered inaccessible, reducing risk, maintaining customer trust, avoiding potential fines, and limiting breach exposure. Such data erasure also ensures that an organization complies with all national, regional, and market-specific regulations.

Moving towards best practices

Some steps businesses can take to improve their data management practices include:

By taking a proactive approach to data management and end-of-life IT equipment, businesses can reduce their financial costs and minimize security risks.

It’s critical to foster an improved culture of cyber hygiene, and one that is sustainable and compliant. Constantly assessing the value of data from its creation through to its retirement is essential because it allows organizations to maintain control over their data and ensure that it is being used effectively, efficiently, and in compliance with legal and regulatory requirements.

It’s vital that any organization that creates and stores data has a plan to safely dispose of it within a predefined, carefully crafted company retention policy covering all stages of the lifecycle.

The retention periods established through data classification also help to determine the suitable disposal dates. This can help organizations gain insights that would otherwise be difficult to obtain, leading to better decision-making and, ultimately, better business outcomes.
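As an added example (not code from the article or from Blancco), the disposal-date logic described above in Python: a retention period per data classification, a check for records held past their disposal date with no documented erasure (the situation the Danish bank was fined for), and a minimal erasure-log entry. The classifications, retention periods and sample records are constructed for the example, not taken from any regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention period per data classification: days a record may be kept after its
# trigger date (service end or agreement expiry). Values are assumed for the
# example, not taken from the article or from any regulation.
RETENTION_DAYS = {
    "customer_pii": 0,        # erase as soon as the service ends
    "transaction": 5 * 365,   # e.g. a statutory bookkeeping period
    "marketing_consent": 0,
}

@dataclass
class Record:
    record_id: str
    classification: str
    trigger_date: date                # service ended / agreement expired
    erased_on: Optional[date] = None  # documented erasure date, if any

def disposal_date(rec: Record) -> date:
    """Disposal date derived from the record's classification."""
    if rec.classification not in RETENTION_DAYS:
        raise ValueError(f"unclassified data cannot be scheduled: {rec.record_id}")
    return rec.trigger_date + timedelta(days=RETENTION_DAYS[rec.classification])

def overdue(records, today: date) -> list:
    """Records past their disposal date with no documented erasure."""
    return [r for r in records if r.erased_on is None and disposal_date(r) < today]

def erasure_log_entry(rec: Record, erased_on: date, method: str) -> dict:
    """Minimal auditable entry: the documentation a supervisory authority asks for."""
    due = disposal_date(rec)
    return {"record_id": rec.record_id, "classification": rec.classification,
            "due": due.isoformat(), "erased_on": erased_on.isoformat(),
            "method": method, "on_time": erased_on <= due}

# Constructed sample inventory and a fixed "today" for the run
SAMPLE = [
    Record("cust-001", "customer_pii", date(2023, 1, 15)),
    Record("txn-001", "transaction", date(2019, 3, 1)),
    Record("txn-002", "transaction", date(2023, 6, 1)),
    Record("cons-001", "marketing_consent", date(2023, 12, 1), erased_on=date(2023, 12, 2)),
]
AS_OF = date(2024, 4, 3)

if __name__ == "__main__":
    for r in overdue(SAMPLE, AS_OF):
        print(r.record_id, "overdue since", disposal_date(r))
```

Run against the sample inventory, the check flags the two records with no erasure on file; an unclassified record raises rather than being silently kept.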

And, while it is best practice to follow standards and comply with data protection regulations, a standard is only a collection of guidelines laid down by a governing body; following it does not by itself ensure regulatory compliance.

This is even more important when working across borders, as different countries adhere to different privacy regulations. Businesses will face severe repercussions without the proper data management practices in place across the information lifecycle.

This article was originally published at Techradar.com on June 28, 2023. It has been updated to reflect changing data since publication.
