The Wall Street Journal reports that 61 percent of surveyed IT professionals say that their organization has increased its data security budget since the high-profile data breach at Target in late 2013. That's great news, right?
Certainly, this means there could be more money for IT upgrades and your business will hopefully see a bigger slice of the pie. But there are some reasons to be concerned about the way businesses are spending this money.
Remember that as an IT consultant, your job is to make sure that your clients spend their dollars in the most effective way to shore up their security. If their security upgrades fail to stop a cyber attack, a client could file a lawsuit against you, saying that you didn't advise them properly on their data security.
Because augmented IT budgets could increase your cyber liabilities, let's take a look at how businesses are spending their IT dollars and what pitfalls you'll need to avoid.
Mistakes Your Clients Make When Allocating IT Budgets
Despite the fact that organizations are pumping money into cyber security, not enough resources are being put into data management. And, honestly, many non-tech people probably don't even know what data management is.
Data management strategies argue that the best way to protect sensitive data is to…
- Minimize the amount of private data you have.
- Delete old, unnecessary data.
- Limit access to data and prevent "access creep."
- Encrypt private data.
That sounds simple enough, but implementing data management across an entire organization gets complicated – especially when businesses are looking to keep troves of customer data to use for big data analytics.
So instead of data management, what does a business do? When the typical business plans to increase its data security, it will want to put more resources into "blocking" malware with an antivirus program, firewalls, and other defense software. However, as we reported in "Survey: Most Companies Still Counting Too Much on Antivirus Software," IT professionals argue that these strategies aren't really effective. In fact, Target had one of the most sophisticated anti-malware programs on the market, and it still flubbed its security.
A data security policy will have to include data management strategies that limit your client's cyber liability by…
- Reducing the amount of sensitive data they have.
- Storing data more securely.
- Minimizing access to it.
The Takeaway: Bigger Security Budgets Are Good, but Use Them Wisely
Imagine this scenario: your client increases their security budget by 25 percent. Six months later, their company is hit with a data breach that exposes their customers' payment information.
While the client invested in anti-malware programs, the cyber criminals were able to break into the company using a run-of-the-mill email phishing attack that stole login credentials from employees. The client is furious and doesn't understand how they were hacked after they poured more resources into data security. Why didn't their anti-malware program prevent the attack?
This scenario shows two dangers:
- Clients overestimate the strength of their anti-malware programs (and often don't understand that there are more threats than just malware).
- After spending more money on security, clients will have higher expectations.
While it's great that clients are spending more on data security, it only means that they're more likely to file a lawsuit against their IT contractor if anything goes wrong. If your clients are looking to increase their data security budgets in 2015, instruct them to invest wisely and ensure your business is protected from the cost of a data breach lawsuit.
To learn more about covering your business's cyber liabilities, read about Professional Liability Insurance for IT consultants.