Infosecurity issues a statement guaranteed to shock many business owners: data breaches are inevitable. With breaches bound to happen, data security experts are beginning to offer a new take on IT risk management, focusing more on limiting the damage caused by a data breach than on preventing the breach in the first place.
Why this shift in IT risk management? Two reasons:
- IT solutions have changed in a way that exposes more data. With more and more data out there, there's simply more information for cyber criminals to steal. Furthermore, this data is often stored in the cloud. Add it all up and data breaches are becoming bigger and more common. In the first quarter of 2014, over 1 million breaches occurred. An average of 2 million records were compromised in each breach. That's not a data breach – it's a data hemorrhage.
- Old security doesn't work, but new security is an improvement. It's simply not enough to rely on passwords and logins to secure client data. Fortunately, newer security methods, such as encryption and two-factor authentication, have become easier to incorporate.
Of course, IT professionals still need to implement security measures that will prevent data breaches, but more can be done to store and secure data in a way that minimizes the effects of a data breach.
How Your Clients Can Manage Their Data Breach and Identity Theft Risks
Think about a small corner deli. How does the deli secure the money it makes each day? When the deli closes, the owner takes money out of the cash register and stores it in a safe or deposits it in a bank. Very little cash is kept on hand. If a criminal breaks into the deli, they'll be able to take off with as many Twinkies and Gatorades as they can carry, but they won't have access to the business's cash.
IT security can work in a similar fashion. Small businesses need to encrypt their sensitive data and store their encryption keys in a separate location (i.e., another network location). If a cyber criminal breaks into your client's network, they might be able to steal the encrypted data, but without the keys, the data is useless.
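The key-separation idea above, as an added example that is not part of the original article: records are sealed with AES-GCM and only the sealed blob is written to the data store, so a copy of the store without the key cannot be opened. The function names and the sample record are constructed for illustration, and the key is assumed to come from a separate location such as another host or a key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n bytes from the OS CSPRNG, used for keys and nonces.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue with a weak key or nonce
	}
	return b
}

// NewAEAD builds AES-GCM (AES-256 for a 32-byte key). Assumption: the key is
// read from a separate location (another host or key service), not the data store.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext, the only form written to the data store.
func Seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open decrypts a stored blob; it fails on a wrong key or a modified blob.
func Open(g cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func main() {
	app, _ := NewAEAD(random(32)) // errors ignored: a 32-byte key is always valid
	blob := Seal(app, []byte("constructed customer record"))
	thief, _ := NewAEAD(random(32)) // intruder copied the blob but not the key
	_, err := Open(thief, blob)
	fmt.Println("stolen copy unreadable:", err != nil)
}
```

The protection holds only while the key stays out of the compromised location; a key file sitting beside the encrypted data gives it up along with the data.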
Similarly, you can encourage clients to use two-factor authentication for any cloud services, bank accounts, and other accounts that have sensitive information. If the client's login credentials are compromised, hackers still won't be able to gain access.
Just as brick-and-mortar businesses have an additional level of security for when thieves break into their building, IT consultants should assume that cyber criminals can gain access to their clients’ networks.
IT Risk Management: Protect Your Business from Lawsuits
Despite the availability of these security features, only 1 percent of data breaches are "secure breaches," where criminals get access to data but are unable to use it.
One of the difficulties of IT security is that you rely on clients to implement it. You can set up secure solutions, but if your clients stop encrypting their data or use shadow IT to work around your security, a data breach can easily happen.
Because of this, you need to make sure clients understand how important it is that they implement your data security procedures (see "Your Most Powerful Anti-Breach Tool (Spoiler: It's Client Education)" for more). But it also means that you need to take extra steps to protect your business.
Just as you can't rely on one layer of security to handle a data breach, you can't rely on only one layer of IT risk management. Lawsuits can happen to the best IT consultants. You can't assume that you're immune to data breaches and client lawsuits.
That's why you need to invest in Errors and Omissions Insurance, which covers IT businesses for the cost of client lawsuits over data breaches, software errors, and other professional liabilities. See these sample insurance quotes to learn more about the cost of IT insurance.