The importance of protecting business critical company information (page 1 of 2)

By Martin Lynch

These examples of malicious software - or malware - are designed to steal valuable business data but, despite their high media profile, they are just one piece in the data security jigsaw facing businesses.

Throw in ignorant or disgruntled employees, inadequate security policies, outdated security software, corporate governance and the increased use of mobile devices and you have a recipe for corporate data meltdown.

Securing critical business data has never been easy and it's getting harder every year.

Cybercrime alone is costing companies tens of billions of dollars each year. Security firm McAfee will identify an estimated 1.5 million pieces of unique malware by the end of the year, more than in the last five years combined.

Infosecurity Europe has found that 90% of organisations expect security breaches to increase in 2009.

Last month, independent security body the Information Security Forum (ISF) released its list of the top 10 security threats facing companies in the next two years, with 'criminal attacks', taking the top spot. This is followed infrastructure weaknesses, tougher statutory requirements, mobile malware, Web 2.0 vulnerabilities and outsourcing services.

'Data is now the gold, silver and diamonds of the online world, and criminals see it as a low-risk way to steal money without going anywhere near the crime scene,' said ISF chief executive, Howard Schmidt.

So what can you do when some of the biggest threats to your data exist not just outside your business but within?

security policies

First and foremost is the need to create a security policy. This not only lays down the rules about data usage for all employees, it makes you look at your data to assess what is critical and what is not.

If you don't what's 'sensitive', any security solution you employ will ultimately fail. And, most importantly, security is a business problem, not an IT problem. A security policy must be initiated by the company's board of directors and then fed down through the company.

Data security is no longer seen as an 'expensive luxury' nor an 'afterthought' in many modern companies. However, those that treat it as such end up paying a high price.

Security breaches are costly in more ways than one. Apart from damaging a company's image, especially if customer data is stolen, PriceWaterHouseCoopers (PWC) said last year that the average cost of a single malware incident rose 25%, ranging from $16,500 for SMEs to $3.3m for larger corporations.

Late last year, hackers breached the data systems of Heartland Payment Systems in the US, which processes 100 million card transaction a month from Visa and MasterCard. It has cost the firm $32m so far in fines and repayments to its customers.

Thankfully, companies are getting the security message. PWC found that 99% of businesses back up corporate data and critical systems, 98% use anti-spyware software and 97% use firewalls and email filters. Even with the global economic downturn, security is one of the very few IT sectors where spending is not being slashed.

Within the Middle East, the level of IT security used by a company - and the seriousness with which it is taken - tends to depend on the size of the business and its location.

Larger organisations have more levels of security and stronger policies because of the regulations with which they must comply (See: Network security: Multiple layers of protection).