Information Security Shortfalls

By Henry Bagdasarian

Every company concerned with protecting its information must also be concerned with information security shortfalls. Some companies possess critical information which, if compromised, can lead to serious consequences including trade disadvantage, a tarnished image, lost customer loyalty, increased fraud costs, lawsuits, and violations of regulatory requirements. Many times, companies have good intentions but fail to properly plan or execute their information protection plan because of concerns about initial costs, the effort required, and a lack of resources.

Information security shortfalls can be attributed to a lack of information security risk awareness on the part of company management at the highest levels of the corporate ladder, and to their short-term concern for the business bottom line. Some companies do not take information protection seriously because of their short-sighted view of the immediate costs associated with protecting confidential information, and when they do show some concern for information security risks, that concern is often tied to mandatory compliance with state and federal security requirements or to the response to a data breach incident. As such, management efforts are limited to the bare minimum needed to comply with laws and maintain a responsible corporate image at the lowest possible cost, and have less to do with concern for protecting customer information.

Most of the time, information protection laws are introduced and forced upon businesses because companies fail to properly and collectively address the information protection risks to society and its members. But why do companies need government intervention to do the right thing? Isn't proper protection of customer information a good business decision with long-term benefits such as higher revenues from customer loyalty and retention? Then why give the government an opportunity to introduce overlapping and incomplete laws which will cost money to comply with anyway? Why can't industries proactively act in the best interest of everyone to address a business risk which is growing every day? Identity theft and fraud are, after all, growing business risks which should be properly addressed and which might require actions beyond the regulatory requirements, such as educating customers. Corporate information security shortfalls may be ignored by the government for as long as these shortfalls do not affect people or other businesses. Once this line is crossed, governments and lawyers will react to protect consumers and affected parties. When companies only consider the immediate impact of information protection, they fail to properly address the long-term information protection risks, including lost revenues, lawsuits, government scrutiny, impact to their industry, and the reactive costs of identity theft and fraud cases.

The information security shortfalls are many; however, companies which either fail to identify as many of their shortfalls as possible or ignore their known information security weaknesses are more exposed to the consequences of unprotected information.

Below is a list of information protection shortfalls:

• Low-visibility information protection function – sometimes an information protection group or leadership role is created but is not empowered with an adequate reporting level,

• Inadequate budgets for automated tools, expertise, and staffing resources,

• Unqualified management and staff,

• Lack of documented and communicated policies & procedures,

• Improperly designed & configured internal controls,

• Inconsistent monitoring of external incidents and compliance with internal policies or regulatory requirements,

• Inadequate risk assessment & gap analysis,

• Unidentified or incomplete identity protection scope,

• Decentralized & unaligned information protection function,

• Lack of internal support for information protection,

• Insufficient awareness of the risks and solutions,

• Unmanaged and blind transfer of controls to third parties,

• Exclusion of information security management from key corporate decisions and business changes such as outsourcing, process reengineering, acquisitions, and mergers,

• Inappropriate access to confidential information and related systems,

• Excessive collection or duplication, and inappropriate retention or destruction of personal data,

• Data security breach mismanagement, and

• Focusing only on information systems when dealing with information protection.