Many companies unnecessarily expose themselves to huge risks through security negligence. While companies in some industries continue to collect millions of consumer personal records as part of their business operations, they sometimes collect more information than they could possibly need and fail to properly address information security risks as part of their overall business risk management efforts.
News of security breaches, stolen credit cards, lost consumer personal information, and busted identity theft rings continues to flood the news media, and I continue to be puzzled by the lack of interest in reported security incidents, from which companies could learn how to avoid similar incidents in their own organizations. Businesses can clearly observe from reported news what caused a security incident and review their own security controls in those areas. They can also observe what happens to companies with a "this only happens to others" attitude, which leads to security negligence that ripples out to touch other companies. Reported security incidents lead to embarrassment, huge fines, and the task of spending millions to improve security controls and repair the corporate image.
A company that has not yet faced a serious security breach should consider itself very lucky. But when companies witness what happens to businesses that neglected security and are scrutinized for their inaction and mismanagement of consumer information and credit cards, why don't they learn from those mistakes and try to prevent such incidents from happening to them? Are corporate executives not responsible for protecting shareholder value? Information security breaches can ruin a company's reputation, cost millions to resolve, have a huge impact on business revenues, and lead to lower stock prices. All of these risks can be avoided if management recognizes the information security risks to the enterprise and takes proactive measures to improve its security controls. Although proactive measures taken before an incident also place a financial burden on the company, these costs are much lower than the costs incurred after an incident.
Not only will the preventive security costs that should have been incurred before the incident, to implement security controls, still be incurred after the incident to close the gaps; additional costs for legal work, public relations and consumer notification will also add up after an incident.
Information security negligence, in terms of both oversight and budgets, is a common occurrence, although the trend is somewhat improving due to regulations and consumer demand. Managing information security risks is no different from managing any other business risk. Again, it is very easy to see the business consequences of security negligence by reading the daily news. We are now accustomed to reading about some type of security incident at a major company or government agency on almost a daily basis; the question is who is next. Business executives can no longer point the finger at an unsupported and incapacitated information security officer when a security incident occurs. Both regulations and consumers now demand that executives protect the personal information of the clients that they collected for business purposes, and that is exactly why information security risks are business risks and must be treated as such. Information security has always been tasked with protecting business trade information, and business information now includes consumer information, which must also be protected.