In today's high-tech world, data is the lifeblood of any modern business. Keeping this valuable asset secure remains a constant concern, with professional criminals and malicious insiders posing an enormous threat to its safety and integrity.
The ramifications of losing that data have moved from the simply embarrassing to the truly damaging - and yet the scale of the dangers of data loss still appears to be lost on many, as Malcolm Marshall - Information Security Partner in KPMG's Risk and Compliance group - explains.
It's easy to underestimate just how damaging a data loss incident can be to a company.
It's often perceived within the ranks as nothing more than an embarrassing instance of absent-mindedness or recklessness. The individual responsible may be the subject of some jokes or light-hearted banter but, ultimately, life goes on as normal with little or no harm done.
In reality, often nothing could be further from the truth. The consumerisation of criminality means that this is no laughing matter. The significant tangible losses now stemming from data loss incidents point to the increasingly unavoidable conclusion that - sooner rather than later - an organisation (at this stage, most likely a small or medium-sized one) will be put out of business by such an incident.
If that comes as something of a surprise or sounds like doom-mongering, then it's likely to be because the generally held view of this topic is coloured by what appears to be some quite skewed reporting in the media; reporting which makes data loss look embarrassing - but not dangerous.
The politician leaving his papers on the train, the senior executive leaving a memory stick in a taxi, the disc of confidential data left in a coffee shop; each one a good story, an excuse to poke fun and to express some moral outrage at such carelessness. However, hardly any of those instances actually lead to data being compromised - or falling into criminal hands. The damage is measured in minor, temporary reputational terms - but rarely anything more.
In this regard, the media is looking in the wrong place. Data loss incidents with real and serious financial implications are taking place all around the world as a dangerous blend of criminals and insiders make use of ill-gotten data for every penny or cent that it's worth.
At the heart of this lies the World Wide Web. If you know the right places to look, you can quickly find 'shopping lists' of confidential data of all types being offered or requested. This is crime at its consumerised best - or worst - with top dollar paid for the most profitable data sources.
Little wonder then that arguably the most dangerous threat to data security is the 'malicious insider'; the employee with the opportunity and know-how to weaken internal controls, smuggling out data for sale on the black market. Sadly, instances of malicious insider activity are on the increase as the economic pressures we all face convince more and more people to abuse and cash in on the privileged data access which they enjoy.
Faced with a problem like this, the obvious response is that companies simply need to ramp up their defences, revisit checks and controls, vet employees and engender a whistle-blowing culture. However, it's rarely that simple.
Well aware of the potential ramifications of data loss, governments across the world have scrambled to enact new legislation and sanctions aimed at bolstering corporate defences. Such is the bewilderingly rapid pace of change in this area that many companies probably will not be fully aware of, or completely understand, their new national obligations - let alone grasp the added complications for those who operate across multiple jurisdictions.
It's no surprise that many companies have been taken aback by the professionalism and scale of the malicious insider jobs they have been exposed to. Few of them expected this. After all, their internal controls were set up on the basis of their employees being essentially honest people. The vast majority still are - but the scale of what that one 'bad apple' can achieve can often come as an alarming surprise.
Our experience tells us that many organisations have no real plan for what happens in the wake of a data loss incident. With no impact assessment prepared and no contingency plans in place, many victims simply flounder helplessly in the immediate aftermath, potentially making the resulting fall-out even greater and more damaging.
Companies could help their cause significantly by revisiting the prevailing culture around how they treat data. With data so available and accessible, it's easy to become somewhat laissez-faire about it. It's not that long ago, when bank statements were sent out exclusively by post, that sending a statement to the wrong person was an immediately sackable offence. Would such a sanction be enforced today for a comparable offence? Probably not.
One area where we are seeing companies taking action is around the practice of people taking client data with them when they change employers. Malice is rarely involved - but this remains a serious breach of data security and privacy. Such behaviour was previously commonplace but tolerance of it is now declining sharply, with financial services companies at the forefront. In fact, employers have even shown themselves willing to immediately sack new employees who try to bring confidential data across with them.
This is a good start in developing the sort of work culture in which malicious insiders will struggle to thrive - but so much more needs to be done. Five years ago, the financial losses resulting from data loss were minuscule. Since then, they have spiralled out of control. To date, the biggest losses have been suffered by large companies sufficiently well capitalised to absorb the impact. This may not be the case for much longer; indeed, the day when the fall-out from one data loss incident is sufficient to bankrupt a business may not be far away.