Although protecting the privacy and security of business information hasn't really changed -- a company's responsibility for electronic data equals the responsibility it has for paper files -- the risk for security failures, information exposure and privacy invasion have grown immensely.
The chance of in-secure data not only concerns consumers who are wary of fraud, identity theft and privacy but greatly concerns businesses, which can be held liable for unintentionally exposed information, despite best efforts to protect it.
Companies today are struggling with the challenge of effectively protecting data, which directly relates to the bottom line. A business guilty of faulty data security may lose its customers, its reputation, revenue stream and everything else.
Despite this clear connection to the business as a whole, many companies still evaluate information security based solely on technology; designing security strategies to protect the hardware, software and systems that run the business. While this is an important step in security, it should be viewed as one part of a larger security strategy.
To more effectively safeguard the information and, ultimately, the business itself, companies must take into account their own business goals. Better yet, businesses should use these goals to drive overall information security decisions.
Business Risk Assessment
One process, known as business risk assessment (BRA), can be used to evaluate and define information security needs from the top of the organization down. The process helps businesses identify critical functions (such as customer data, communications, accounting, IT infrastructure) and the potential risks associated with each function.
Once the risks are known, a plan for mitigation can be developed and the people, processes and products required for effective mitigation will become clear.