
4 - Dealing with threats

Published online by Cambridge University Press:  08 June 2018


Summary

Introduction

Your organization is a custodian of data about your customers, staff and others you do business with, and it is your responsibility to deal with the data in a manner that demonstrates integrity. We have seen, in Chapter 2, that where data protection legislation exists, there is a legal requirement to safeguard personal data. In Chapter 3, we have seen that the data provided by a person in one context may be enhanced or enriched by judicious use of data from other sources. This ‘value-added’, higher-quality data set is an even bigger asset than what we started with – through synergy it has become more than the sum of its parts and certainly needs the same level of protection.

The Ponemon Institute's eighth annual study into the cost of a data breach in almost 300 companies, nine countries and 16 industries revealed that in 2012, the cost amounted to an average of US$136 per compromised customer record, a rise from the 2011 figure of US$130 per record (Ponemon Institute, 2013). The costs to German and US organizations, however, were higher, at US$199 and US$188, respectively. Other findings of interest were that data breaches as a result of malicious and criminal attacks and botnets were more costly, and that breaches due to the negligence of insiders accounted for 35% of breaches, malicious attacks being responsible for 37%, and ‘system glitches’ – IT and business process failures – for the remainder.

There are multiple threats to an organization's data, and the levels of threat behaviour facilitated by the internet, in particular, mean that taking precautions ought to be standard practice, rather than a sign of excessive caution. When an automated scanning program can check millions of IP addresses for vulnerabilities in less time than it takes to describe what it is doing, the responsible way for an organization to act is to erect its defences first, and then build behind them. Prevention rather than cure is what we must aim for, because breaches of security are irreversible, as regards the data that are lost, leaked or damaged.

It has become conventional to divide threats into internal threats, which originate within the organization, and external threats, which come from outside the organization.

Type: Chapter
Information: Information Governance and Assurance: Reducing risk, promoting policy, pp. 81-112
Publisher: Facet
Print publication year: 2014
