• September 14, 2023
  • Category: Security

SMBs Must Confront Cybersecurity Challenges Head On

By : Justin Folkerts

If you’re a small or medium-sized business (SMB), you’re a prime target for threat actors who want to poke holes in your cybersecurity.

While enterprises are valuable targets due to the wealth of data they transmit and store, today’s digital landscape means size doesn’t matter – every business is storing information that is worth stealing. However, SMBs face greater resource constraints, not only in terms of cybersecurity, but IT in general, even though they still handle plenty of sensitive customer data, including financial and health information, as well as valuable intellectual property.

If you’re an SMB, you probably work with bigger companies, which means you’re part of a supply chain. And while you may think you’re too small to matter, you can be a vector for bad actors to attack your business partners.

Today’s cybersecurity landscape means SMBs must be aware of the common threats to their business, as well as understand how to contribute to a more secure supply chain.

What SMBs are up against

Viruses and malware remain the most common threats to your cybersecurity. Keep in mind it’s not only external threats that SMBs must be mindful of – your employees can help to open the door to threats through human error by opening a suspicious email, clicking on an attachment, or not taking more care to select unique, strong passwords.

Insiders may even intentionally compromise your cybersecurity by using their credentials to access data they shouldn’t. Even an honest mistake by an employee can open the door to sensitive information, leading to a breach or even a ransomware attack that cripples your operations and damages your reputation. Social engineering in the form of phishing attacks tricks employees into divulging information or allowing unauthorized access to applications and systems.

The most common approach threat actors use to disrupt business and cause SMBs downtime is the Distributed Denial of Service (DDoS) attack, which floods your web servers with fake requests so as to render them useless to everyone, including your employees and your customers.

As new technology emerges, cybercriminals find new opportunities. As SMBs move to the cloud, so do threat actors by “cloud jacking” – they target vulnerabilities in the cloud infrastructure. Hackers are also using the latest technologies to launch their attacks, such as botnets to distribute spam and steal data. Advances in artificial intelligence and deepfake technology make it even easier for SMBs to be tricked by fake content that might cause an employee to share privileged information or their access credentials.

No matter the technique, a data breach can lead to a disruption of your business or downtime – both of which always lead to lost revenue.

Cybersecurity essentials

It’s easy for SMBs to get overwhelmed by today’s cybersecurity requirements, but you can better protect your business from the many threats lurking in the digital landscape.

  • Assess: You need to know where your vulnerabilities are, especially when it comes to remote work, which should be enabled by a Virtual Private Network (VPN).
  • Educate: Your employees play a key role in securing your organization through awareness training and good security hygiene, including the use of strong passwords, multi-factor authentication (MFA), and access management technologies.
  • Update and patch: Make sure you are using anti-virus software and keeping it updated, as well as applying any patches to applications and systems.
  • Secure your networks: Aside from VPNs, be sure to deploy robust firewall security along with intrusion detection systems and regular network monitoring.
  • Back up critical data: It’s not a question of if a disruption will occur, but when. Being able to restore data allows you to recover from an attack quickly and avoid downtime.

The most important thing to remember is that your cybersecurity posture is never assured – you must continue to run regular audits, as well as update incident response and disaster recovery plans.

Given the resource constraints commonly faced by SMBs, consider turning to a managed service provider with cybersecurity expertise. They can help you conduct an assessment and maintain a state of ongoing readiness that allows you to handle whatever threat comes your way.

  • July 26, 2023
  • Category: Security

Your Next Data Breach is Going to Be More Expensive

By : Sanjeev Spolia

The cost of a data breach is going up.

That’s according to IBM’s annual survey, which found the average breach cost across the 553 organizations studied over the 12 months ending March 30, 2023, was US$4.45 million – a 2.3 per cent increase compared to a year earlier. It’s also a whopping 15.3 per cent increase since IBM’s 2020 report. (Research for the study was conducted by the Ponemon Institute.)

Although Canadian companies are faring better than last year with the cost of data breaches at the 28 organizations included in the study dropping a bit from C$7 million to $6.9 million, Canada was the geography with the third highest breach costs behind the U.S., which was first, and a grouping of Middle East countries, which placed second.

It’s important to note these costs don’t include any ransomware or extortion payments organizations may have made, or the cost to recover from an incident.

As reported by IT World Canada, Canada’s breaches were more expensive – double that of Australia, for example. In the article, a partner in IBM Canada’s security consulting and delivery practice speculated that many of the Canadian organizations included in the study were in regulated industries, where recovery costs are higher, while noting the overall trend is heading in the wrong direction.

A notable data point in the IBM study is that two thirds of breaches were reported by an outsourced or third party rather than discovered by the organization’s own security team. This indicates many Canadian organizations don’t have the right level of monitoring and insights to provide the network visibility necessary to prevent and mitigate breaches.

Another interesting stat was that organizations with high DevSecOps adoption had less costly data breaches. Aside from getting your application development teams to “shift left” with DevSecOps, the best strategies for lowering the average cost of a data breach according to the IBM study were employee awareness training, a regularly tested incident response plan, and leveraging artificial intelligence or machine learning insights.

IBM recommends following the “basics” as they are the most effective tools for preventing data breaches – user threat intelligence, robust identity and access management, employee awareness training and setting up a zero-trust IT architecture, as well as leveraging AI and automation to reduce the burden on security teams. These should be complemented by a strong incident response plan, so the organization is ready to mitigate and recover quickly in the event of a breach.

Given the dynamic landscape security teams must navigate, as well as the pressure to retain talent, organizations should consider looking to a managed service provider – they can help to evaluate your current security posture and provide ongoing staff and resources to complement your IT staff.

  • March 28, 2023
  • Category: Human Resources

Employee Burnout Threatens Cybersecurity Resilience

By : Justin Folkerts

Attracting IT talent, especially cybersecurity experts, remains a challenge even amid layoffs, but so is keeping them. The last thing you want to do is contribute to employee burnout.

It’s just as big a threat as the growing number of cybersecurity threats as your IT teams struggle to do more with less after a tumultuous three years due to the waning pandemic. Employees of all stripes are experiencing burnout, which as defined by the World Health Organization (WHO) is the result of chronic workplace stress that has not been successfully managed.

The solution can be found in the WHO definition; employee burnout can be managed, even when it affects your cybersecurity staff.

Detect the signs of employee burnout

In the same way you want your cybersecurity to be proactive and detect anomalies before they become a major incident, employee burnout can not only be managed, but also prevented so that IT teams can remain engaged and avoid exhaustion.

For cybersecurity professionals in particular, workplace stress stems from the nature of the work – their environments are always active because the organization is constantly under threat. It means handling alerts throughout the day to prevent and mitigate threats while also ensuring that long-term strategic security initiatives are met. Just making sure the security operation center is adequately staffed off hours causes stress and contributes to employee burnout. You need to make sure you have people available on-call while also giving everyone enough time to wind down if you’re to prevent burnout.

At the end of the day, employee burnout within your cybersecurity team can pose just as big a risk to your security posture as threat actors trying to compromise your IT infrastructure.

Cybersecurity resilience depends on people

Just like potential security risks, employee burnout has warning signs. Chief among them is the phenomenon of quiet quitting – that’s when staff experience depersonalization and increased cynicism. They will also feel emotionally depleted and feel as though they’re being less effective.

Employee burnout can affect the entire cybersecurity team, regardless of their role, and lead to actual quitting. A single, small incident can be the tipping point after prolonged periods of stress on the job – cybersecurity staff are constantly in “fight or flight” mode, and it’s ultimately unsustainable.

Just as you mitigate cybersecurity vulnerabilities, you want to prevent employee burnout – an ounce of prevention is worth a pound of cure. You need to build up psychological resilience among your team by ensuring they are confident they can handle what comes their way and are able to adapt to changing situations.

And no matter their job role, your employees need to have a clear sense of purpose as well as adequate social support – trust and relationships are especially important for cybersecurity teams if they are to avoid burnout. It also starts from the top – if you’re leading your IT staff or a security team, you need to take care of yourself – if you’re depleted, everyone else will feed off of that. Building up your own psychological resilience and instilling the ability in others will boost morale – preventing employee burnout is both about personal responsibility and team effort.

Technology does play a role, too. If your cybersecurity team doesn’t feel they have the right tools for the job, it will contribute to their disengagement. And if they feel they’re understaffed and doing more than their fair share, they’re going to look for greener pastures rather than work harder to compensate for the staffing shortage.

Exploiting automation as much as possible will allow your employees to focus on more rewarding activities and will reduce their stress – they will feel as though they are spending time on projects that truly matter. Turning to a managed service provider who can take on some responsibilities and complement your cybersecurity team can also alleviate the pressure and further reduce the likelihood of employee burnout.

  • January 17, 2023
  • Category: remote work

Remember the basics of remote work security

By : Justin Folkerts

At the risk of sounding like a broken record, remote work isn’t going away, so you need to always be mindful of some core security measures that protect what looks to be a perpetual hybrid workplace.

These measures are both technical and cultural in nature – your people are just as critical as the security technology you deploy to accommodate remote work.

The most obvious step you can take on the technology front is to regularly update and monitor your network security. This includes applying the latest security patches and upgrades to all devices, including updates to operating systems as well as keeping your antivirus and antimalware programs current. Don’t forget hardware updates such as those for your routers and switches, either.

A strong technology foundation is critical to remote work security and should also include secure VPN access for any employee working outside the office, as well as multi-factor authentication (MFA), both of which lay the groundwork for creating a Zero Trust environment. Also essential are tools for monitoring your environment so you have a complete understanding of what’s connected to your infrastructure, whether it’s devices that support remote work or other devices and services, including internet of things (IoT) devices. You should be able to interrogate the network so you can know for certain how every connected device behaves at the packet level.

In the era of remote work, MFA is a must have, and illustrates how critical the intersection of technology and people is to security. Employing MFA recognizes that even the best passwords can be broken and that the users who select and use them make mistakes. This is where employee education comes into play so all users, remote or otherwise, understand good password etiquette and the benefits of adding another layer of security with MFA.

User education is also the best defence against phishing emails, which remain the most common threat to your sensitive data. The upheaval of the pandemic has made for good cover for threat actors who send convincing emails that open the door to malware and ransomware.

The culture of your organization has always been critical for maintaining robust security, and the sudden switch to remote work was a stark reminder of that. Even as many employees return to the office, it’s a great time to remind your entire team that remote work requires the same level of attention to best practices around storing and securing mission-critical data.

The return to the office should also be seen as an opportunity to take another look at your entire security strategy – consider tapping into the expertise of a managed service provider to help you re-evaluate and refresh your technology and best practices.

  • December 15, 2022
  • Category: cybersecurity

How Cybersecurity is Shaping Up for 2023

By : Justin Folkerts

Remote work during the pandemic and the current dynamic of hybrid workplaces has had a strong impact on how you must manage cybersecurity. Remote work isn’t going away, while other longstanding trends as well as new realities will affect cybersecurity in 2023.

Ransomware remains a major threat

Expect ransomware attacks to continue to be a factor in your cybersecurity planning, as threat actors move from encrypting files to targeting third-party cloud providers while continuing to use aggressive, high-pressure tactics to extort victims, including data-encrypting malware and more novel infiltration approaches.

Global geopolitics will affect your business

The ongoing conflict in Europe will mean some of those ransomware threats will come from Russia. Overall, 2023 is going to begin with a great deal of uncertainty and tension, with more state-sponsored threat actors looking to destabilize global economies and specific industry sectors such as logistics and shipping, energy, semiconductors, and financial services.

Zero Trust adoption will grow

With more workloads being moved to the cloud, a Zero Trust approach to security will become more compelling and necessary in 2023, transforming how you secure your infrastructure, including network penetration testing.

Automation will increase, too

It’s near impossible for organizations of any size regardless of budget to keep up with the volume of threats, which means 2023 will see even more automated cybersecurity, enabled by artificial intelligence (AI) and machine learning. The downside is the bad guys can leverage automation and AI, too, which means organizations will need to take a more active approach to cybersecurity.

Watch out for bots

Speaking of automated bad guys, be prepared for more bot activity in 2023, which can automate and expand attacks as perpetrators rent out IP addresses to make it difficult to track them.

Your own IT is a threat

Between shadow IT and the proliferation of endpoints either due to remote work or internet of things (IoT), there’s no shortage of attack surfaces for threat actors in 2023. If your endpoints aren’t properly configured and you’re not keeping a handle on shadow IT, your cybersecurity posture will be drastically weakened.

Your people can still be a problem

Even with all the right technology in place, the biggest threat to cybersecurity in 2023 will continue to be your own people, whether it’s by accident or due to insider threats from unhappy or former employees. Training combined with a Zero Trust approach will mitigate risk to your business.

What won’t change in 2023 is that cybersecurity isn’t something most organizations can handle on their own, so if you haven’t already, make it the year you see how a managed service provider can help evaluate and shore up your security posture.

  • August 31, 2022
  • Category: cybersecurity

Insurance not a substitute for good cybersecurity

By : Justin Folkerts

You don’t use auto insurance as an excuse to drive recklessly, so why would you cut corners on cybersecurity because you have ransomware insurance?

With ransomware attacks doubling in 2021 compared to the previous year – due in large part to the massive shift to remote work – the average cost of a data breach grew by more than 10% to record levels in 2021 as threat actors took advantage of a broader attack surface that resulted from a hybrid work environment.

Much of the costs of these breaches were covered by insurance, including ransom payments, but cybersecurity insurance providers are becoming more selective with their coverage as payouts have increased – qualification processes are more rigorous and the threshold for a payout is getting higher.

If you were depending on cybersecurity insurance without a data protection strategy, you need to seriously rethink how you implement security in your organization.

As ransomware attacks rise, so do premiums

For starters, the number of ransomware attacks is only going to get higher as more and more threat actors with a wide array of experience and expertise look to make money off data breaches – cybersecurity insurance is not going to be enough to save your business.

It’s not that you should cancel your insurance – you should be prepared to pay more – but you must also have people, processes, and technology in place to secure your business and sensitive customer data. Making an insurance claim should be a last resort – no matter how much you pay for it, it won’t bring your data back if you fall victim to a successful attack.

You really don’t want to be paying the ransom, even though many companies go that route – that only emboldens the bad guys to keep at it. Some insurance companies are no longer even covering ransomware payouts. If cybersecurity insurance premiums are going up and not covering what they used to, it’s time to implement better security practices – prevention is much more affordable in the long run.

Your MSP can help you up your security game

Cybersecurity awareness should be something that touches everyone in your organization, including the understanding that a data breach costs the business money – and your insurance provider expects you to raise your game to take a more proactive stance with security.

Even if you’ve put the effort into your cybersecurity, keeping it current and staying on top of all the threats can be daunting. With so many systems, endpoints and users, visibility is your biggest challenge, and understanding the threats, attack surfaces and vulnerabilities requires a great deal of time and resources, including skilled people.

That’s why you should turn to your managed service provider for guidance – they’ve got to contend with rising insurance premiums too and know that prevention is better than getting the cost of a ransomware attack covered. They already have visibility into your infrastructure and can help you put all the people, processes, and technology in place so you can qualify for cybersecurity insurance but hopefully never have to use it.

  • March 17, 2022
  • Category: cybersecurity

Key Cybersecurity Trends for 2022

By : Justin Folkerts

As we wrap up the first quarter of the year, some trends are emerging around cybersecurity that affect businesses of all sizes.

Not surprisingly, these trends are being driven by the impact of the pandemic, as remote work continues, and organizations look to establish a new normal of flexible work hours and hybrid teams.

Cybersecurity is getting more expensive

The cost of securing the organization is going up, and so is the cost of not having robust security. According to a report released last year, the global average cost of a data breach surpassed 4 million U.S. dollars. These costs are attributable to lost revenue and lost customers, fines for non-compliance, and even ransomware payouts. For larger organizations, it’s the cost of doing business, but for smaller ones, it can mean the end. Investing in cybersecurity is also expensive, but it’s an investment that pays off in the long run.

People are the deciding factor

Social engineering remains a preferred tactic of bad actors when it comes to gaining access to systems, stealing data, and disrupting systems. Ransomware continues to be one of the most popular types of attacks, and remote work has made it easier for threat actors to target vulnerable users. This means training employees with sufficient security awareness is more critical than ever so they can spot a phishing email and understand the need to adhere to security policies. Given that passwords remain integral to managing access, there’s an increase in adoption of biometrics to add an additional layer of security to turn people into their own password by using their individual characteristics to facilitate access.

The bad guys are getting smarter

Threat actors see the benefit of honing their skills because it makes them more successful, especially when the motivation is money. Whether it’s remote work or other circumstances, they’re always looking for new avenues with vulnerabilities they can exploit. As organizations adopt new ways of working, including flexible hours and workspaces for employees, cybercriminals are going to look for windows where they can access data and disrupt systems.

One trend that’s been clear since before the pandemic is that security cannot be just an issue for IT to manage. If organizations are to implement effective cybersecurity, they need the support of the C-suite who can lead by example and provide budgetary support with an understanding that cybersecurity impacts the bottom line.

  • September 30, 2021
  • Category: Security

Cybersecurity Attacks Target Remote Work Technology: Things You Can Do

By : Justin Folkerts

Remote work technology continues to be a prime target for cybersecurity attacks.

Recent research released by Tenable in collaboration with Forrester found that nearly three quarters of organizations have traced recent cyberattacks that have impacted their businesses to vulnerabilities in remote work technology. Even before the pandemic began, the traditional perimeter around enterprise IT infrastructure had become rather porous due to increased mobility of workers and cloud adoption. With a hybrid workforce that has fully embraced remote access tools, cloud services, and personal devices, that perimeter is pretty much gone.

The Tenable / Forrester research found that 80 per cent of security and business leaders say remote work has put their organizations at higher risk because IT teams lack visibility into remote employee home networks as more than half of remote workers use a personal device to access work data. This has meant three quarters of cyber attacks are targeting remote employees. Threat actors are also exploiting third-party software providers or leveraging vulnerabilities in those products, with 65 per cent of respondents linking those compromises to recent cyberattacks.

For small and medium-sized businesses, it can be challenging to invest a great deal of money in security technology and dedicated IT staff, but there are several core things that can help to better protect remote work technology from cybersecurity attacks.

  • Use a Virtual Private Network (VPN): Implementing a VPN for anyone accessing corporate data and applications via the Internet provides an additional layer of security via multi-factor authentication and should be required for anyone looking to access valuable company intellectual property and other sensitive data.
  • Use complex passwords: Many employees opt for simple passwords they can remember and use them for more than one application or website, which means once a hacker guesses one of them, they have access to a great deal of private information. Since these can be difficult to remember, consider implementing password encryption software that stores usernames and passwords without the need to know what they are because the information is encrypted from the start.
  • Educate everyone: Having the right technology in place only goes so far; you need a culture where all employees understand the need for complex passwords, log in via VPNs, and recognize phishing attacks and other suspicious emails. In addition to employee training, set aside a budget for your cybersecurity team to attend webinars and other courses that help them keep up with an ever-changing threat landscape.
  • Keep everything up to date: Whether it’s hardware or software, falling behind on upgrades and patches is a surefire way to create vulnerabilities that threat actors will exploit. While much of this can be automated, you should have a program in place to verify all necessary updates are done on schedule.
  • Pick a reputable cloud service provider: A great deal of security misconfigurations that lead to data breaches are the result of connecting with the many cloud services available to businesses today. Make sure your chosen providers have a solid track record on the security front and understand what they’re responsible for securing and what must be done at your end.

Keeping ahead of cybersecurity attacks has always been a challenge and the remote work era hasn’t made it easier. Consider seeking out a managed security services partner who can help you evaluate your security posture, implement new technologies and policies, and automate where possible so that your business is a less appealing target for threat actors.

  • May 31, 2021
  • Category: networking

Bolster your wireless security in the hybrid workforce era

By : Justin Folkerts

After more than a year of focusing on securing remote workers, it’s time to prepare your office for a hybrid workforce and reinforce your wireless security.

The threats to your on-site wireless security haven’t gone away, and having workers who are in and out of your office post-pandemic means the network security landscape is just as dynamic as ever. The hybrid workforce is a stark reminder that there is no network perimeter, and you must constantly review your network security checklist—Bring Your Own Device (BYOD), the Internet of Things (IoT), and ubiquitous connectivity remain important considerations.

Secure your office for a hybrid workforce

As people come back to the office, the best practices for wireless security are more important than ever, especially as many employees may no longer have a permanent office or workspace as hot desking becomes more prevalent. In addition to guests, you’ll have employees connecting to your office network on-site in an inconsistent manner with devices that are connecting to a variety of other networks, whether it’s the employee’s home network or a wi-fi hotspot as it becomes possible to work from coffee shops again.

Now is a great time to review your management policy for all IT endpoints and provide refresher courses on wireless security for your staff. For some organizations, a hybrid workforce was already familiar to them before the pandemic, but for others it will be just as jarring as going fully remote. Given that you’re about to experience another paradigm shift, it can’t hurt to bring an outside partner to evaluate your current wireless security posture.

What’s in a name

A good place to start is to review your inventory of wireless routers and access points.

No matter how many you have or where they are located, you should review their service set identifiers (SSIDs) to make sure they are suitably named so as to be found by authorized users, but not so easy for unwanted guests to connect to because the names are obvious or remain the factory default. Your network naming should be just as well thought out as password selection—avoid creating one that’s likely to help a hacker guess the network password. Rotating passwords and SSIDs can also make it harder for devices and networks to be breached, and the more unique, the better.

With a hybrid workforce, you may want to segment your network so that transient employees have dedicated wireless access points to connect to that are separate from employees who are back on-site full time. Either way, you should hide your SSID so only users who know the actual wireless network name can search it out.

Apply access controls

Even before the advent of the hybrid workforce, there was never a need for every employee to access the same network resources or devices. Just as you segment wireless router access, consider giving specific users access to specific devices such as network printers depending on whether they’re occasionally on-site or in the office everyday.

No one needs to be connected to every device in the organization, so segmenting access will limit the impact of a breach should one endpoint be compromised. At the end of the day, not all employees are equal, including post-pandemic visitors, who need wireless access for their mobile devices. Adopting a Zero Trust model for wireless security can go a long way because it’s based on the mindset that organizations shouldn’t automatically trust anything inside or outside their perimeter—every connection must be verified, whether it’s an endpoint, switch or IP address, if the organization is to prevent breaches.

Secure and scan everything

Wireless security demands that all access points be encrypted, and yet surprisingly, many wireless networks are left wide open, making them easy avenues for threat actors to gather sensitive information, or to use as a gateway to hack more secure systems.
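The SSID review, segmentation and encryption checks described in the sections above can be run against an access-point inventory. The following Python script is an added example, not code from the original post; the inventory records, the default-name patterns, the `org_keywords` list and the VLAN and audience fields are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative, non-exhaustive patterns for factory-default SSIDs (assumption).
DEFAULT_SSID_PATTERNS = [
    r"^linksys", r"^netgear", r"^dlink", r"^d-link", r"^tp-link",
    r"^belkin", r"^default$", r"^wireless$",
]

# Settings treated as unencrypted or outdated for this audit (assumption).
WEAK_ENCRYPTION = {"OPEN", "WEP", "WPA"}


@dataclass
class AccessPoint:
    name: str        # inventory label for the device
    ssid: str        # network name it broadcasts or answers to
    encryption: str  # "OPEN", "WEP", "WPA", "WPA2" or "WPA3"
    vlan: int        # network segment the access point bridges into
    audience: str    # "staff", "transient" or "guest"


def audit(aps, org_keywords):
    """Return (access point name, finding) pairs for the inventory.

    org_keywords: words the reviewer considers too revealing in an SSID,
    such as the company or department name (hypothetical parameter).
    """
    findings = []
    for ap in aps:
        ssid = ap.ssid.lower()
        # SSID still matches a well-known factory default.
        if any(re.search(p, ssid) for p in DEFAULT_SSID_PATTERNS):
            findings.append((ap.name, "default-ssid"))
        # SSID advertises who owns the network or what it carries.
        if any(k.lower() in ssid for k in org_keywords):
            findings.append((ap.name, "obvious-ssid"))
        # Open network or an outdated encryption mode.
        if ap.encryption.upper() in WEAK_ENCRYPTION:
            findings.append((ap.name, "weak-encryption"))

    # Segmentation: one VLAN should not serve more than one audience.
    audiences_by_vlan = {}
    for ap in aps:
        audiences_by_vlan.setdefault(ap.vlan, set()).add(ap.audience)
    for ap in aps:
        if len(audiences_by_vlan[ap.vlan]) > 1:
            findings.append((ap.name, "shared-segment"))
    return findings


# Constructed sample inventory; none of these devices are real.
INVENTORY = [
    AccessPoint("AP-LOBBY", "NETGEAR42", "OPEN", 30, "guest"),
    AccessPoint("AP-FLOOR2", "AcmeCorp-Finance", "WPA2", 10, "staff"),
    AccessPoint("AP-HOTDESK", "blue-heron-7", "WPA2", 10, "transient"),
    AccessPoint("AP-WAREHOUSE", "quiet-otter-3", "WPA3", 20, "staff"),
]

if __name__ == "__main__":
    for ap_name, finding in audit(INVENTORY, ["acme", "finance"]):
        print(f"{ap_name}: {finding}")
```

The pattern list and keyword list should be replaced with the vendors and names that apply to your own equipment and organization.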

No matter how stringent your wireless security, it’s often just a matter of time before someone or something gets past the firewall because today’s cyber threats are so persistent. The trick is to balance security with productivity—you don’t want it to be a barrier to getting things done, otherwise employees will find shortcuts around it whether they’re working at home or in the office.

If you’re feeling rusty about in-office wireless security and would like a refresher to prepare your organization for the hybrid workforce, seek out the help of a managed security services provider.

  • December 10, 2020
  • Category: cybersecurity

Not all business information is sensitive data

By : Justin Folkerts

The trick to protecting sensitive data is understanding not all business information must be protected.

Even organizations that understand the need for robust information security spend heavily on software and hardware without measuring its return on investment (ROI), only to still fail at safeguarding the most sensitive information that’s the lifeblood of their business because they failed to define what it is before applying security controls.

If you want to adequately protect your most valuable data, you must understand which business information is most critical to your bottom line.

Not all data is equal

It seems counter-intuitive, but the reason information security often fails to protect sensitive data is the mistaken belief that all information must be protected equally. Even before the pandemic and remote work became the norm, distributed workers, branch offices, mobile devices, and the evolving Internet of Things (IoT) meant organizations have had to become smarter about how they secure sensitive data. Now it’s more important than ever to make the business case for information security.

The business case isn’t a request for a bigger information security budget or more technology. Rather, it’s about identifying sensitive data, understanding its value, and being clear about what’s necessary to protect it. You need to operationalize a change in mindset that delivers ROI and protects the sensitive data that powers your business. However, it can be difficult for organizations to step back and understand what data is the most valuable when it’s growing exponentially.

One thing is for certain, however: Trying to protect every single bit of data equally isn’t cost effective.

Sensitive data must be defined to be protected

If organizations are to marshal their information security resources effectively, they must narrow their scope and define what constitutes sensitive information. While the definition can be guided by compliance and regulatory obligations, it’s just as important to figure out what data constitutes a critical asset to the business.

Just as a fleet of trucks is a critical asset for a transportation company, every business today has stored information that is critical to daily operations—that’s the sensitive data that must be protected. Otherwise, there are financial repercussions in the form of lost competitive advantage and fines for non-compliance, both of which lead to lost revenue, as do settlements from litigation and damaged reputations.

While compliance obligations and privacy legislation do dictate that some information be prioritized by information security strategies, they’re just the beginning. A healthcare organization may have all its patient data effectively secured but not have all its research data protected, even though that data is just as valuable: it may support a patent application or attract grant money, and has the potential to generate revenue. Personally Identifiable Information (PII) is always an obvious candidate for protection because compliance and regulatory frameworks deem it sensitive, but intellectual property or data that’s essential to running your business is just as critical.

Treat sensitive data like a business asset

If you want to get ROI from your information security spending, you need to think differently. You must understand your data on a deeper level so you can assign a value to it. There’s plenty of information residing in your organization that won’t cripple your organization if it’s lost. But your sensitive data must be assigned appropriate valuations that will be the basis of a business case for information security spending.

Getting an ROI on your information security spending is about anticipating incidents that haven’t happened yet, much like an insurance company considers the likelihood of natural disasters. To determine sensitive data and its value, you must weigh the cost of the protections you put in place with the financial impact of any breach and its likely frequency.

The simplest approach is to categorize data in three ways: data that can be shared freely; sensitive data that can be shared with certain audiences in specific ways; and data that must remain confidential to the organization and never be shared. The process of segmenting and prioritizing data enables you to apply the appropriate information security controls, so you understand the complete lifecycle of all data and adequately protect it based on the repercussions of losing it.

Treating sensitive data like a business asset enables you to make the case for information security so ROI can be effectively measured and you can protect these valuable assets as you would any other important investment.