Companies should prepare for ‘when’ their data’s breached, not ‘if’ it’s breached
January 15, 2014

Protecting personal information is a two-way street in the online environment. Users need to take some care with how they treat their private data, but companies also should provide sufficient security against hackers breaking into their databases and stealing authentication details. Yet while most organizations know that they might have their systems broken into, many may not be aware of how likely they are to be targeted and have some of their data successfully stolen. 

Nearly all organizations have their data compromised
According to a recent study commissioned by the Department for Business, Innovation and Skills (BIS) and conducted by PricewaterhouseCoopers (PwC), 93 percent of large organizations and 87 percent of small businesses experienced a security breach in the last year. With compromises this widespread across nearly all businesses, decision-makers must consider more stringent security measures and, at a minimum, acknowledge that their networks will be broken into. After all, even the 7 percent of major companies that did not report having their databases exposed to hackers may simply be unaware of the incidents that did happen, The Guardian suggested. 

Adjusting to the new security landscape
The frequency of these attacks becomes even more alarming as certain organizations, such as the U.K. public sector, are transforming into "digital-by-default" groups, as The Guardian noted. As services become increasingly based on electronic access, they will need a higher degree of protection than ever, as well as an evolution in some of their common practices. 

In light of the report's information, the tendency for some organizations to hold onto as much consumer data as possible may need to be changed. The complete profile of a consumer could leave that individual highly exposed to fraud, whereas limiting some relevant details can reduce the damage that may result from an almost inevitable data breach. Decision-makers should emphasize that only records absolutely necessary to providing their service should be retained. 

Public institutions and businesses should also move toward security measures that rely on trusted sources, ones that are capable of quickly managing data theft or related problems. In many cases, organizations are not focused on this type of issue. Meanwhile, financial groups such as banks deal with these kinds of problems all the time and are well positioned as potential credential providers for users across a variety of services. They also have the benefit of already being trusted by numerous individuals to protect sensitive information, as it is part of their operational model. 

A greater level of oversight and quick action when a threat is detected will be key to creating a more secure online environment. The Guardian noted that the creation of bigger, better firewalls may be insufficient to handle the current digital environment, and monitoring will play a more critical role than ever before. 

Reducing friction when connecting users with services
Despite the need for improved security, it should also be stressed that online safeguards must remain relatively convenient. Companies and institutions need to take more care with sensitive data, but that won't matter if their protocols lead to bad user habits such as weak, reused passwords and other practices that are easy to remember but that also defeat the purpose of heightened protection. 

Moving toward multi-factor authentication and identity management systems that reduce the amount of exposure that users experience may be necessary as online services become the default, rather than a perk, for the public and private sector.