The Real Cost of Exposure

Organizations offer several common excuses for failing to encrypt their data, including a simple lack of time or money to do so. Unfortunately, no explanation after the fact can help an institution sufficiently recover from a data breach. And the costs and time associated with fines, remediation efforts, negative publicity and lost customers are as incalculable as they are crippling.

If one does nothing to protect sensitive data and it’s never compromised, then there’s no cost involved. However, as news stories demonstrate time and again, the probability of information being lost or stolen is high. In fact, it becomes a matter of when — rather than if — that compromise will occur.

As recently as 2006, the Ponemon Institute found that data breach remediation costs businesses an average of $182 per record, totaling as high as $22 million, $4.7 million on average and no less than $226,000. Those staggering dollars are consumed by legal fees, investigative and administrative expenses, stock performance, customer defections, opportunity loss, public relations services and customer support costs.

In addition, organizations face losses that are more difficult to quantify. The damage to reputations and brand identities can take years to correct — if it’s even possible at all. And that’s really just human nature. After receiving a letter of notification that one’s personal information has been exposed, it’s difficult to imagine the victim quickly trusting the offender again.

SECTION 2: OPPORTUNITY
Minimizing Risk and Loss

Finding the Right Balance

The importance of protecting data and consumers, combined with escalating compliance regulations, is causing enterprises to rethink corporate governance mandates. This entails proactively investigating exposures and implementing appropriate information security policies, processes and technologies, including those for tape data encryption.
Others have not yet embraced encryption and have no procedures in place. After all, they may argue, they don't have any sensitive data. So, why bother with encryption? The reality is, nearly every company has some sensitive data on its systems — and it needs to be adequately protected — for compliance and longevity.

That’s why a growing number of organizations are incorporating data encryption into their security best practices. But haphazard application of these best practices is, in fact, not a best practice. Institutions need to perform due diligence to identify exposure points and the information in need of encryption on tape. Anything short of this approach will lull them into a false sense of security.

Yet, too wide a net can be cast in encrypting data. Deeming all information sensitive and then encrypting it would certainly be cost prohibitive. And there are also the issues of time and computing resources to consider.

Moreover, institutions may selectively encrypt the wrong data. For instance, they might encrypt everything that goes offsite, including information that really doesn't need the additional protection. At the same time, they may neglect to encrypt archived data or data sitting in their onsite vault, which could be easily accessed by an unscrupulous or malicious insider. In a sense, these organizations have encrypted too much or too little — or both. The goal, then, is to implement a tape encryption policy that protects all sensitive information without covering any that doesn’t require that higher level of security.

SECTION 3: BENEFITS
Implementing Best Practices for Better Results

As organizations embark on data encryption projects, they often struggle to identify information that should be backed up to their tape media and what portion of that information really needs to be encrypted. After all, the existing and universal standard operating procedure is usually to back up everything to tape on a daily basis.
This “approach” means organizations don’t know which data sets contain sensitive information — and which don’t. But as previously established, not all data is created equal. That’s why it’s best to consider an encryption strategy that’s aligned with business practices, security objectives and compliance drivers.

The business needs of an institution will determine which one of the following common mainframe encryption methods it chooses:

ALL Z/OS DATA
Encrypting all z/OS tape data is the fastest way to implement an umbrella encryption policy. This may be overkill, but it’s also the most expedient if the mandate is rapid encryption deployment.

ALL Z/OS DATA THAT’S OFFSITE
Tapes that have transit requirements from local control to remote locations (offsite storage sites or business partners) are at higher risk. Thus, it’s a good compromise to take a blanket approach to safeguarding these assets while selectively encrypting onsite tape data.

SELECTED DATA
If efficiency and economies of scale are the primary goals, it is prudent to take the time upfront to select the data that needs to be encrypted and the data that doesn’t, and to set policies based on those decisions. This saves time and resources in the actual encryption/decryption process.