As an executive in healthcare, eCommerce, or any industry relying heavily on data and technology (that includes just about everything) you are faced with difficult decisions every day. You know you cannot do everything you would like to do or even everything you should do – at least not today. You face a constant battle of priorities, weighing the good ideas with the imperative steps that must be taken to keep the organization safe, profitable, and moving forward. It’s a juggling act some days.
When things are going well security is a low priority.
When you are faced every day with so many competing priorities, it is easy to fall into a cycle of putting out fires that seem to burn the hottest at the moment. It is easy to tell yourself that the risk isn’t really that great, your team assures you they’re taking the right steps, and you just did that risk assessment a few years ago.
But you don’t have to look any further than daily news reports to realize, yes, risks to businesses today are great and they’re constantly evolving.
Your IT team is likely doing the same priority juggling act you are doing. They are faced with demands and fires that dominate their attention and budget constraints that may lead them to focus where they think they can make progress and put off the more expensive or challenging issues for another day.
And that risk assessment or security update you did two or three years ago may only be offering a false sense of security now. How many things have changed within your network or processes since? And perhaps more importantly, how many new threats and nefarious types of attacks have arisen that were not factored into your last assessment and updates?
Eclipsed by the raging fires that pop up in other areas of your organization, you could be ignoring the smoldering, slow burn in IT security or compliance issues that could catch you by surprise at any time.
When something goes wrong, security becomes the only priority.
Perhaps more than any other issue pushed lower on your priority list, a data breach or security incident has the greatest potential to jump up quickly to the top and to go from posing no problem today to threatening the very existence of your company or organization tomorrow.
Incident Response is a Strain on Resources
If a security incident rears its head tomorrow, efforts to stop and remediate the issues will quickly consume your organization. Your incident response team should include (and will inevitably pull from) your IT team, PR and Marketing, and potentially even Human Resources. It will provide a distraction and stressor for virtually every employee and will create problems or concerns for clients as well. One incident can lead to lost customers and damage to your brand’s reputation that could take great effort, cost, and even years to recover from.
You may get lucky, but at what cost?
Ultimately, most data breach lawsuits do not succeed. An appellate court recently dismissed the class action lawsuit against Advocate Medical Group on the grounds that plaintiffs could not adequately show that the data contained on stolen laptops had (or ever would) find its way to identity thieves or other nefarious actors. It may seem that your data is more threatened by laptop thieves than by identity thieves. This may be true and you can be somewhat reassured by the AMG case. But stop to consider the costs already incurred by the company to file, respond, and argue their case before two lower courts and finally the appellate court. Could your organization survive such an ordeal?
IT Security neglect is widespread (and costly).
Another temptation may also be to consider the other businesses and organizations in your industry and think you’re doing no worse than the rest. This is likely true. Healthcare organizations often see HIPAA regulations as this overwhelming, vague set of standards that no company could really have nailed down. Granted, HIPAA compliance is more a journey than a destination and you may be further down the road than most, but it’s safe to assume you still have a ways to go.
In a recent interview for Healthcare Info Security, David Kibbe of DirectTrust explained why healthcare data is so widely vulnerable today because the industry has neglected security issues for years. The breaches we have seen in the last year or two make it increasingly difficult to pretend that security issues are not at crisis levels in healthcare today.
Proactive prevention is cheaper in the long run.
When all the rationalizations fall away and we recognize the very real threats facing organizations in virtually every industry and every size in business today, a shift in priorities is the only business and cost responsible response. You spend your days considering the business case, costs versus benefits, for every decision to guide your business to a stable, profitable future. A similar consideration of the IT security threats increasing every day will reveal that proactive prevention before an incident is always cheaper than recovery and remediation after a security incident. The level of risk in business today is just too high to be acceptable.
With solid information provided by an up to date risk analysis and the guidance of security experts, you will have the tools to create a reasonable, affordable incident response plan to prioritize, mediate, and reduce the risks facing your company. Your company doesn’t have to face these threats alone, contact our team today.