
Just when you thought it was safe to tell your Board, external auditors, or examiners that you have a “no surprises” information security program in place, you don’t! There is a significant “sleeper risk” in the information security program of most organizations and government agencies that has been overlooked! It is a very small aspect of day-to-day operations in the scheme of the organization’s priorities, which is why it has gone unnoticed – until now. As one regulator commented to me recently, “this is not a potential problem – it is a real problem.” It can create a huge risk with a huge downside, if it is not controlled. Most organizations don’t even realize that this “sleeper risk” exists, until it is too late. The good news is that once you identify this “sleeper risk,” it is easy to fix.
“What is this sleeper risk?” It is the lack of information security protocols and practices in the vetting, selection, and use of data recovery service providers.
Data recovery and the use of third-party service providers is a growing market. As a society, we continue to store more sensitive information in digital format. Organizations and individuals are using more storage capacity and various types of storage devices. It makes sense that as the demand for computer storage devices continues to rise, more equipment will be damaged or will fail due to daily wear and tear, physical damage, data corruption, or natural disasters (flood, fire, etc.). If backup copies of lost data are not available, the need for data recovery services will increase to keep pace with the use of storage technology.
I don’t think that I need to explain the potential cost, fines, damage to reputation, and loss of trust that an organization would experience if a breach of sensitive information occurred during the data recovery process or at any other time in the life cycle of sensitive information. It is huge!
If you would like to learn more about why this is a sleeper risk and what you can do to fix this problem at your institution, click here to read an article that I published last week.
This guest post is written by Paul Reymann, CEO and founder of the Reymann Group. He is one of the nation’s leading regulatory experts and co-author of the Section 501 Gramm-Leach-Bliley Act Security rule. He is also the author of numerous articles and papers on technology risk, transactional web sites, customer information, network security, and other technology and safety-and-soundness topics.