Large numbers of businesses currently do not have even what may be considered a reasonably secure environment. There are several reasons for this:
• The business might not know that its environment is not secure. That is, it could be spending money and doing what it believes is right, but spending in the wrong areas and gaining less than optimal results.
• With such a plethora of choice in the market, businesses might be confused about what to do and have adopted an information approach that tries to bolt security on the back, rather than planning it from the front with the same rigour that’s applied to financial products.
• Security is often still seen as an IT issue, rather than a business issue, so the people with the most to lose (MD, CEO and Board Members) are leaving it up to IT (whose main priority can be availability over security), unaware of their real exposure.
• Some might be aware that the information is not secure, yet may not have considered the implications of their choice. At the very least, mismanaging confidential information almost always leads to reputational damage, and reputational damage leads to client departures and difficulty attracting new business, sometimes for years. This can have significant bottom-line implications.
Those businesses that do not have a secure internal environment are in no position to protect their own information, let alone anyone else’s. Yet to compete in the 21st century, they need to move into conducting business electronically.
What they are finding is that the entities they wish to work with are now mandating demonstrations of due diligence and process around the information flowing between the two organisations.
Businesses need to be able to demonstrate that their service and information are housed in a secure environment that controls the assets; otherwise the government, banks, large financial institutions and, increasingly, major non-financial-industry corporations simply won’t form alliances with them.
Non-compliance, then, has a fairly critical opportunity cost – missing not just the first opportunity, but every opportunity thereafter until compliance is achieved – missing the opportunity to grow the business. All of which means a maligned reputation, missed revenue and missed profitability.