Data security and the insecurity of electronically stored information (ESI) is ephemeral and any anticipation of its occurrence or origin is absolutely unpredictable. All attention is always on the external incidents but little is focused on the internally sourced infraction. Seldom do entities envision the internally sourced incident. The risk from internal unauthorized access to trade secrets leading to misappropriation is realistic. This is not to spawn an environment of distrust in the workplace. Of course, it is difficult to swallow that employees would pilfer company knowledge, designs, formulas, or even the companies R&D new software specs for self-gain. Word to the wise, swallow it fast and be ready.
The imminent vulnerability is through personnel and their mishaps, forgetfulness, or deliberate sabotage. Always the employee with the increasing frequent absences draws a cause for concern and some form of a query, especially an employee who has access to critical company information. This concern is so realistic that it has motivated states to promulgate their own version of a uniform rendition on trade secrets and provisions addressing computer crimes. Some promulgations allow for civil and monetary remedies when business data is compromised as a result of someone exerting unauthorized access either internally or externally sourced.
With the ease of ESI transmission, unauthorized access becomes all too prevalent for the business insurance companies to fathom the risk. This reality is augmented by the anonymous activity through shadow bots, exchanges and other means that leave the business owner holding client data, innovative plans, beta testing new processes, without protective leverage. Backdoor access is always a possibility especially among those of trust who have a mutual gain in the prosperity of the enterprise. Worst case events are what gave rise to FUTSA and CADRA in Florida and many other states that appreciated the seriousness.
Insecurity of data security, unfortunately, is by the nature of storing ESI and transmitting ESI in our day-to-day business endeavors. Customer information, as well as business assets, are at play in the realm of cyber insecurity. Security is only as secure as the weakest link in the chain of transmission. As vulnerability is realized in its present state, the urgency then is to focus not only on firewalls and other aspects but on internal employee training, policies, non-disclosure agreements, vendor contracts, cyber insurance policies and their coverage reviews, and vetting vendors’ cyber liability coverage before inking a deal. Can a business claim safeguarding its data assets to engender public confidence in the security of ongoing credit card transactions, storage of its personal account information, the transfer of its customers’ medical records, or the updating of financial records? The qualified claim itself draws also the risk of misrepresentation before the regulatory eyes of the Federal Trade Commission. ESI is business as usual and the role of risk management is to realize not only the external aspect of cyber intrusion but to also balance that attention with internal constructs in order to anticipate the unpredictable.