By Sarah Thomas, Enaxis Consulting

To most of us, data security is a black box. We read about Heartbleed, Stuxnet, conflict between national government covert programs and industry, and outdated technology that is susceptible to infiltration. In the end, the vast majority of us throw our hands up, don’t change our passwords, and resign ourselves to the idea that perhaps nothing is private; nothing is secure. If something happens to us as individuals, we take care of it retroactively through our bank or whatever institution is associated with the aspect of our life that has been affected. At work, we realize there is information security, but all we know is that it keeps us from doing what we want, when we want, and we are constantly trying to get around the protections the company may have put in place.

Data security has real and tangible implications, however, and it can mean the difference between a company that survives and one that is catastrophically undermined. The costs include the loss of customers and a diminished reputation, loss of intellectual property, and exposure of sensitive product, company or consumer information. The cost of clean-up in terms of public relations, revamped technology and management systems, and careers impacted can be significant. According to a 2013 data breach study by the Ponemon Institute, the average cost of a data breach in the United States in 2013 was more than five million dollars, but the continuing impact costs can be much greater.

The vast majority of data breaches occur either because of a deliberate hack from the outside, or because of human error, such as a lost device or computer. Only 30% of the time is a breach the result of a flaw in the technology system.
When a data breach does occur, there are four primary factors that can decrease the impact of that breach:

• The company maintains a strong security position;
• The company has an incident response plan;
• The company has a C-level information security officer (CISO); and
• The company engages consultants prior to and after security incidents.

All four of these factors illustrate a dedication and commitment to placing data security high on an organization’s priority list. With the rapid pace of change within information technology, ever more advanced hacker techniques that are often government sponsored, and the tendency of employees to ignore what doesn’t affect them, data security no longer has the luxury of being a side effort or afterthought. Developing a company’s security position, creating a data breach incident response plan, or undertaking the organizational development to create a CISO office takes analysis, industry insight and strategy development, all areas where consultants with experience in data and information security can help.

This blog post originally appeared on Enaxis Consulting’s website.