Monday, July 22, 2019

Information Security, Why is it so necessary?



Facebook is facing a 5 Billion fine for privacy issues
https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html

Google has reportedly reached a multimillion-dollar settlement with the US Federal Trade Commission over alleged violations of children's data privacy laws on YouTube.
https://www.cnet.com/news/google-reportedly-fined-millions-by-ftc-over-childrens-privacy-on-youtube/

Here we can see the top 20 fines imposed on companies for security failures and lack of information control:
https://iapp.org/resources/article/top-20-government-imposed-data-privacy-fines-worldwide-1999-2014/

Ex-Microsoft dev used test account to swipe $10m in tech giant's own store https://www.theregister.co.uk/2019/07/17/exmicrosoft_engineer_arrested_fraud/


Are fines the main reason a company should invest in security?
NO!
Fines are emergency alerts, and since alerts surface only about 20% of the overall security problems in an environment, we simply cannot fathom how many security issues are rampant in the wild.

Information Security is concerned with protecting both industry secrets and public information: preventing unauthorized agents from accessing it and barring changes that would jeopardize its integrity.

The rapid growth and widespread use of electronic data processing, and of electronic business conducted over the internet, have given more and more people access to data they previously could not reach, and technical knowledge makes it easier to tap into the communication medium and read anything transmitted.

What all of this means is: if you are not protecting your company's assets because it is "too expensive", you may be trying to maximize profit, but by not investing in security you are also increasing your risk of losing intellectual and/or operational assets, or of causing punitive damages to your clients.

You see, information is the current trading currency. Let's go to the bottom line: credit card numbers, personal information for fraudulent loans, etc. Things escalate from there, and not protecting data is not an acceptable way to save a few pennies.
From the company's point of view, process intelligence, the company directory and bank accounts should likewise be kept out of reach of these criminal elements, and this cost should always be part of every project.

If your company is fined, it is probably at a higher risk than you realize; the fine should be the least of your concerns.

What to do in case a breach is identified?

First things first: you have to close the breach. In movies they take their time while the breach is open to "catch the culprit", but in reality, if the attacker got in, they have most likely already taken as much information as they were going to take. Your priority is to close the gap: find the backdoor, or simply block the connection port on the firewall.
Once the breach is closed, assess the damage: find out what was accessed, deleted, copied or modified, and do it ASAP. Time is of the essence here, because once users come back in they will muddy the evidence unless you have it properly preserved and separated.
Once these steps are done you can use forensics to "fingerprint" the intrusion: identify what they wanted, attempt to identify them, and prevent this situation from repeating in the future.
File a full report in case you need to report the incident to an authority; financial companies, for example, need to report to their partners, brand holders and law enforcement.

Can I save money by skipping security if my company is small?


Some companies seem to think they can absorb the pain; even some banks in Latin America have been known to pay off their attackers to hide the fact that they were breached, allowing them to avoid reporting it to the public in order to "avoid losing customers' confidence".
The truth is that you should not. This is irresponsible behavior and it will cost you sooner rather than later; the possibilities are endless. A company left open to cybercriminals is a gold mine for them, and it remains traceable and responsible for whatever they do using your hard-earned assets as their platform.

Please remember: Security is not an Option


