Over the last several years, many well-known organizations have faced the consequences of highly publicized data breaches. These breaches directly impact an organization's most valuable asset: its customers.
Since early 2005, the Privacy Rights Clearinghouse has documented breaches involving more than 100 million records containing consumers' personal information. The ramifications for organizations that experience a breach, in lost revenue, lawsuits, fines and, most significantly, the lasting public perception of being insecure, are difficult to quantify and long-lasting.
After a data breach, organizations are forced to spend time and money regaining consumer trust. Often, they respond to an incident by tightening their network-centered security: restricting VPN access, or otherwise locking down access to sensitive data. However, outsourced services, electronic commerce and debit/credit card use have caused the volume of sensitive data transmitted electronically, outside of secure corporate networks, to grow rapidly. Because organizations are held accountable for compromised data regardless of where the exposure or loss occurs, they must find a way to secure information as it moves beyond the corporate network.
Taking responsibility for your brand in a world of unequal risk
As information is exchanged between enterprises, it must remain secure, both in transit and wherever it is stored. In theory, all parties that interact with sensitive data would shoulder equal risk - and therefore equal responsibility for the security of that data. However, in practice, the various parties exchanging data shoulder unequal risk for its protection. In most cases, the company with the more established and well-known brand will suffer the greatest consequences from a breach, while the lesser known company will rarely make the headlines, even if they were the responsible party.
Because the larger company tends to represent the more fungible part of the exchange (a credit card processor, for example), it is easy and inexpensive for the customer to switch providers. Customer unhappiness with the lesser known partner, by contrast, is rarely permanent: people are unlikely to abandon their family doctor or their favorite source of apparel because of a breach. A credit card processor enjoys no such loyalty or intimacy with customers. This inequality of risk applies to most business communities.
Unequal risk frequently creates irreconcilable differences among enterprises over the steps each will take to protect information. Because the company with the most brand equity carries the most risk, it bears the greater responsibility to find a solution for securing the data exchange that its partners will be willing to adopt.
Protecting your data = protecting your brand
To guard its brand name and its own interests, an organization must take a proactive stance on protecting sensitive information as it is exchanged with external partners. This means finding a solution that secures the information wherever it goes, both inside and outside corporate firewalls. By encrypting data as it is exchanged between business partners, sensitive data remains secure regardless of where it resides, provided the keys are managed with the same care as the data itself. This data-centric approach also lets sponsoring organizations attach security policies to encrypted information as it is provided to their partners.
Since lesser known partners have no brand name of comparable value to protect, their willingness to sacrifice cost, time or management oversight to protect information is virtually nonexistent. Believing that they must bear increased operational costs and complexity further increases their reluctance to join a security initiative. Typically, these organizations view adding security to their operations as an unnecessary burden and expense, with little or no return on the investment.
It is also important to realize that each partner subscribes to different business agendas and uses various data security protocols. Therefore, solving the data exchange dilemma entails more than developing a program that simply secures data. A true solution goes further than security — it offers flexibility that satisfies the operational needs of all partners. Here are some things sponsoring organizations should keep in mind when looking for a data-centric security solution that extends to their partners:
- Ease of Use - In order for a data security initiative to be successful, the chosen solution must be cost effective, easy to use and cause little disruption to your partners' workflow.
- Scalability - A data security solution should operate as effectively on one computer as on one million. CIOs should seek solutions that use a hierarchical security model compatible with X.509 standards-based certificate authorities.
- System Neutral - A data-security solution must accommodate the uniqueness of partners' environments by working across many computing platforms, regardless of operating system or how many systems and configurations are involved.
- Operate seamlessly - Whether data is transported via automated scripts on a mainframe or sent "interactively" from desktops that call up an encryption program as needed, it must perform seamlessly or users will be less motivated to apply the policy.
- Authentication - Effective data-security technology authenticates the sender and detects tampering, for example through digital signatures or authenticated encryption. Encryption alone does not reveal whether ciphertext was altered in transit, so integrity protection must be an explicit feature.
- Policy Enforcement - As outlined above, ensuring data is protected once it leaves the organization requires that security policies and best practices extend to external partners. Administrative features that let organizations set and enforce policies, so that even "unconscious" users of encryption keep the organization's information secure, are essential.
- Recoverability - Staff turnover creates risk: employees with special IT privileges take critical knowledge of corporate systems, and sometimes the only copy of a key or pass-phrase, with them when they leave. CIOs should ensure that any product they implement offers a key-recovery process so that encrypted data can still be unlocked.
- Future Proof Your Solution - Regardless of whether your organization currently operates a PKI (digital certificate) environment, the encryption solution you choose should let users work with any security infrastructure, whether public-key certificates or pass-phrases, in the encryption and decryption process.
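To make the Authentication, Policy Enforcement and Recoverability items concrete, here is an added example in Go. It is not PKWARE's code and the container format, function names and sample payload are all constructed for illustration. The payload is encrypted once under a random data key with AES-256-GCM, the policy label rides along as authenticated data so a recipient can read it but not alter it, and the data key is wrapped with RSA-OAEP for each recipient, including a recovery key held by the sponsoring organization. A partner without a certificate would receive the same data key wrapped under a key derived from a pass-phrase with a password KDF such as PBKDF2; that path is left out here to keep the example short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a container defined for this example (an assumption, not a PKWARE
// format): a random data key protects the payload under AES-256-GCM and is wrapped
// once per recipient with RSA-OAEP. The policy label is GCM additional data.
type Envelope struct {
	Policy     []byte   // e.g. "classification=confidential;retention=90d"
	Nonce      []byte   // 96-bit GCM nonce, fresh for every envelope
	Ciphertext []byte   // payload ciphertext with the 16-byte GCM tag appended
	Wrapped    [][]byte // data key wrapped for each recipient, in recipient order
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a programming error
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an entropy failure must not be papered over
	}
	return b
}

// NewKey generates a 2048-bit RSA key pair (a partner key or the sponsor's recovery key).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts plaintext once and wraps the data key for every recipient. The sponsor
// lists its own recovery key as a recipient, so data stays readable after staff leave.
func Seal(plaintext, policy []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("at least one recipient is required")
	}
	dataKey := random(32)
	env := &Envelope{Policy: policy, Nonce: random(12)}
	env.Ciphertext = gcm(dataKey).Seal(nil, env.Nonce, plaintext, policy)
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
		if err != nil {
			return nil, err
		}
		env.Wrapped = append(env.Wrapped, w)
	}
	return env, nil
}

// Open unwraps the data key in slot idx with priv and decrypts the payload. A modified
// ciphertext, nonce or policy, or a non-recipient key, yields an error, never garbage.
func Open(env *Envelope, idx int, priv *rsa.PrivateKey) ([]byte, error) {
	if idx < 0 || idx >= len(env.Wrapped) {
		return nil, errors.New("no recipient slot at that index")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.Wrapped[idx], nil)
	if err != nil {
		return nil, errors.New("private key does not unwrap this recipient slot")
	}
	pt, err := gcm(dataKey).Open(nil, env.Nonce, env.Ciphertext, env.Policy)
	if err != nil {
		return nil, errors.New("integrity check failed: envelope was modified")
	}
	return pt, nil
}

func main() {
	partner, recovery := NewKey(), NewKey()
	env, err := Seal([]byte("constructed sample: settlement batch 0042"),
		[]byte("classification=confidential"), []*rsa.PublicKey{&partner.PublicKey, &recovery.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, openErr := Open(env, 1, recovery) // slot 1 is the sponsor's recovery key
	env.Policy = []byte("classification=public") // a partner tries to downgrade the label
	_, err = Open(env, 0, partner)
	fmt.Printf("recovery key reads %q (%v); after label change: %v\n", pt, openErr, err)
}
```

Two design points matter for the checklist. Tamper detection comes from the GCM tag, not from encryption as such: a block mode without authentication would decrypt an altered envelope into silently corrupted plaintext. And the recovery slot is what turns "Recoverability" from a paperwork exercise into a property of the data itself, so the recovery private key deserves the strongest custody the organization has, such as an HSM with split control. Which public keys are accepted as recipients would, in a PKI deployment, be decided by validating each partner's X.509 certificate chain; that validation step is outside this example.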
By implementing a solution that overcomes the objections of cost and time, a sponsoring organization is able to support a data-security solution that will protect data regardless of where it is, and where it goes. Your brand is your responsibility and it is imperative that you take the necessary steps to secure data both within your organization and as it travels outside your corporate network to partners, protecting not only your sensitive information, but your company's valued brand name as well.
-Joe Sturonas is CTO of PKWare.