Well-publicized breaches, such as Choice Point (February 2005), the U.S. Department of Veterans Affairs (May 2006), and TJX (January 2007) have exposed the information of millions of individuals, resulting in a steep increase in identity theft. The organizations involved not only suffered financial consequences, but also lost customer trust and damaged their reputations, particularly because intellectual property is equally at risk. Combining innovative technology solutions with a comprehensive data protection strategy that incorporates security best practices should become a business priority for every organization.
The days when customer data existed only in a virtual glass castle topped by guard turrets with guns and protected by a moat are long past. Today, data on customers, partners and employees resides everywhere. In fact, many organizations don't know where all their data is located. New hand-held devices have made it easy to move data outside the network and company walls. New business practices that rely on mobile workforces and worldwide communications make the need to protect data-at-rest and data-in-motion critical. Thinking about how best to provide end-to-end protection for the data itself is now as important as securing a particular device or location.
Internal and external threats. Media attention has focused on lost or stolen laptops and backup tapes containing financial and other personal information, such as Social Security numbers. However, internal risks to data in the form of intellectual property are an equal concern if businesses are to remain competitive. The loss of intellectual property can damage whole markets and impact the value of a company. It can also have a huge economic impact on the country and significant implications for our position as a global technology innovator.
Regulatory compliance. Another factor is the need to comply with regulatory notification requirements in more than 30 states in the U.S. A recent study by The Ponemon Institute found that it cost companies nearly $200 per customer record lost. In the case of the Veterans Affairs' stolen laptop, which exposed more than 28 million records, the resulting costs can be astronomical.
Brand damage. Organizations must be aware of the damage a data breach could have on their reputation and brand. This aspect of data protection is less tangible but equally important. Just as patients need to trust the doctors who care for them, consumers need to be able to trust the organizations with which they do business to take the proper precautions needed to care for their information.
Best practices for data protection
Let me be blunt: Until recently, protecting sensitive data has not been a business priority for many. As these incidents prove, however, the "it won't happen to me" approach is not an effective data protection strategy. Every company should identify its sensitive data — that is, the data that could cause harm to its employees, customers and shareholders if and when there is a data breach.
Here are five best practices for protecting data and intellectual property:
1. Build awareness at the executive level
As security professionals, we need to do a better job of educating executives that data protection involves multiple components: people, processes and technology. CxOs need to view data protection as a business imperative. As new products and services are offered, CxOs should include assurance that services are secure and compliant with relevant regulations. CxOs also must be prepared to do the right thing by their customers and shareholders if something goes wrong.
2. Create a comprehensive data security strategy
Companies need to understand today's threat environment and figure out how they'll handle the situation before it happens. They need to know what plans are in place to protect data, to detect potential problems and to respond to and recover from a data breach, if necessary.
3. Invest in data protection technology
Just as the automobile helps us go places safely if it's been properly serviced and has good tires and brakes, technical solutions are enablers that allow us to protect sensitive data.
Encryption is a key element of any data protection plan. In fact, encrypting data can dramatically reduce the risk of data being compromised or lost, and reduce the need for notification, even in a regulatory environment.
Key management is another important capability to ensure business continuity in today's distributed data environment. To be effective, key management should work across multiple platforms, protecting the data and enabling recovery whether it's on a BlackBerry, a laptop, removable media or a mainframe.
Access to data should be managed by policy and available only to those who need it. Today, collaboration is a standard business practice. Organizations need to facilitate collaboration while also protecting sensitive data from unauthorized individuals.
Data management and data loss prevention technologies play a critical role in knowing where your data is at all times. These technologies enable organizations to have effective controls for managing data-at-rest and data-in-motion.
4. Share responsibility for protecting assets
Nearly everyone within an organization creates, shares and stores sensitive corporate and customer data on a daily basis. Companies should clearly identify roles and responsibilities for protecting data. The development of clear, repeatable processes is essential to the overall framework for data protection. When aligned with the roles and responsibilities, this approach positions the organization to continuously improve its overall program.
5. Test and refine your data protection plan
Practice your data protection strategy before it's needed to make sure you are ready. If you do have an incident, follow the established procedures. Bring everyone back together afterward to discuss what worked and what didn't work. This process will allow you to refine and improve the plan.
In the next decade, increased priority will be placed on how to protect the data, rather than on simply restricting access or securing the network perimeter. That means enterprise data protection needs to be an evolving discipline that can be improved over time. By including data protection in technology protection, you'll be in a better position to protect your customers, shareholders and employees. Bottom line: You'll ultimately protect your brand.
- Rhonda MacLean is CEO of MacLean Risk Partners, LLC.
Before founding the risk-management consulting firm that bears her name, MacLean led Bank of America's Corporate Global Information Security Group, where she oversaw security policy development, cyber investigations, computer forensics, and other related areas.
Prior to that position, she was responsible for information security at The Boeing Company. MacLean was appointed the first chairperson of the U.S. Treasury's Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. In addition to continuing to serve as chairperson emeritus of the Council, she sits on the Global Council of CSOs and holds the title of Distinguished Senior Fellow from Carnegie Mellon University's CyLab. The Executive Women's Forum in 2003 named Ms. MacLean one of five "Women of Vision" shaping the information security industry.