Customers Trust. Whitepaper

Transcription

1 Steps to improve your Data Security and ensure your Customers Trust intimus consulting is a division of the MARTIN YALE GROUP Bergheimer Strasse Markdorf / Germany Steps to improve your Data Security and ensure your Customers Trust Whitepaper

2 Steps to improve your Data Security and ensure your Customers Trust Summary Information security is not just a marginal activity for today s companies; it is central to a company s daily operations, brand image and customer relationships. The way that a company handles its information security procedures reflects on every other aspect of how the company is run and what the company stands for. If a company has conscientious, thorough information security practices, its customers can feel confident that their information will be protected. On the other hand, if a company has disorganized, erratic information security practices that company is more likely to end up in the news as the latest example of corporate information assurance gone wrong. Steps to improve your Data Security and ensure your Customers Trust 2

3 Content Increasing Threats to Data Security 4 Recommendations 5 Conclusion 11 Company Profile 13 Contact Details 13 Steps to improve your Data Security and ensure your Customers Trust 3

4 Increasing Threats to Data Security Even the best-laid information security plans can still fail to prevent data breaches. To some extent, many senior executives are starting to take the position that data breaches are bound to occur; it s not a matter of if but when. According to a recent survey of CEOs and senior executives, 82% reported that their organization had experienced a data breach, and most were not confident that they would be able to prevent a data breach during the next 12 months. 1 One challenge for every information security officer is that the threats to data security are multiplying fast; every day, billions of bytes of information are created, stored, shared and disseminated to millions of people all over the world. Organized networks of cyber criminals lurk online, checking for weaknesses in corporate firewalls, looking for ways to steal credit card numbers, identity information and other sensitive data. In addition to the newly created information and the ever-evolving threats of cybercrime, many companies are vulnerable to old-fashioned threats posed by improperly handled paper records, or by years-old archives of information stored on obsolete formats of data storage devices. Any of these magnetic data storage devices or optical storage media could expose a company to lawsuits and embarrassing publicity if they were to fall into the wrong hands. Confidential customer information, trade secrets, and other sensitive information need to be protected. This is one of the major challenges for business leaders in our time. The full scope of information that could potentially pose a risk, and the full range of threats, is unprecedented in human history. But does that mean that data breaches are inevitable? Are companies forced to just stand by, and hope to mitigate the worst effects of data theft? 1 Ponemon Institute, The Business Case for Data Protection (July 2009), pg. 17. Steps to improve your Data Security and ensure your Customers Trust 4

5 Recommendations Just because data security is increasingly complex, costly and risky does not mean that companies are helpless to prevent data breaches. There are many steps that companies can take in order to better manage their risks, maintain the trust of their customers, and preserve their reputations. Develop an information security strategy: Data protection is not a matter just for the Legal department, Compliance team or Information Technology staff; it is a matter of strategic importance to the company and must be addressed at the highest levels of the company by creating a comprehensive strategy. The company needs to establish overarching goals, best practices and key principles for how its information is going to be managed, including record retention schedules, designated contact persons for information security questions, and compliance teams to monitor and enforce the information security policy. Enforce the overall information security strategy: Senior management needs to create a reporting structure for information security to ensure that people are held accountable for complying with the strategy. Errors and failures to comply need to be noted, reported and followed up information security is an ongoing process, and whenever a weakness is discovered, it needs to be investigated and corrected so that the overall information security system continues to strengthen and evolve. Connect the information security strategy to the overall vision and values of the organization make sure that people understand on a fundamental level that information security is an important part of the company s mission. Provide training for employees (including temporary employees and contractors): All employees need to receive thorough training in how to safeguard sensitive information, how long to retain various types of information, and how to properly dispose of sensitive documents and data storage devices. The company s top leaders need to continually communicate the information security policy and strategy to all levels of the organization; people need to be regularly reminded of the importance of sound practices and diligent attention to detail. Even the smallest mistake or oversight can lead to damaging consequences. Steps to improve your Data Security and ensure your Customers Trust 5

6 Put data security controls in place: According to a 2008 study from the Verizon Business Risk Team, 87% of data breaches could have been avoided if reasonable data security controls had been in place. The study says, Traditionally, organizations have aligned their focus on building security controls around the network perimeter, and in many cases, have turned a blind eye toward data within the network. While a strong network perimeter is important, it cannot be the only or even the main layer of protection around sensitive information assets. Information itself wherever it flows must be the focus of security efforts. 2 Many companies focus on building strong firewalls and other external security measures, but they fail to monitor their internal data security measures which are often the ones that are more important in preventing data breaches. Back up company policy with actual processes: Also according to the Verizon 2008 study, in 59% of data breaches, the victim organizations had formal policies in place, but did not enact the policies with actual processes. 3 This means that these companies did not keep their promises to themselves; they knew what needed to be done, but they failed to do it. It s not enough to write detailed policies and grand visions of what the company is going to do about information security; the work also has to be implemented and brought to life in everyday operations. Test, test, test: Companies also need to include compliance checks and testing as part of their information security operations it s not high-tech or glamorous, but it s one of the best ways to reliably ensure that a company s data security plans are actually being carried out. 2 Verizon Business Risk Team, 2008 Data Breach Investigations Report, pg Ibid. Steps to improve your Data Security and ensure your Customers Trust 6

7 Data thieves look for weaknesses plan accordingly: According to the Verizon study, the overwhelming majority of data breaches were achieved by attacks that were not considered difficult (83%) or by opportunistic attacks (85%). 4 This illustrates a point that is well-known to many police detectives: most criminals are lazy and unimaginative. Given the choice between picking the lock of a complex network firewall, or picking up a box of improperly discarded documents and data storage devices, most data thieves will take the easy way out every time. Companies are more likely to have their data security compromised by the small stuff (improperly disposed documents and storage devices) rather than be vanquished in a technological wizard s duel by a sophisticated cyber criminal. 4 Ibid. Steps to improve your Data Security and ensure your Customers Trust 7

8 Take care of storage media: In the Ponemon Institute s survey of CEOs, 22% of respondents said that incorrect disposal of storage media was the greatest risk to sensitive data at their organizations this was the third highest rated response. 5 There are many steps that companies can take to properly dispose of their storage media, ranging from shredding (paper), to Secure Erase (hard disk drives), to grinding (optical storage media CDs and DVDs), degaussing (hard disk drives and other magnetic storage media) and disintegration (other solid state media). Companies that are serious about information security have more weapons at their disposal than ever before there s no excuse for improper disposal of storage media; if it contains information that might potentially pose a risk, it s worth making an investment in the equipment to properly dispose of the media. Bar Chart 1: from Ponemon Institute, The Business Case for Data Protection (July 2009), pg Ponemon Institute, The Business Case for Data Protection (July 2009), pg. 8. Steps to improve your Data Security and ensure your Customers Trust 8

9 Take precautions with business partners: A company s information security is ultimately only as strong as the practices of that company s business partners vendors, suppliers, contractors, and other entities who might deal with the company. Business partners were implicated knowingly or unknowingly in 32% of all data breaches, according to the 2009 Verizon Data Breach Investigations Report. 6 To keep business partners from exposing a company to risk, it is important to measure business partners security controls, include clear language in contracts that refers to responsibilities and liabilities for data breaches, and avoid divulging any sensitive information to a business partner that is not on a need to know basis. According to the Ponemon Institute, while the average cost of a data breach (during 2008) was $6.65 million, the per victim cost of data breaches involving outsourced data was $52 higher. 7 This indicates that a lot of companies would benefit from implementing better vendor management programs to monitor their business partners data security practices after all, any time a company shares information beyond its walls, there is a chance that the information can be lost, stolen or mishandled. Create a data retention plan: According to the Verizon 2008 report, 66% of data breaches involved data that the victim organization did not know was there. 8 What a company doesn t know can definitely hurt. This is one reason why it is so important for every company to have a data retention plan/record retention schedule as part of its overall information security strategy. Companies need to know what kind of data they have and how much of it there is. They need to know where the information is stored, who has access to the information, and how long the information needs to be kept. Companies should also adopt a when in doubt, throw it out approach unless there is a compelling business need, companies should avoid creating additional copies of old data, or holding on to data storage devices longer than necessary. If the information is no longer sitting around in storage, it is no longer a threat. 6 Verizon Business Risk Team, 2009 Data Breach Investigations Report, pg CIO, Costs of a Data Breach: Can You Afford $6.65 Million? Dr. Larry Ponemon, Feb. 4, Verizon Business Risk Team, 2008 Data Breach Investigations Report, pg. 26 Steps to improve your Data Security and ensure your Customers Trust 9

10 Create an incident response plan: Hope for the best, plan for the worst this principle also applies to information security. Companies need to do what they can to prevent data breaches, but in the event that a data breach occurs, companies need to be prepared. An incident response plan will allow the company to assess the situation, collect evidence, determine the scope of the breach, contact affected customers, and work with law enforcement and regulatory agencies as needed. Data breaches are not inevitable, but if one occurs, the company must be ready to respond and move forward with confidence and a calm sense of direction. In the event of a data breach, act with all deliberate speed. Make sure you understand the applicable laws and reporting requirements for your location; depending on the situation, not every data breach needs to be publicly announced and reported, especially if no individual people s information was compromised. If you do have a data breach that requires reporting, be prepared to act fast. Make sure to notify the affected people as soon as reasonably possible; don t let the local news media spread the story before you ve had a chance to contact the people whose data has been compromised. Also be prepared to offer detailed information and assistance to customers or business partners affected by the data breach as Dr. Larry Ponemon says, Don't just give a script to the call agents -- give out a toll-free number where people can reach someone with enough internal knowledge to get them to the right person." 9 9 CIO, What, When and How to Respond to a Data Breach. Lamont Wood, April 27, Steps to improve your Data Security and ensure your Customers Trust 10

11 Conclusion Data breaches are not inevitable. Companies do not have to resign themselves to data theft, costly problems and embarrassing news headlines. There are many ways that companies can reduce their risk of data breaches while boosting their customers confidence and there is definitely a connection between these two goals; information security is not just a matter for IT and internal operations; it is also a matter that affects marketing and sales. 57% of CEOs surveyed said that information security increases the value of their companies by increasing customer loyalty and reducing customer turnover, and 80% said that information security helps to improve their overall brand image. 10 With customers more concerned than ever about identity theft and the various mysterious and complicated risks of doing business in an online, interconnected world, customers are more likely to turn to companies that can promise (and deliver) a robust, thorough and well-thought-out information security policy. By developing a comprehensive strategy for information security, putting good processes in place, training employees (and contractors), keeping control of digital storage media, understanding business partners information security practices, and creating good plans for data retention and emergency response in case of a data breach, companies can mitigate the biggest risks and enjoy the biggest benefits. A good information security strategy with the right training, the right equipment and the right advice is an investment, but it s an investment worth making. According to the CEOs surveyed by the Ponemon Institute, the average ROI of information security programs was 4.3 to 1 $4.30 in cost savings and revenue improvements for every $1 spent. 11 Preventing data breaches does not have to be a losing battle. In fact, it can even show positive gains for a company s bottom line! 10 Ponemon Institute, The Business Case for Data Protection (July 2009), pg Based on a median extrapolated value of $16 million in cost savings or revenue improvements from data protection efforts, divided by a median extrapolated value of $3.7 million annual budget dedicated to data protection. Ponemon Institute, The Business Case for Data Protection (July 2009), pgs Steps to improve your Data Security and ensure your Customers Trust 11

12 Most importantly, a company s information security efforts are a reflection of that company s strategic vision, core values and fundamental ability to execute. Customers are going to pay closer attention to companies records on information security as the world becomes more interconnected and more transactions and sensitive information move online, customers are going to be increasingly interested in working with companies who they can trust with their information. Despite the many amazing technologies available in the modern business world, so much of business is still based on simple trust. Companies that embrace this truth will be well positioned for future success. Steps to improve your Data Security and ensure your Customers Trust 12

13 Company Profile Data protection was something unheard of when the first shredders were introduced in the 1960 s. Starting with the "electronic wastepaper basket" INTIMUS Simplex in 1965 the product range nowadays meets all the requirements imposed with regard to information assurance. It does not only contain devices for the shredding of classical data media, such as print outs, computer lists or even complete folders, but also features machines to destroy information on modern endpoint devices like CDs, floppy disks, Hard Disk Drives and Solid State Media. intimus Security Consulting is a concept to assist organisations worldwide to define, implement and monitor procedures for information security beyond the endpoint. More information is available under The MARTIN YALE GROUP was formed in 2003 by the former individual organisations MARTIN YALE Industries (North America) and Schleicher International (Germany). Today the Group has got an extensive worldwide distribution network with 7 branch offices and over 150 distributors. Contact Details MARTIN YALE GROUP Bergheimer Strasse Markdorf / Germany Tel / (0) / Fax 0049 / (0) / mailto: strunz@martinyale.de Steps to improve your Data Security and ensure your Customers Trust 13