
Steps to improve your Data Security and ensure your Customers' Trust

Whitepaper

intimus consulting is a division of the MARTIN YALE GROUP
Bergheimer Strasse 6-12, 88677 Markdorf / Germany
www.intimusconsulting.com

Summary

Information security is not a marginal activity for today's companies; it is central to a company's daily operations, brand image and customer relationships. The way a company handles its information security procedures reflects on every other aspect of how the company is run and what it stands for. If a company has conscientious, thorough information security practices, its customers can be confident that their information will be protected. If, on the other hand, its information security practices are disorganized and erratic, that company is more likely to end up in the news as the latest example of corporate information assurance gone wrong.

Contents

Increasing Threats to Data Security
Recommendations
Conclusion
Company Profile
Contact Details

Increasing Threats to Data Security

Even the best-laid information security plans can still fail to prevent data breaches. To some extent, many senior executives are starting to take the position that data breaches are bound to occur; it is not a matter of if but when. In a recent survey of CEOs and senior executives, 82% reported that their organization had experienced a data breach, and most were not confident that they would be able to prevent one during the next 12 months. [1]

One challenge for every information security officer is that the threats to data security are multiplying fast: every day, enormous volumes of information are created, stored, shared and disseminated to millions of people all over the world. Organized networks of cyber criminals probe corporate networks for weaknesses, looking for ways to steal credit card numbers, identity information and other sensitive data.

In addition to newly created information and the ever-evolving threats of cybercrime, many companies remain exposed to old-fashioned threats: improperly handled paper records, and years-old archives stored on obsolete magnetic or optical storage media. Any of these devices or media could expose a company to lawsuits and embarrassing publicity if they fell into the wrong hands.

Confidential customer information, trade secrets and other sensitive information need to be protected. This is one of the major challenges for business leaders in our time: the scope of information that could pose a risk, and the range of threats against it, is unprecedented. But does that mean that data breaches are inevitable? Are companies forced to stand by and hope to mitigate the worst effects of data theft?

[1] Ponemon Institute, The Business Case for Data Protection (July 2009), p. 17.

Recommendations

Just because data security is increasingly complex, costly and risky does not mean that companies are helpless to prevent data breaches. There are many steps that companies can take to better manage their risks, maintain the trust of their customers and preserve their reputations.

Develop an information security strategy: Data protection is not a matter for the Legal department, the Compliance team or the Information Technology staff alone; it is of strategic importance to the company and must be addressed at the highest level by creating a comprehensive strategy. The company needs to establish overarching goals, best practices and key principles for how its information is to be managed, including record retention schedules, designated contact persons for information security questions, and compliance teams to monitor and enforce the information security policy.

Enforce the information security strategy: Senior management needs to create a reporting structure for information security so that people are held accountable for complying with the strategy. Errors and failures to comply need to be noted, reported and followed up. Information security is an ongoing process: whenever a weakness is discovered, it needs to be investigated and corrected so that the overall information security system continues to strengthen and evolve. Connect the information security strategy to the overall vision and values of the organization, and make sure that people understand on a fundamental level that information security is an important part of the company's mission.

Provide training for employees (including temporary employees and contractors): All employees need thorough training in how to safeguard sensitive information, how long to retain various types of information, and how to properly dispose of sensitive documents and data storage devices. The company's top leaders need to communicate the information security policy and strategy to all levels of the organization continually; people need to be reminded regularly of the importance of sound practices and diligent attention to detail. Even the smallest mistake or oversight can lead to damaging consequences.

Put data security controls in place: According to a 2008 study by the Verizon Business Risk Team, 87% of data breaches could have been avoided if reasonable data security controls had been in place. The study says: "Traditionally, organizations have aligned their focus on building security controls around the network perimeter, and in many cases, have turned a blind eye toward data within the network. While a strong network perimeter is important, it cannot be the only or even the main layer of protection around sensitive information assets. Information itself, wherever it flows, must be the focus of security efforts." [2] Many companies concentrate on building strong firewalls and other external security measures but fail to monitor their internal data security measures, which are often the ones that matter more in preventing data breaches.

Back up company policy with actual processes: Also according to the 2008 Verizon study, in 59% of data breaches the victim organizations had formal policies in place but had not implemented them with actual processes. [3] In other words, these companies did not keep their promises to themselves: they knew what needed to be done, but they failed to do it. It is not enough to write detailed policies and grand visions of what the company is going to do about information security; the work also has to be implemented and brought to life in everyday operations.

Test, test, test: Companies also need to include compliance checks and testing as part of their information security operations. It is not high-tech or glamorous, but it is one of the most reliable ways to make sure that a company's data security plans are actually being carried out.

[2] Verizon Business Risk Team, 2008 Data Breach Investigations Report, p. 26.
[3] Ibid.

Data thieves look for weaknesses, so plan accordingly: According to the Verizon study, the overwhelming majority of data breaches were achieved by attacks that were not considered difficult (83%) or by opportunistic attacks (85%). [4] This illustrates a point well known to police detectives: most criminals are lazy and unimaginative. Given the choice between picking the lock of a well-configured network perimeter or picking up a box of improperly discarded documents and data storage devices, most data thieves will take the easy way out every time. Companies are more likely to have their data security compromised by the small stuff (improperly disposed documents and storage devices) than to be vanquished in a technological wizard's duel by a sophisticated cyber criminal.

[4] Ibid.

Take care of storage media: In the Ponemon Institute's survey of CEOs, 22% of respondents said that incorrect disposal of storage media was the greatest risk to sensitive data at their organizations; this was the third highest rated response. [5] There are many ways for companies to dispose of storage media properly, ranging from shredding (paper) to Secure Erase (hard disk drives), grinding (optical media such as CDs and DVDs), degaussing (hard disk drives and other magnetic media) and disintegration (other solid state media). Companies that are serious about information security have more tools at their disposal than ever before, so there is no excuse for improper disposal of storage media: if a medium contains information that might pose a risk, it is worth investing in the equipment to dispose of it properly.

[Bar Chart 1: from Ponemon Institute, The Business Case for Data Protection (July 2009), p. 8.]

[5] Ponemon Institute, The Business Case for Data Protection (July 2009), p. 8.
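Disposal only counts once it has been verified: a Secure Erase or overwrite pass that was interrupted, or that a drive's firmware silently skipped, leaves readable data on a medium that the asset register marks as sanitized. The script below is an added example, not code from the whitepaper or from intimus: it reads a disk image (or, run as root, a block device such as /dev/sdb) back in 4 KiB blocks and reports every run of blocks that is not a single fill value. It assumes a sanitized medium reads back as all 0x00 or all 0xFF (the latter is how some flash media report erased cells); any other content is treated as residual data. The sample image it builds is constructed test data with two planted remnants.

```python
"""Verify that a sanitized disk image (or block device) holds no residual data.

Added example, not code from the intimus whitepaper. After ATA Secure Erase,
an overwrite pass or a reimage following degaussing, the medium should read
back as one fill value; this script reads it back in blocks and reports any
block that does not. Assumption: a sanitized medium returns all 0x00 (or all
0xFF for some flash media); anything else is residual data. On real hardware
pass a device path such as /dev/sdb and run as root; the sample below uses a
constructed image file so it runs offline.
"""
import os
import tempfile

BLOCK = 4096  # read granularity; one region is reported per run of dirty blocks


def find_residual_regions(path, block_size=BLOCK):
    """Return [(offset, length), ...] for runs of blocks that are not uniform.

    A block is clean if every byte is 0x00 or every byte is 0xFF. Consecutive
    dirty blocks are merged into one region so a multi-block remnant is
    reported once.
    """
    regions = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(block_size)
            if not block:
                break
            clean = block == bytes(len(block)) or block == b"\xff" * len(block)
            if not clean:
                if regions and regions[-1][0] + regions[-1][1] == offset:
                    start, length = regions[-1]
                    regions[-1] = (start, length + len(block))
                else:
                    regions.append((offset, len(block)))
            offset += len(block)
    return regions


def is_sanitized(path, block_size=BLOCK):
    """True only if no residual region was found; the medium may be released."""
    return not find_residual_regions(path, block_size)


def make_sample_image(dir_path, blocks=64):
    """Write a constructed 'after erase' image with two planted remnants.

    Constructed test data (not a real drive): a zero-filled image in which one
    customer record survived inside block 10 and a second remnant straddles
    blocks 29 and 30, the kind of residue an interrupted overwrite leaves.
    """
    path = os.path.join(dir_path, "sample_after_erase.img")
    record = b"CUSTOMER 0042;Jane Example;card 4111111111111111;exp 12/30"
    with open(path, "wb") as f:
        f.write(bytes(blocks * BLOCK))
        f.seek(10 * BLOCK + 100)
        f.write(record)
        f.seek(30 * BLOCK - 10)
        f.write(b"\x55" * 20)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = make_sample_image(d)
        for start, length in find_residual_regions(img):
            print(f"residual data at offset {start} ({length} bytes)")
        print("sanitized" if is_sanitized(img)
              else "NOT sanitized: do not release this medium")
```

Run against the constructed image, the check reports a 4 KiB region at block 10 and an 8 KiB region covering blocks 29 and 30, and refuses to call the medium sanitized. A full read-back is the conservative choice for drives leaving the building; for large fleets, the same function can be pointed at a random sample of offsets, which is the verification approach NIST SP 800-88 describes for sanitized media.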

Take precautions with business partners: A company's information security is ultimately only as strong as the practices of its business partners: vendors, suppliers, contractors and any other entity that deals with the company. Business partners were implicated, knowingly or unknowingly, in 32% of all data breaches, according to the 2009 Verizon Data Breach Investigations Report. [6] To keep business partners from exposing the company to risk, measure their security controls, include clear contract language on responsibilities and liabilities for data breaches, and share sensitive information with a partner only on a need-to-know basis. According to the Ponemon Institute, while the average cost of a data breach during 2008 was $6.65 million, the per-victim cost of breaches involving outsourced data was $52 higher. [7] This indicates that many companies would benefit from better vendor management programs that monitor their business partners' data security practices; after all, whenever a company shares information beyond its walls, there is a chance that the information will be lost, stolen or mishandled.

Create a data retention plan: According to the 2008 Verizon report, 66% of data breaches involved data that the victim organization did not know was there. [8] What a company does not know can definitely hurt it. This is one reason why every company should have a data retention plan and record retention schedule as part of its overall information security strategy. Companies need to know what kinds of data they have and how much of it there is, where it is stored, who has access to it, and how long it needs to be kept. Companies should also adopt a "when in doubt, throw it out" approach: unless there is a compelling business need, avoid creating additional copies of old data or holding on to data storage devices longer than necessary. Information that is no longer sitting in storage is no longer a threat.

[6] Verizon Business Risk Team, 2009 Data Breach Investigations Report, p. 2.
[7] CIO, "Costs of a Data Breach: Can You Afford $6.65 Million?", Dr. Larry Ponemon, Feb. 4, 2009.
[8] Verizon Business Risk Team, 2008 Data Breach Investigations Report, p. 26.
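A retention schedule is only enforceable against data the company can find, and the 66% figure above is about data nobody had on a list. The following is an added example, not code from the whitepaper or from intimus, of the kind of discovery check that turns "we don't know what is there" into a worklist: it walks a directory tree, looks for payment card numbers (13 to 19 digit runs that pass the Luhn check, which filters out most ticket numbers and timestamps), and reports each file's age against a retention limit so that stale copies surface for disposal. The 365-day limit, the file layout and the sample files are assumptions made for the example; the sample tree is constructed test data.

```python
"""Inventory files holding payment card numbers and flag those past retention.

Added example, not code from the intimus whitepaper. Walks a directory tree,
checks each text file for 13-19 digit runs that pass the Luhn check (card
PANs), and reports path, hit count and age against a retention limit so that
data the company "did not know was there" lands on a disposal worklist.
Assumptions (not from the source): a 365-day retention limit, text files
readable as UTF-8, and the constructed sample tree built by make_sample_tree.
"""
import os
import re
import tempfile
import time

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run (so a 20-digit reference number is not split up).
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card-like numbers in text that pass the Luhn check."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root, retention_days=365, now=None):
    """Return [(relpath, pan_count, age_days, past_retention), ...] sorted by path.

    Only files containing at least one Luhn-valid card number are listed; age
    is taken from the file's modification time.
    """
    now = time.time() if now is None else now
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip, a real run would log it
            pans = find_pans(text)
            if not pans:
                continue
            age_days = (now - os.path.getmtime(path)) / 86400
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results.append((rel, len(pans), round(age_days), age_days > retention_days))
    return sorted(results)


def make_sample_tree(root, now):
    """Constructed sample data: four files, two of which hold real-looking PANs.

    4111111111111111 and 5500000000000004 are the usual Luhn-valid test
    numbers; 1234567812345678 fails Luhn and must not be reported.
    """
    samples = {
        "finance/2013/orders_q1.csv": ("order,card\n1001,4111111111111111\n", 800),
        "marketing/newsletter.txt": ("Call us: +49 7544 60235\n", 5),
        "tmp/export.txt": ("refund 5500 0000 0000 0004 processed\n", 30),
        "tmp/notes.txt": ("ticket 1234567812345678 is not a card\n", 2),
    }
    for rel, (text, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
        t = now - age_days * 86400
        os.utime(path, (t, t))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample_tree(d, time.time())
        for rel, count, age, stale in scan_tree(d):
            flag = "PAST RETENTION, dispose" if stale else "within retention"
            print(f"{rel}: {count} card number(s), {age} days old, {flag}")
```

On the constructed tree the scan lists finance/2013/orders_q1.csv (800 days old, past the 365-day limit) and tmp/export.txt (30 days old, within it), and ignores the phone number and the Luhn-invalid ticket number. The same walk, with different patterns, covers national ID numbers or account identifiers; what matters for the retention plan is that the output is a list of locations and ages, not a count.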

Create an incident response plan: "Hope for the best, plan for the worst" applies to information security as well. Companies need to do what they can to prevent data breaches, but in case one occurs they need to be prepared. An incident response plan allows the company to assess the situation, collect evidence, determine the scope of the breach, contact affected customers, and work with law enforcement and regulatory agencies as needed. Data breaches are not inevitable, but if one occurs, the company must be ready to respond and move forward with confidence and a calm sense of direction.

In the event of a data breach, act with all deliberate speed. Make sure you understand the applicable laws and reporting requirements for your location; depending on the situation, not every data breach has to be publicly announced and reported, especially if no individual's personal information was compromised. If you do have a breach that requires reporting, be prepared to act fast. Notify the affected people as soon as reasonably possible; do not let the local news media spread the story before you have had a chance to contact the people whose data has been compromised. Also be prepared to offer detailed information and assistance to customers or business partners affected by the breach. As Dr. Larry Ponemon puts it: "Don't just give a script to the call agents -- give out a toll-free number where people can reach someone with enough internal knowledge to get them to the right person." [9]

[9] CIO, "What, When and How to Respond to a Data Breach", Lamont Wood, April 27, 2007.

Conclusion

Data breaches are not inevitable. Companies do not have to resign themselves to data theft, costly problems and embarrassing news headlines. There are many ways for companies to reduce their risk of data breaches while boosting their customers' confidence, and the two goals are connected: information security is not only a matter for IT and internal operations, it also affects marketing and sales. 57% of the CEOs surveyed said that information security increases the value of their companies by increasing customer loyalty and reducing customer turnover, and 80% said that information security helps to improve their overall brand image. [10] With customers more concerned than ever about identity theft and the many mysterious and complicated risks of doing business in an online, interconnected world, customers are more likely to turn to companies that can promise (and deliver) a robust, thorough and well-thought-out information security policy.

By developing a comprehensive strategy for information security, putting good processes in place, training employees (and contractors), keeping control of digital storage media, understanding business partners' information security practices, and creating sound plans for data retention and for emergency response in case of a breach, companies can mitigate the biggest risks and enjoy the biggest benefits. A good information security strategy, with the right training, the right equipment and the right advice, is an investment, but it is an investment worth making. According to the CEOs surveyed by the Ponemon Institute, the average ROI of information security programs was 4.3 to 1: $4.30 in cost savings and revenue improvements for every $1 spent. [11] Preventing data breaches does not have to be a losing battle; it can even show positive gains for a company's bottom line.

[10] Ponemon Institute, The Business Case for Data Protection (July 2009), p. 10.
[11] Based on a median extrapolated value of $16 million in cost savings or revenue improvements from data protection efforts, divided by a median extrapolated annual budget of $3.7 million dedicated to data protection. Ponemon Institute, The Business Case for Data Protection (July 2009), pp. 11-12.

Most importantly, a company's information security efforts are a reflection of that company's strategic vision, core values and fundamental ability to execute. Customers are going to pay closer attention to companies' records on information security: as the world becomes more interconnected and more transactions and sensitive information move online, customers will increasingly want to work with companies they can trust with their information. Despite the many remarkable technologies available in the modern business world, much of business is still based on simple trust. Companies that embrace this truth will be well positioned for future success.

Company Profile

Data protection was unheard of when the first shredders were introduced in the 1960s. Starting with the "electronic wastepaper basket", the INTIMUS Simplex of 1965, the product range today meets all the requirements imposed with regard to information assurance. It contains not only devices for shredding classical data media, such as printouts, computer lists or even complete folders, but also machines that destroy information on modern media such as CDs, floppy disks, hard disk drives and solid state media. intimus Security Consulting is a concept to assist organisations worldwide in defining, implementing and monitoring procedures for information security beyond the endpoint. More information is available at www.intimusconsulting.com.

The MARTIN YALE GROUP was formed in 2003 from the formerly independent organisations MARTIN YALE Industries (North America) and Schleicher International (Germany). Today the Group has an extensive worldwide distribution network with 7 branch offices and over 150 distributors.

Contact Details

MARTIN YALE GROUP
Bergheimer Strasse 6-12
88677 Markdorf / Germany
Tel. 0049 / (0) 75 44 / 60-235
Fax 0049 / (0) 75 44 / 60-248
mailto: strunz@martinyale.de
www.martinyale.de