Little time passes these days before we hear news of yet another breach of customer data. The cyber security industry is nearing $80 billion in annual revenues, and pundits abound in every major newspaper and Internet media outlet in the land. Rick Wesson, CEO of Support Intelligence, was recently quoted in a New York Times opinion piece: “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships streaming toward us on the horizon.”
Obviously, we’re frustrated. Bankers, bank customers, credit card companies, law enforcement, government: we all want personal information to be secure. We spend, re-execute our risk assessment, plan, and spend even more, and still the data breaches continue. And even with all the legislation, regulations, and standards out there, we’re quickly learning that compliance doesn’t always equal security, and security doesn’t always equal compliance.
Many wonder: ‘Why haven’t we stopped these data breaches altogether?’ Perhaps it’s because of how information has traditionally been viewed. It is well documented that organized crime, terrorist groups, and hackers will often work together for financial gain. Criminals have figured out that personal information can be as good as cash.
So let’s explore that for a moment by looking at how a financial institution handles cash. Institutions have developed strict cash handling procedures that have evolved over time. They know exactly how much cash is in each teller drawer, branch safe, and ATM at all times, and that balance is known all the way up to the level of the CEO.
Now consider personal information. Do we always handle personal information in as controlled a manner as cash? Do we keep close tabs on who has access to this personal information? Do we know who has accessed the personal data and what they did with it? It would seem that most organizations know far less about their information assets than about their cash. This is likely because, as little as 20 years ago, personal information was not viewed as cash.
Let’s explore how a “cash” approach to information management might change our ability to protect information assets.
Four key questions should be asked when determining whether personal information is safe:
Let’s explore these questions from a “cash” point of view:
Companies need to know where their customer data is at all times. Computers make our lives easy, but they also offer a myriad of places to store data. Personal information can be stored on this file server, or that one, on an employee’s desktop PC, or even on a laptop that leaves the office on weekends or business trips.
Imagine doing that with cash! We know that the more dispersed our assets are, the more difficult they are to protect. Institutions know that it’s easier to protect cash when it’s stored in fewer locations. So why not take the same approach with personal information? It will be easier to protect the personal information you maintain if it is stored in the fewest locations possible.
Companies need to know who has access to their personal information. Many data breaches are executed through the use of legitimate user IDs, in some cases with access rights that are too broad. Access to personal information should be given only to those who truly need access based on their job function. Again, looking at the cash analogy, not everyone needs access to the branch vault, right?
Gaining access to personal information should be a controlled procedure that requires some level of approval. And once access is granted, it should be reviewed on a periodic basis. People move from one job to another, and job functions can change. It makes good business sense to periodically validate that Joe Smith still needs the access he was given two years ago.
We’re really talking about risk assessments here. Every bank and retail store protects its cash at rest and in transit through the use of vaults, locked teller drawers, armored cars, and dye packs. The FDIC’s Rules of Practice and Procedure require financial institutions to document all reasonably foreseeable vulnerabilities and all relevant controls for cash. The Gramm-Leach-Bliley Act requires financial institutions to apply the same principles to their information assets.
Companies that store customer information assets need to document and assess the controls over data, noting any gaps in security. This basic step will enable you to determine the most appropriate actions to reduce your level of risk.
While this may be the most difficult task on your security list, it remains the most important. A review of the Hannaford, TJX, and possibly Heartland incidents suggests that the criminals used legitimate access rights to install malware on these systems, which enabled them to capture customer information.
This is much like an individual granting himself or herself access to the branch vault and using it to slowly siphon off cash. Your company can protect itself by carefully monitoring what has changed in the environment and verifying that the activity is legitimate.
The overriding theme here is to be vigilant and protective. Implementation of the cash model for information management isn’t easy and grows in complexity with the size of the organization. Companies with many employees, multiple locations, and complex networks may face a seemingly insurmountable task.
Still, the question is not whether we can afford to apply the banker’s “cash” model of oversight to information management. The question ought to be: Can we afford not to?