Few things damage customer trust more than a breach of confidential information. Consider that in a survey of consumers, the Ponemon Institute found that 60 percent terminated or considered terminating business with companies that notified them that they had mishandled their private information. Data breaches also have a real impact on the bottom line: $182 for each lost customer record in direct costs, lost productivity, and lost customer opportunity, according to Ponemon.
Historically, businesses' approach to managing data security risks has been more reactive than proactive. "Most organizations have been plugging holes," says Rich Mogull, a research vice president at Gartner Research. But as the risks have escalated, attitudes and approaches have started to change. "Particularly with the new disclosure laws, there is real money involved," says Mounil Patel, vice president and research director at AberdeenGroup. "People are losing their jobs, and when CIOs are worried about losing their jobs, they are more proactive."
A proactive approach to data breach and customer privacy protection starts with encryption of mobile devices, but organizations are also turning to automated monitoring, data discovery and beefed-up authentication technologies to add an extra layer of security. Read on to learn what Sharp Healthcare and Zions Bank are doing to put company executives and, more importantly, customers at ease.
The Problem of Portability
More than 90 percent of all breaches result from the loss of electronic information (versus about 9 percent for information in paper form), and the single biggest vulnerability is the loss of laptops and portable devices, including removable hard drives and thumb drives (see "Breach Source," at left). A security policy that includes rules on storing data on mobile media, as well as physical, device-level security mechanisms, is important. However, when device loss does occur, PGP (Pretty Good Privacy) public key encryption remains the strongest defense against data loss. Equally important, it gives a company an exemption from disclosure laws.
"Just encrypt the freaking laptops!" says Mogull. "If you have sensitive data, it's a no-brainer."
The use of encryption is increasing (see "Use of Encryption by Data Type," at right). However, encryption is still complex, expensive to deploy and difficult to manage. Rather than practicing full-disk encryption, some organizations are adopting newer approaches in which a rights-management layer is added to the encryption process. As sensitive information is created or as it is accessed from core systems, it is automatically tagged as such, and only then is it encrypted and tracked.
"Where traditional approaches to encryption don't work well is where people have legitimate access to the data," says Patel of Aberdeen. "If users have to hit a button every time they create a spreadsheet, they will get irritated. We are still early in the adoption curve [of automated encryption] because it requires thinking to put together policies, but the trend [in usage] is definitely upward."
Discovering Sensitive Data
The most secure solution to the portable-data problem is to never store sensitive information on those devices, but that's simply not practical in business environments in which users expect unfettered access to information and have legitimate reasons for accessing, sharing and storing data. Instead, businesses do better to invest in technologies that help monitor where sensitive data resides and enforce data security policies.
Monitoring has been around since the first time someone reviewed a database access log. However, dealing with the typical enterprise volume of logs, sniffers and security systems demands an automated approach. Database activity monitoring software "sniffs" database queries to track access to particular data. When combined with business intelligence, this software can also look for abnormal access behavior, such as a DBA running a query on a list of credit card numbers or sales reps requesting information on customers outside their territory.
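The two abnormal-access patterns described above (a DBA pulling a list of card numbers, a sales rep querying customers outside their territory) can be expressed as simple rules over captured queries. The following is an added example, not code from any monitoring product named in this article; the query records, the territory table and the bulk-read threshold are all constructed.

```python
import re

# Constructed sample of database activity-monitor records (not real logs).
SAMPLE_QUERIES = [
    {"user": "dba_ops", "role": "dba",
     "sql": "SELECT card_number, expiry FROM payment_cards", "rows": 48210},
    {"user": "dba_ops", "role": "dba",
     "sql": "ALTER TABLE payment_cards ADD COLUMN token VARCHAR(64)", "rows": 0},
    {"user": "jsmith", "role": "sales",
     "sql": "SELECT name, phone FROM customers WHERE territory = 'WEST'", "rows": 120},
    {"user": "jsmith", "role": "sales",
     "sql": "SELECT name, phone FROM customers WHERE territory = 'EAST'", "rows": 2300},
    {"user": "billing", "role": "app",
     "sql": "SELECT card_number FROM payment_cards WHERE customer_id = 77", "rows": 1},
]
# Assumed reference data: rep-to-territory map, sensitive columns, bulk threshold.
SALES_TERRITORY = {"jsmith": "WEST"}
SENSITIVE_COLUMNS = {"card_number", "ssn"}
BULK_ROWS = 1000
SELECT_RE = re.compile(r"\s*SELECT\s+(.+?)\s+FROM\b", re.I | re.S)
TERRITORY_RE = re.compile(r"territory\s*=\s*'(\w+)'", re.I)

def sensitive_columns_read(sql):
    """Sensitive column names appearing in the SELECT list, if any."""
    m = SELECT_RE.match(sql)
    if not m:
        return set()
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    return cols & SENSITIVE_COLUMNS

def flag_query(q):
    """Reasons a query looks abnormal; an empty list means it passed."""
    reasons = []
    sens = sensitive_columns_read(q["sql"])
    # A DBA maintains the database; reading card numbers is outside that role.
    if q["role"] == "dba" and sens:
        reasons.append("dba read sensitive columns: " + ", ".join(sorted(sens)))
    if q["role"] == "sales":  # rep pulling customers from another territory
        m = TERRITORY_RE.search(q["sql"])
        home = SALES_TERRITORY.get(q["user"])
        if m and home and m.group(1).upper() != home:
            reasons.append("outside home territory %s: %s" % (home, m.group(1)))
    # Any role reading sensitive columns in bulk is worth a look.
    if sens and q["rows"] >= BULK_ROWS:
        reasons.append("bulk read of sensitive data: %d rows" % q["rows"])
    return reasons

def review(queries):
    return [(q["user"], r) for q in queries if (r := flag_query(q))]
```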
Content monitoring and filtering, also known as data-loss prevention, provides a benefit beyond encryption and rights management. For instance, while rights management applied to a spreadsheet can prevent unauthorized e-mailing of that spreadsheet, content monitoring can dissect e-mail messages to ensure that the content of a spreadsheet hasn't simply been re-typed to avoid rights-management controls.
"The next level of these tools offers discovery—the ability to crawl around storage of sensitive information in your network that you might not be aware of," Mogull says.
Discovery was a key capability sought by Sharp Healthcare. The San Diego-based health care provider was satisfied with the security of its core business systems and databases, but wanted to assess file and print servers as well as networked devices. In late 2006, the company deployed a data-loss prevention system from Vontu. The system is seeded with a representative sample of sensitive data from a database, such as names, addresses and Social Security numbers, and when a match is found in a file, it uses business rules to create a priority list of incidents for Paul Tobia's security team to address. For instance, a file found on a server, desktop or laptop that contains names, addresses and Social Security numbers would generate a higher-priority alert than a file containing just a list of addresses.
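The discovery and prioritization described above, written out as an added example (this is not Vontu's or Sharp Healthcare's code). It assumes sampled values are matched as plain strings for readability; the sampled names and SSNs, the address pattern, the priority rules and the files found are all constructed.

```python
import re

# Constructed sample of sensitive values sampled from the customer database (all fake).
SAMPLED_NAMES = {"alice example", "bob sample"}
SAMPLED_SSNS = {"123-45-6789", "987-65-4321"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ADDRESS_RE = re.compile(r"\b\d{1,5} [A-Za-z]+ (?:St|Ave|Rd|Blvd)\b")
# Business rules: the combination of data types found sets the priority.
HIGH = ({"name", "ssn"}, {"address", "ssn"})
MEDIUM = ({"ssn"}, {"name", "address"})

def classify(text):
    """Which kinds of sampled sensitive data appear in this file's text."""
    found = set()
    lowered = text.lower()
    if any(name in lowered for name in SAMPLED_NAMES):
        found.add("name")
    if ADDRESS_RE.search(text):
        found.add("address")
    # Only SSNs matching sampled values count; a 9-digit part number does not.
    if SAMPLED_SSNS & set(SSN_RE.findall(text)):
        found.add("ssn")
    return found

def priority(found):
    """Map the set of data types found to an incident priority, or None."""
    if any(rule <= found for rule in HIGH):
        return "high"
    if any(rule <= found for rule in MEDIUM):
        return "medium"
    return "low" if found else None

def triage(files):
    """Incident list sorted high-first; files with no hits are dropped."""
    rank = {"high": 0, "medium": 1, "low": 2}
    incidents = []
    for path, text in files.items():
        found = classify(text)
        p = priority(found)
        if p:
            incidents.append((p, path, sorted(found)))
    return sorted(incidents, key=lambda i: (rank[i[0]], i[1]))

# Constructed files found on a file server, a desktop and a laptop.
FILES = {
    "server/hr/export.csv": "Alice Example,12 Main St,123-45-6789",
    "desktop/mailing.txt": "12 Main St\n40 Oak Ave\n",
    "laptop/parts.txt": "part 555-12-3456 qty 4",
}
```

The third file shows the point of sampling real values rather than patterns alone: a number shaped like an SSN that is not in the sampled set produces no incident.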
"We contact the owners of those files and make sure they're following established security procedures," says Paul Tobia, information systems security manager. "It also helps us comply with requirements to document data outside our core systems."
Tobia says Sharp Healthcare runs "gigabytes a week" through the software, and he adds that without automation, the company would otherwise have to rely on "a ton of people" to handle the assessments.
The company now plans to use Vontu to monitor network traffic to detect sensitive data in motion. The role of the system is to help users comply with good security policy, not to harass them, says Tobia. "Our first goal is to understand why someone needs to move data from one location to another," he explains. "With that need in mind, [we help them figure out] the most secure way to get that data where it needs to go, whether it's encrypted e-mail or secure file shares that can be locked down."
There can be no secure access to data without authentication, and authentication is more important than ever in building customers' trust in a company's data-security practices. Customers now expect to see more than just a security lock on a Web site before divulging personal data, and industry practices and regulations are making stronger authentication a top priority.
For instance, chances are that sometime in the past few months when you logged onto an online banking site, you've had to go through a new authentication procedure that might have included choosing unique images, selecting pass-phrases, setting up challenge questions and agreeing to register your access device. Those measures are likely in response to Federal Financial Institutions Examination Council (FFIEC) authentication guidelines that took effect on January 1 of this year.
Salt Lake City-based Zions Bank uses RSA's Adaptive Authentication solution to provide site-to-user and user-to-site authentication in its online banking service. The bank deployed the system last July, and enrollment in what it calls its "SecurEntry" system is now mandatory for bank customers.
The RSA system displays a user-selected pass-phrase to authenticate the site to the user. To authenticate the user to Zions Bank, SecurEntry starts with a conventional name and password, but also records IP addresses and collects "forensics" such as browser platform and operating system version to create a layered security solution. The system is adaptive, developing a rolling profile of users' login activity. Login attempts outside these profiles will trigger challenge questions.
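A rolling login profile of the kind described above, as an added example (not RSA's or Zions Bank's implementation). It assumes each login carries an IP address, browser platform and OS version, assigns assumed weights to unfamiliar attributes, and challenges when the total crosses a threshold; the login sequence in demo() is constructed.

```python
from collections import Counter, deque

def ip_prefix(ip):
    """Coarsen an IPv4 address to its /24 so a DHCP change is not 'new'."""
    return ".".join(ip.split(".")[:3])

def features(attempt):
    """The forensics the profile tracks for one login attempt."""
    return {"net": ip_prefix(attempt["ip"]), "browser": attempt["browser"],
            "os": attempt["os"]}

class LoginProfile:
    """Rolling profile of a user's recent authenticated logins."""
    WEIGHTS = {"net": 2, "browser": 1, "os": 1}   # assumed weights
    CHALLENGE_AT = 2                               # assumed threshold

    def __init__(self, window=20):
        self.history = deque(maxlen=window)       # oldest logins age out

    def record(self, attempt):
        """Call only after the attempt has been fully authenticated."""
        self.history.append(features(attempt))

    def assess(self, attempt):
        """('allow' | 'challenge', reasons) for a login whose password checked out."""
        if not self.history:
            return "challenge", ["no profile yet"]
        seen = {k: Counter(h[k] for h in self.history) for k in self.WEIGHTS}
        score, reasons = 0, []
        for k, v in features(attempt).items():
            if seen[k][v] == 0:                    # never seen in the window
                score += self.WEIGHTS[k]
                reasons.append("new %s: %s" % (k, v))
        return ("challenge" if score >= self.CHALLENGE_AT else "allow"), reasons

def demo():
    """Constructed sequence of logins for one user; returns the decisions."""
    p = LoginProfile()
    home = {"ip": "203.0.113.20", "browser": "Firefox", "os": "Windows XP"}
    trips = [
        home,                                       # enrolment: no profile yet
        dict(home, ip="203.0.113.77"),              # same office network
        dict(home, browser="Internet Explorer"),    # one unfamiliar attribute
        dict(home, ip="198.51.100.9", os="Linux"),  # new network and OS
    ]
    out = []
    for t in trips:
        decision, _ = p.assess(t)
        out.append(decision)
        p.record(t)   # assume any challenge questions were answered correctly
    return out
```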
For ROI-focused companies that have struggled with the cost-benefit of security solutions, building customer trust can turn into a measurable reward. Zions, for instance, has seen increased reliance on its online customer service channel (reducing phone- and branch-based service costs) as well as a deterrent value. "Today the 'bad guys' are attacking the easiest targets," explains Preston Wood, Zions' chief information security officer. "As we've strengthened our authentication, we haven't seen as many attacks."
Striking a Balance
In the rush to address all the technological challenges of data security, businesses have to be careful not to put legitimate users and customers through hell. That's one reason why Sharp Healthcare hasn't automated its policy enforcement yet, even though its new security systems could automatically block access to or movement of certain types of data.
"If you come out of the gate and start blocking everything, you'll have a big fight with your business units," says Tobia, adding that the deployment would likely fail. "We are taking a conservative approach, starting with a base set of policies, following up on a case-by-case and person-by-person basis, and monitoring the effectiveness of those policies. When we're comfortable with what we're capturing, we can more fully automate enforcement."
Ultimately, "You want to train people to be conscientious," says Patel. "That will help companies' view of [security] to change from being something that goes on after the fact and under the radar to being something proactive that has a benefit to both the business and its customers."