Each time the words “data breach” hit the headlines, adrenaline spikes until it’s clear that some other company — not ours — is the victim this time.
It’s not a good rush, and those spared damage-control duty today are not high-fiving it — they know they could be in the hot seat tomorrow.
Companies are collecting more data than ever, storing it longer than necessary and yet lack effective controls to protect it. With BlackBerrys, laptops and portable data storage devices, such as memory sticks, in constant motion, companies don’t even know where their data are at any point in time.
There’s no easy fix for this liability problem, but companies can do something to mitigate risk: insist the human resources and information technology departments team up on data security strategy and management. Safeguarding personal or sensitive data — whether they are customer credit card numbers, intellectual property or competitive intelligence — involves people as much as technology, say human resources and IT executives. However, there’s a gulf between the two camps when it comes to handling sensitive data.
“I’m sure h.r. people will get very angry with this, but the h.r. silo and the IT silo prevent good things from happening,” said Larry Ponemon, chairman of the Ponemon Institute, which conducts data security research. “You need to have h.r. and IT security work together as a crisis management team.”
Joel Ronkin, executive vice president at Elizabeth Arden, rejected the silo mentality and said the beauty company’s h.r. and IT departments collaborate to protect assets, including data.
“We let our employees know when we hire them of the need to protect company assets and maintain confidentiality, and we have our employees acknowledge this in their offer letters,” he wrote in an e-mail. “H.r. works closely with IT to make sure we safeguard all company property and data, not just employee records. It is hard to imagine how h.r. could not be heavily involved in properly protecting the company’s assets.”
Circuit City, Williams-Sonoma, Linens-N-Things and Dollar Tree are among retailers whose data breaches have come to light in the past 60 days, according to Privacy Rights Clearinghouse, an aggregator of security breaches. On Sept. 19, Boston apparel company Life Is Good notified customers that its database had been hacked, putting 9,250 names, addresses and credit card numbers at risk for fraud.
Data breaches affecting nearly 94 million records were reported between February 2005 and last month, according to the Privacy Rights Clearinghouse. In some cases, malicious intent is involved; in other cases, data are just “lost” — misplaced or improperly discarded. Sometimes information goes missing with a missing laptop, stolen for its resale value and not the proprietary data stored on it.
Last month, the U.S. Commerce Department owned up to losing 1,138 laptops since 2001. Awful as that sounds, it’s not uncommon: Eighty-one percent of U.S. companies lost at least one laptop computer containing sensitive data in the last year, according to information security professionals surveyed by the Ponemon Institute in a recent study commissioned by Vontu, a San Francisco data-protection company. The majority of respondents (64 percent) admitted their companies have not inventoried their customer data or employee data. “Most organizations would never be able to determine what data was lost if a laptop, memory stick or another storage device was stolen,” said Ponemon.
Additional research released last month examines data security threats from the enemy within — when company employees or contractors put information at risk through carelessness, negligence or malice. While accidental data breaches are the most common (66 percent), it’s the malicious attacks that are most costly, according to another Ponemon report, commissioned by ArcSight, a Cupertino, Calif., security technology company.
Businesses whose data are stolen with malicious intent spend on average $8.1 million on remediation costs, including investigation, legal, audit and customer notification, according to the report. Companies whose data were compromised due to workers’ “lack of knowledge” on data handling policy or procedure shell out just $2.5 million to recover.
The good news is that h.r. can reduce accidental leakage of data by taking a proactive approach through training. Too often, IT is called in after a breach occurs, but the damage already has been done at that point.
“In my experience, h.r. hasn’t really seen this insider-threat problem as their problem,” Ponemon said. “If an issue is sexual harassment or business ethics, you get h.r. people front and center, dealing with it. But if it’s an issue of getting sloppy with data, I think a lot of h.r. people say, ‘I don’t want to take that on. I’m not an expert.’”
Nearly nine in 10 (89 percent) information technology professionals polled said the “insider risk” was a serious threat, according to the ArcSight study. In contrast, only 49 percent of those respondents believed chief executive officers view insiders as a serious threat to data security.
The disconnect between risk perceptions of ceo’s and information security executives did not surprise Zeke Duge, ceo for Smart & Final, a $2 billion grocery retailer. “Ceo’s will not admit their ‘children’ would behave maliciously against the very company that feeds them. This is a visceral reaction, as most of them will admit that intellectually. They recognize the threat.
“What is more baffling to me is that ceo’s will request stringent [data security] policies and yet want the network ‘open and easy to work with.’ Don’t even think of blocking access to Yahoo Finance for the execs,” Duge said, even though blocking access would better protect corporate networks. “To do so is to invite a potful of wrath.”
In many cases, data are exposed to risk while in the hands of insiders who are technically outsiders, such as auditors, technology vendors and other third-party companies. For example, personal information on 2.6 million Circuit City credit card holders was put at risk last month when it was revealed that Chase Card Services had mistakenly disposed of tapes containing the information. The information may never fall into thieves’ hands — reports say the tapes are buried in a landfill — but risk remains, even if it’s minuscule.
“The loss of information from vendor partners has created new rules,” said Gary Preston, former h.r. executive and chief information officer for $22 billion Ahold USA. “It has redefined relationships with vendors,” he said, noting that “will hold harmless” clauses are now common in contracts involving handling of data. Preston, whose own personal information was compromised with the loss of a corporate laptop, is co-founder and managing partner of Preston-Reffett, an executive search firm based in Doylestown, Pa.
“The greatest risk today is the insider,” said Arnette Heintze, former chief security officer for PepsiCo and managing partner of Hillard Heintze, a Chicago-based security consulting company. “Osama bin Laden and the gang of fools that follow him are not coming over here to get you,” added the retired Secret Service agent. “That’s not your greatest threat. The greatest threat to American business is the people with the front-door keys and the keys to their networks.”