
Security As Opportunity



Combating ID Theft From A Business Perspective

Warren Smith
VP of Sales & Marketing
GuardianEdge

There has been a lot of debate about how best to combat the threat of ID theft. Most of the public discussion is focused on consumer protection, and with good reason.

ID theft has shaken consumer confidence in electronic commerce; although only a fraction of ID theft occurs online, there is a growing (mis)perception that e-commerce is inherently insecure.

In addition, the apparent lack of due diligence exercised by ChoicePoint and other so-called "data brokers" has broken the public trust and fostered a belief that businesses do not handle consumer information in a responsible manner.

Politicians, reacting to public outrage, have also framed ID theft as a consumer protection issue and are placing much of the responsibility on the shoulders of business.

California was the first state to act in 2003 with the introduction of SB-1386, the bellwether law that requires companies that own or have access to personal information of California residents to notify affected residents if someone has accessed their data illegally or if the company even suspects that a security breach has occurred.

Since that time, more than 20 other states have enacted similar laws, and federal lawmakers are jumping in line to get their names on new data protection bills.

Unfortunately, the discussion around ID theft is so strongly focused around the consumer that business gets left out of the equation or, worse yet, cast in the same lot as the data thieves themselves. In fact, from the perspective of the business community, it can be argued that the consumer-oriented approach to ID theft prevention is itself part of the problem.

To understand the full scope of ID theft and how to combat it from all angles, it is important to discuss the problem from a corporate perspective.

Corporate Identity Theft
When someone steals sensitive consumer information from an organization, that person is actually robbing the organization of three valuable assets: business information, brand value and self-determination for IT investments. All of these items have a quantifiable monetary value and are vital to any organization for sustaining competitive advantage.

In fact, these three elements are often so central to the identity of an organization that, when a thief breaks into a company database and makes off with thousands of customer records, it is as if that person were stealing the identity of the company itself.

Loss of Critical Business Information
Data is the currency of the Information Age. The main reason thieves target personal data in the first place is because it is so easy to monetize. However, consumer data is not the only type of critical business information that is vulnerable to theft or unauthorized access. Inspect the IT infrastructure of any major organization and you will likely find sensitive business information strewn around the perimeter of the enterprise on unsecured laptops, PDAs, smart phones and other mobile computing devices.

Loss of Brand Value
As companies such as ChoicePoint and Wells Fargo can attest to, identity theft can cause severe damage to the brand value and public image of an organization. While PR and brand awareness are not as easy to monetize as critical business information, an event such as a security breach can become the worst kind of viral marketing campaign your company could ever imagine.

ChoicePoint, for example, has become a well-known consumer brand whose notoriety is surpassed only by luminaries such as WorldCom, Tyco and Enron.

Self-Determination for technology investments
Right now, there are no fewer than five separate bills before Congress that deal with data privacy and security. The most widely supported of these is the so-called Specter-Leahy bill.

Specter-Leahy mandates that organizations must take two major actions:

- Implement data and security programs to safeguard consumer records

- Notify authorities when a security breach occurs and make public notification if there is a likely chance that the stolen data has been or will be misused.

Even if Specter-Leahy is defeated or amended, there are plenty of laws already on the books that have raised the standards for data protection, including HIPAA, Sarbanes-Oxley, GLBA and the aforementioned SB-1386. The bottom line is that compliance eats up a tremendous amount of time and money, robbing a company of the right to determine its own budget and roadmap for technology investments.

Transforming data security into business opportunity
At this point, you might have the impression that strengthening your data security is something you have to do in order to prevent the loss of critical business information, the loss of brand value and the loss of self-determination for IT expenditures. Compelling, perhaps, but only in the way you feel compelled by the IRS to pay your taxes.

By contrast, if we view the issue of data security from a business-oriented perspective, it becomes an opportunity to protect critical business data, add brand value and increase the return on IT investments. The challenge then becomes how to implement data security in the most effective and efficient way possible.

Take encryption as an example of how to view data security as a strategic opportunity. Encryption is the best and only true way to protect sensitive information such as consumer data from unauthorized access (as opposed to malicious authorized access where an insider steals the data). Yet some organizations resist the idea of using encryption because they are afraid they will lose their sensitive data.

Ironic, isn't it? An organization that operates on this basis will probably wait to encrypt their sensitive data until after a security breach occurs, at which point the damage has already been done.

In contrast, those who adopt a security-as-opportunity model (a proactive, rather than reactive, approach) are more likely to implement encryption in a strategic manner. Encryption is a particularly powerful method for securing data at the perimeter of the corporate network, where it often leaves the office on laptops, PDAs and removable storage devices.

Even more important is to encrypt the hard disk or memory chip itself, not just specific files or file types. These days, it is all too easy for someone to comb through temp files, recover deleted data or hack into the operating system itself.

Second, any organization that uses encryption to secure data will have a ready response for authorities and the public in the event of a security breach. The mantra to apply here is: "yes, a laptop with 10,000 customer records was stolen, but since we encrypt the hard drives on all our computers, there is no way the thief can get to the data."

What could have been an embarrassing public confession is thus transformed into a legitimately positive PR event and an opportunity to cast the company as one of the "good guys" while building consumer trust and confidence in its brand.

Third and most importantly, encryption is one of the most comprehensive and cost-effective methods for managing compliance with data security regulations. Some laws, such as SB-1386, make specific exceptions for encrypted data.

Most other regulations, including Specter-Leahy, HIPAA and Sarbanes-Oxley, either recommend or require encryption as part of a data security program, and nearly every federal governing body (the SEC, FTC, FDA, NIST and so on) endorses encryption as an effective safeguard.

The key to using encryption or any other data security solution is to act quickly and proactively with clear strategic goals in mind.

By adopting a security-as-opportunity approach, you can stay several steps ahead of criminals, competitors, the media and regulators, transforming the ball-and-chain of data security into a driving strategic advantage for your organization.







© 2019 Simplex Knowledge Company. All Rights Reserved.