Protect Your Customer's Data
Is that a bead of sweat on your forehead? The list of companies suffering customer-data losses keeps growing. Here's what you can do to avoid being next.
June 27, 2005
As if angry customers, declining consumer confidence, and the threat of fines weren't enough, business executives have something new to mull on the troubling issue of lost or stolen customer data. Two U.S. senators are floating the prospect of jail time for business leaders who knowingly conceal such breaches. If top managers can't secure data in a well-guarded environment, well, perhaps they'll find themselves in one.
Things aren't that dire yet, but it's a sign of how fed up people have become with the endless reports of customer data that's been hacked, stolen, lost in transit, or otherwise mishandled. Strategic planning is probably in order to address the problem, but some steps can't wait. Business and technology managers must take action right away. Today wouldn't be too soon to start.
The broadening scope of the gaffes shows no company is immune. CardSystems Solutions Inc. earlier this month revealed a security breach that, according to MasterCard, exposed data on potentially more than 40 million payment-card accounts. UPS Inc. recently lost tapes containing the names of 3.9 million Citigroup customers. Bank of America, Ameritrade, and Time Warner have lost backup tapes, too. In March, DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers.
No wonder the president of the American Automobile Association of Reading-Berks in Berks County, Pa., wanted to speak with IT director Peter Wallace after he heard about the CardSystems fiasco. The topic: his organization's own level of security. "The news out there makes people ask questions," Wallace says.
That's a good starting point. But you'd better have some good answers--or get them fast. A Deloitte Touche Tohmatsu survey found that only two-thirds of financial-services firms queried had a defined security program in place, and 18% were drafting one.
One reason for the laggards may be a continuing disconnect between top-level executives and IT-security managers in some companies, says Dave Stampley, general counsel and compliance specialist at Neohapsis Inc., an information-security consulting firm. (Stampley writes an online column on security for InformationWeek.) That's partly because the vocabulary of system security--encryption, firewalls, patch management--doesn't translate easily into business-speak, he says. However, with financial losses and brand damage ratcheting up, the fact that data security is critically important is dawning on top executives. The threat last week from Sen. Arlen Specter, R-Pa., and Sen. Patrick Leahy, D-Vt., of legislation prescribing prison sentences, drives the point home.
The first steps for any company reassessing its data-security posture are to take an inventory of all data assets, especially customer data and other sensitive information, and determine the company's vulnerability and what might happen if that data were to be lost or stolen, says Ken Silva, chief security officer of security-software company VeriSign Inc. and former technical director with the National Security Agency.
HNTB Corp. already takes care that sensitive internal data isn't exposed to outsiders, IT manager Travis O'Dell says. But the engineering firm's human-resources department wants to raise the bar two notches. It wants to encrypt employee medical data and store the information in a secure area that only employees can access.
Businesses also are scrutinizing how they move data around, both when sharing it with business partners and customers or for backup and archiving purposes.
Data encryption is one area where companies--including some with detailed customer-data-protection plans--see a chance for immediate gains. Too many have been lulled into a false sense of security by hiring professionals to transport unencrypted tapes to off-site facilities. "The moment someone picked up the tapes, we felt the chain of security hadn't been broken," says Joshua Levine, chief technology and operations officer at E-Trade Financial Corp., which hasn't reported any major breaches or data losses. "Now we recognize we should have thought, 'What happens if the chain is broken?'"
Since its brush with notoriety, Bank of America has taken steps to improve its tape-tracking procedures, and it's testing data encryption. Likewise, Citigroup next month will begin sending encrypted data electronically, rather than unencrypted on physical tapes. And BMO Financial Group (formerly the Bank of Montreal) is considering changes. "We're looking at solutions that could encrypt a tape so that the risks of losses during transit are minimized," says Vivek Khindria, senior manager of security practices.
Acxiom Corp., which maintains huge marketing databases of consumer information, was itself the victim of several highly publicized hacking incidents in 2002 and 2003 and has since taken extensive steps to strengthen its security practices. The company not only encrypts data as it's transmitted to clients, but increasingly is encrypting stored "data at rest," says chief security leader Frank Caserta. Acxiom is encouraging clients to do the same and is even providing them with encryption tools and services.
Companies need a better view of what attacks they're facing. Many have intrusion-detection systems, firewalls, and other security mechanisms, but each wave of attacks churns out more information to be monitored. For one major oil company, Accenture built a dashboardlike display that correlates data from the mix of network-security systems in order to develop a deterrence policy. "Companies have to get more sophisticated at analyzing and using data generated by systems at the edge of their networks," says Alastair MacWillson, global managing partner of security practices at Accenture.
In addition, the oil company set minimal levels of security for all Windows and Unix servers, then implemented a system to spot if any of the servers has been modified. "Everything, from servers to workstations to switches, needs to be configured with security in mind," MacWillson says. Application-level security also must be at least as strong as network security. "You can have a highly secure SAP system but overlook that it sits on a Unix server that's vulnerable to an attack from a virus," MacWillson warns.
Another weak link is the easy accessibility to data within companies. Businesses focus so much of their security efforts on the network perimeter that they tend to overlook what's going on inside the firewalls, says Doug Jacobson, director of the Information Assurance Center at Iowa State University, which operates a lab where companies can test their security processes.
Protecting hundreds or thousands of laptops used by on-the-go workers is another action item. Security is pretty tight when a laptop is docked on the corporate network, but security goes out the door--literally--when employees do. "Most databases have security mechanisms--such as encryption, IDs and passwords, logging--but the moment the data is outside the network, you've lost control," says E-Trade's Levine. "We as an industry haven't done our homework on maintaining the lock on data."
DATA DEFENSE DONE RIGHT
>> GET A SECURITY POLICY: Obvious? Three in 10 companies don't have one, Deloitte says.
>> INVENTORY DATA: What do you have, what's most at risk, and do you really need it all?
>> CONSIDER ENCRYPTION: From Citigroup to Acxiom, many companies are encrypting more, both data in transit and at rest.
>> ENCRYPTING ISN'T ENOUGH: Verify the source of data and its destination.
>> AVOID THE "BAGEL DEFENSE": Hard on the outside, soft on the inside. Use firewalls, but also protect key data inside and monitor it for suspect access.
>> SET A HIGH STANDARD: Check your security against standards such as ISO, the British Standards Institution, or the credit industry's PCI. More security than you need? Make sure the CEO--no less--agrees.
>> WATCH YOUR FIREWALLS: Use automated tools for monitoring firewall traffic that can reveal suspicious activity.
>> THINK BEYOND THE NETWORK: Know all ways data can leave the network--laptops, backup transport--and consider what to do if it's lost or stolen.
>> INVEST WISELY: Don't be content with the one security project that gives the biggest bang for the buck. Consider going farther.
What can companies do about all those mobile devices? For one thing, make sure their software patches are up to date. Microsoft, for example, touts the improved security in Windows XP, but that works only if transient machines have the latest upgrades. Other best practices include hard-to-crack passwords and VPN connections. Another obvious but sometimes overlooked measure: Don't leave untethered computers where thieves can grab them.
Business technologists should also consider implementing stronger online authentication and automating the process of analyzing logs and audit trails used to determine who has access to critical systems. BMO Financial Group is going that route, security manager Khindria says. A related tactic is to conduct regular network scans and penetration tests. E-Trade uses security software from Skybox Security Inc. to analyze known and potential vulnerabilities to network attacks, not just from the outside but from inside as well.
Businesses need to be brutally honest about how they're doing. MonsterCommerce Inc., which provides shopping-cart software for 5,000 online merchants, conducts quarterly code reviews to make sure there are no holes in its software, CTO Jen Heil says. The company also has third-party firms perform semiannual audits and penetration tests, a critical element of any security program.
There's no shortage of benchmarks to help evaluate your security. One is the International Standards Organization's 17799. It's a clunker of a name, but it lays out a list of best practices, including business-continuity planning, system-access controls, physical and environmental security, and protection and confidentiality of information. An even more comprehensive certification standard, ISO 27001, which lays out requirements for an information-security-management system, is due later this year.
Another benchmark is the British Standards Institution's BS7799. And as of June 30, most companies that work with a credit-card company--like CardSystems, the one that exposed as many as 40 million cards--must meet a set of requirements called the Payment Card Industry Data Security standard.
Back at AAA Reading-Berks, the organization has engaged business-software vendor Campana Systems Inc. to redesign its programs for compliance with Payment Card Industry and other standards, Wallace says. The club plans on encrypting data for the first time, segregating its network for members, and providing certain information only on a need-to-know basis.
Some security-oriented changes may involve reworking entire business practices. ChoicePoint Inc., which got into trouble by revealing consumer information to identity thieves, responded by restricting the type of data it sells and to whom.
The lesson for other companies is to clean up their act or pay the price. Gartner analyst Avivah Litan says a Specter-Leahy bill would put "CEOs on the hot seat." Is anyone else feeling a little warm?