The failure to protect confidential information not only can damage a company’s reputation in the public sphere but also can open it up to litigation. When the security breach at the credit card processor became public, lawsuits accusing the company of negligence and seeking class action status were quickly filed.(38)

In addition, businesses that rely on outside information technology (IT) suppliers need to recognize that while data services, such as transaction processing, billing, and collecting, may be contracted to outside vendors, companies cannot outsource the responsibility for protecting confidential data. Critical data becomes especially vulnerable when it moves outside of a company and beyond the borders of the company’s own security and risk management procedures. Businesses can still face substantial fines, lawsuits, damaged reputations, and a loss of consumer and investor confidence if a breach at an outside IT service provider exposes confidential data.
Making Data Security a Priority

For most of the four decades since businesses began moving to computerized operations, securing systems and networks was treated as one of many issues for the information technology staff and not as a concern for top management. That approach made sense when security concerns were focused on keeping out teenaged hackers, but the threat level has since escalated sharply with the entry of organized gangs into computer crime.

Now, a failure to adequately secure a company’s network and personal and proprietary data can jeopardize the future of the entire organization. Because the threats are continually evolving, security is an issue that needs to be kept on the front burner. The survival of the business may depend on management’s focus on keeping personal and proprietary data confidential.
Assess and Prioritize Vulnerabilities

The first task for any organization in assessing its vulnerabilities and potential risks is to catalogue the kinds of data that it collects and stores. That information should then be prioritized by its value and the potential risks its loss or theft would pose.

For example, companies that collect and process confidential consumer data, such as credit card accounts, need to take into account the legal and reputational exposures they face should that information be exposed through security lapses or theft from them or a contractor. Businesses need to be careful not only with confidential client and consumer information but also with personnel information. All companies keep records, such as Social Security numbers, that can be misused if not properly guarded.
Evaluate Security for Intellectual Property

Companies should evaluate how they secure their own intellectual property. Businesses that depend on keeping intellectual property secret need to assess the potential risk in exposing that material to third parties, including the risk of outsourcing work involving proprietary material to countries without a strong record of intellectual-property protection.

Once a company has inventoried its data and intellectual property, it should set out clear procedures and policies for handling that data and for keeping confidential information private. Businesses should implement widely recognized standards for data-management security, such as ISO standards, and make sure that third-party technology contractors comply with such standards as well. The security procedures should cover everything from the mainframe to the laptop.
Enforce In-House Security

As part of a concerted focus on security, companies need to enforce their in-house security measures. That effort should be driven by top management, and its importance should be continually stressed to employees. Companies should educate employees as to proper procedures for handling proprietary information.

Along with establishing and communicating security standards to employees, companies should make a concerted effort to examine data security at every stage of the information lifecycle, from collection through storage and transmission. Criminals seek to attack corporate security at its weak points, so companies need to make a thorough assessment of their vulnerabilities at every point in the process.
Create Security Audit Checklists

To keep track of their data-security programs and to ensure that they are up-to-date, companies should devise audit checklists to periodically evaluate and test their data security. Along with scheduled evaluations, companies should regularly update their procedures to take into account both new risks and new technologies.

Extend Security Beyond Technology to Employees

While making sure that their networks and their security procedures are strong enough, companies should not limit their measures to technology but should also take into consideration the human element. Employees remain a major source of breaches, through both inadvertent mistakes and willful misconduct.