Intelligent businesses walk the security journey every day, whether management models security-smart behavior in the office or IT stays abreast of the latest technology developments. But for newcomers those first steps can feel like major leaps, especially if it involves getting coworkers, employees and executive management on the path.
Discussion prompts action, and I’ve found over my years in corporate management and data security that these four simple questions can often get the ball rolling:
1. When it comes to the protection of your confidential company information—the information entrusted to you by your customers, clients and employees—do you have it right? What about other sensitive company information regarding financial, strategic, intellectual property and other sensitive data?
Having it right isn’t as easy as it sounds. There are administrative, operational and systemic considerations. Is the information really protected as it is collected and/or acquired; as it is transmitted; as it is used; and as it is stored? And is it handled with a sense of importance by your employees with an understanding of the threats, vulnerabilities, and consequences of loss, as well? That is to say, are there outlined policies and procedures for the collection, retention, use and disposal of that information that is accompanied by appropriate awareness communications, training and management reinforcement?
2. Are you confident that you, your management team, and your IT shop understands the complexities and interrelationships of the legal, regulatory, operational, and systemic data risk management protection requirements for sensitive material?
Questions of legality and compliance compound if your business handles Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry Data (PCI) or other sensitive and classified data. An important follow-up question is, Has your team responded to threats against these kinds of data with appropriate protection measures?
3. If your company’s financial system or bank access credentials were compromised and funds were stolen from your accounts, would your bank immediately repay those funds? Would the loss be covered by the current insurance that you have in effect?
These answers might not be as straightforward as you think. Bank policies and insurance policies vary greatly when it comes to commercial financial fraud and data breach.
4. If your company’s confidential information was compromised by a data breach tomorrow, would you know what to do? Do you have the appropriate plans and resources in place to respond effectively? If so, has this plan be vetted and tested?
Prevention and response, ultimately, is the name of this game. By looking hard at these four questions you’ll be able to realistically gauge where you are—and where you need to go—on the journey that is sound data security.
With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.