Data Security Should Be in Everyone's Job Description
In the research, 68 percent of CISOs and IT leaders said their senior corporate executives did not perceive cyber-security as a priority. Fewer than half (47 percent) believe their organizations have sufficient resources to meet their cyber-security requirements.
"The most surprising finding was the slow progress companies are making, even now," Ponemon says. "A lot of companies are slow-moving on cyber-security and ensuring that their data is handled properly."
In a similar report released in the fall, Forrester Research noted that outside of banking and national defense, many industries are "woefully immature" when it comes to making the necessary investments in data breach protection, detection, and response.
This prompted Forrester to conclude that most enterprises will not be able to respond to a data breach without undermining their customers' trust or dragging their own corporate reputations through the mud.
And once they're in that kind of mud, it's very hard for companies to dig themselves out. "The biggest commodity a business loses in a breach is the trust of its customers, and that is very hard for them to win back," Velasquez says. "If you can't be trusted to be a good steward of my information, I'm simply going to stop spending money with you."
A recent Deloitte survey backs this up. According to the research, 59 percent of consumers said that a single data breach would negatively impact their likelihood of buying products from a company. Conversely, eight in 10 said they would be more likely to buy from companies that they believe are taking adequate steps to protect their personal information.
Tied into the issue of trust, Velasquez suggests that companies should be forthcoming with customers as quickly as possible after potential data breaches. It's far better, from an image standpoint, for customers to hear the bad news directly from the company than for the breach to be exposed by third-party watchdogs or government regulators, she says.
Then companies need to have an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breaches significantly and goes a long way toward reassuring customers who might have been thrown into a panic.
Better still, companies need to prevent data breaches from ever happening in the first place. That is the clear mandate from customers, privacy advocates, and industry experts.
"Protecting customer information is the most important thing for companies today," says Bob Siegel, founder and CEO of Privacy Ref, a Boynton Beach, FL-based provider of privacy consulting services.
The first step toward that goal is having a high-level company executive who is responsible for data security. Ideally, this should be someone with a CISO title.
Also key to addressing information security is first understanding what customer information is stored in company databases. "Do a data inventory and determine what data is sensitive," Ponemon says. "Then segment out the sensitive and nonsensitive data."
"Systematically purge the data that you no longer need," Loeser adds. "Hackers can't steal data that you don't have."
But even after doing that, companies will still have a lot of data about their customers, and that is not likely to change. All that data has to be protected, which isn't easy, given all of the vulnerabilities.
Data security can be complicated, but it's not impossible, and there are even a number of low-cost measures that companies can take to reasonably protect their customer data.
A PUSH FOR PCI COMPLIANCE
"PCI compliance is a good starting point," Ponemon advises.
The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted set of security requirements that includes guidelines for building and maintaining secure data networks, protecting cardholder data, controlling access to the data, monitoring and testing networks, and ensuring that information security policies are maintained and enforced.
Among the standards, PCI recommends that companies first take an inventory of all of their IT assets and business processes and analyze them for vulnerabilities that could expose cardholder data. The next step, of course, would be to fix those vulnerabilities.
"There are dozens of companies that you can hire to find those vulnerabilities," Loeser says.
In fact, a whole industry has cropped up around just that need. The term "white hat" refers to an ethical computer hacker or computer security expert who specializes in data systems penetration testing and exposing weaknesses in organizations' information systems.
Some companies might try to do these assessments on their own, but Siegel and other experts advise against this. "It's best to have an outside, third party come in and do [the security assessment]," Siegel says, "because he's not looking at anything with rose-colored glasses."
This assessment, Siegel suggests, should be performed at least once a year.
"And it should look at how the company's [data security] program is meeting industry best practices, government regulations, and the company's business objectives," he adds.
Additionally, the PCI standards require that companies encrypt cardholder data being transmitted across open, public networks, and never send payment card information over an unencrypted medium, such as chat, text messaging, or email. Encryption, though not foolproof, can be very effective. Loeser calls it "the touchstone of any reasonable approach to protecting personal information." Encryption, he adds, "creates a substantial roadblock, especially for the low-level hacker."
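Two of the practices above, the data inventory Ponemon describes ("determine what data is sensitive") and the PCI rule that payment card information must never travel over an unencrypted medium such as chat, text messaging, or email, both depend on being able to recognise cardholder data where it should not be. The following is an added example, not code from the article or from any source it quotes: a small Python scanner that finds Luhn-valid card numbers (13 to 19 digits, with optional space or dash separators) in message text and reports them masked, so a data inventory or an outbound-message check can flag them. The message lines are constructed for the example; the card numbers are the public test numbers 4111 1111 1111 1111 and 4242 4242 4242 4242, and the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the check digit scheme payment card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number found in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_messages(messages: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag each message on an unencrypted channel that carries a card number."""
    findings = []
    for channel, body in messages:
        for pan in find_pans(body):
            findings.append({"channel": channel, "masked": mask_pan(pan)})
    return findings


# Constructed sample traffic: two messages carry card numbers, one carries a
# 16-digit order id that fails the Luhn check, one carries a short one-time code.
SAMPLE_MESSAGES = [
    ("chat", "customer says card is 4111 1111 1111 1111 exp 12/29, can you rerun it?"),
    ("email", "Order 1234567890123456 shipped to the billing address on file"),
    ("sms", "Your verification code is 482913"),
    ("email", "please charge 4242-4242-4242-4242 for the remaining balance"),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding['channel']}: card number present ({finding['masked']})")
```

The Luhn check is what keeps the order id from being reported: a 16-digit run alone is not evidence of cardholder data, but a 16-digit run that also passes the card industry's own checksum almost always is. The masked form is all the scanner emits, so the finding itself can be logged without creating another copy of the unprotected number.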