Shilpi Dey - Product Marketing Manager
It arrived in a nondescript envelope, similar to the ones promising exciting credit card offers. I would have tossed it in the recycling bin without opening it, except that it was from one of the banks (let’s call it bank “B”) where I had an account, and something made me pause and break open the seal. The letter inside explained that some CDs and tapes containing some of my personal information were lost while being transported to an off-site storage facility. The letter reassured me that security is Bank B’s top priority; however, their archive services vendor had notified them that they could not account for one of several boxes of tapes and CDs being transported to their off-site storage facility. The missing media contained personal information such as name, address, Social Security number and/or shareowner account information. I was especially relieved that, though Bank B had not yet determined the “nature and scope” of the incident from their forensic investigation, they had “no reason to believe any of my information was improperly accessed or misused as a result of the incident”.
This incident left me rattled. The fact that I had to rush out and get the credit monitoring services that Bank B kindly provided, or that they did not believe any information was “improperly accessed”, was small consolation. My fear and exasperation soon turned to irritation with Bank B. After all, it was Bank B’s duty to protect its employees, customers, investors, and of course, itself! Needless to say, many customers proceeded to sue Bank B. So not only did Bank B’s reputation suffer, but rectifying the situation may also affect Bank B’s bottom line.
So what went wrong? How does a reputed investment bank make a silly blunder like this that costs it millions? With all due respect, Bank B, the answer is simple – it was your security strategy (or lack thereof). Too many enterprises today scramble after an event such as this one to piece together a security policy. Alternatively, if they do have a security policy in place, the next hurdle they face is deciding on a strategy to implement it.
The key (pun intended) to a comprehensive security strategy, and one that will work in the real world, is to identify where data within an organization is at risk. Once areas of risk are identified, a good security strategy mitigates the risk of data loss by protecting and managing this data. Without doubt, the most secure way to protect data is to encrypt it: a lost tape or CD whose contents are encrypted is useless to whoever finds it, because encryption ensures only authorized users, those holding the key, have access to the data. Additionally, a good management solution would automatically enforce policies, provide capabilities such as user and key management, and provide a means to demonstrate compliance with data privacy laws and regulations.
Even the smallest data breach can cost an organization. Organizations need to ensure that they identify data at risk and put a risk mitigation strategy in place to avoid the consequences of a data breach. Unfortunately, until and unless enterprises start taking this holistic approach to security, stories such as Bank B’s will continue to make headlines, violate regulations, affect consumers, and hurt the bottom line.