Thanks to the great people at SC Magazine for publishing this piece of mine.
(http://www.scmagazineus.com/The-privacy-security-advantage/article/130470/)
Here is the longer, unabridged version:
Using privacy & security as a competitive advantage
There is an old axiom in marketing circles that it costs significantly more to acquire new customers than to retain and service the ones you already have. With the business environment slowed for now, showing additional 'value added' services, rather than simply a lower price, is critical for many companies higher up the value chain that provide a service. Clients should particularly value a competent privacy and security program at their service providers, since it will not 'cost' them any more than they already pay for the expectation that their data is safe and secure.
Any company that is accountable to customers and doing business in these dire financial times should take a good, hard look at what more it can bring to those customers beyond the primary product or service it already provides. In addition to being a great marketing and selling opportunity, this introspective look for security and privacy 'value' gives a company the chance to use what it uncovers as a differentiating factor: a competitive advantage.
A company with a solid, mature security and privacy program is well advised to make that fact known both to its marketing and sales teams and to its customers. Privacy and security competence matters more than ever in this precarious financial environment. Rather than the 'distraction' of making money hand over fist, the focus for many companies is now on keeping existing customers satisfied rather than only worrying about adding new ones to the fold.
How can an organization best position its privacy and security programs and oversight as a competitive advantage? First, of course, you need to ensure that the program is robust, well tested, formally documented, and meets or exceeds whatever legislation your company is subject to or regulated against (Gramm-Leach-Bliley, HIPAA, etc.). Aligning your programs with a framework such as the NIST SP 800 series or ISO 27001 is an excellent way to ensure that they at least meet a design framework that is accepted and understood by your market or vertical.
It is critical to give your customers a point of reference for the validity of your programs so they can easily translate the value into a currency they recognize. If your clients are banking institutions, for instance, it makes a lot of sense to build your privacy and security programs around the Federal Financial Institutions Examination Council (FFIEC) guidance, since most banks, thrifts, savings and loan institutions and credit unions are regulated by the agencies that make up the FFIEC (OCC, OTS, FRB, FDIC and NCUA). Doing this makes it easier for your banking clients to get their auditors or regulators comfortable with using your firm as a service provider, and helping them successfully navigate audits makes you a valuable partner. Your customers really begin to derive value from well-designed and real-world-tested programs when they realize that the extent and thoroughness of your own internal testing lets them scale back their own due diligence and oversight of your firm.
Companies doing business in the US, especially in the financial and health care sectors, already face a litany of legislation, mandates and guidance that they are regulated and tested against quarter after quarter, year after year, and they can realistically expect such federal and state legislation to only get stricter, more onerous and more invasive. Most companies already perform, or have a third party perform, some kind of internal and/or external assessment, ranging from simple perimeter vulnerability scans to intrusive penetration tests of web-facing applications. If you are having these done, leverage the results: scrub them of confidential or proprietary detail (IP addresses, hostnames and the like) and provide your clients with executive-summary versions of the reports, showing not only that you constantly evaluate the security of your network but that an independent third party is doing it for you. Do the same with any other internal and external audits, assessments and oversight that you can reasonably share (under a non-disclosure agreement where appropriate), by crafting those documents, or summaries of them, into something consumable by external parties. It has been my experience that clients, especially their security teams, really appreciate this effort.
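As an added illustration of the scrubbing step (this is example code written for this page, not anything from the original article or from any scanning vendor), the following Python script redacts the internal identifiers a raw assessment report typically contains before it is turned into a client-facing summary. It replaces each distinct IP address, network range, internal hostname and e-mail address with a stable placeholder, so a reader can still tell that two findings hit the same host without learning which host, and it includes a release check that refuses the hand-off if any identifier survives. The sample report text and the internal domain `corp.example.com` are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a third-party scan report (not real data).
SAMPLE_REPORT = """\
Vulnerability Assessment - Executive Summary
Scope: 10.20.30.0/24, 192.168.4.17, vpn-gw01.corp.example.com
High: TLS 1.0 enabled on 10.20.30.5 (https) and 10.20.30.5 (smtps)
Medium: Outdated OpenSSH banner on 192.168.4.17 (ssh)
Contact: netops@corp.example.com
"""

# Dotted quad with an optional /prefix. Deliberately loose: over-redacting a
# version string is cheaper than leaking an address.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def _hostname_re(internal_domains: Tuple[str, ...]) -> "re.Pattern":
    """Match any host label(s) under one of the assumed internal domains."""
    alts = "|".join(re.escape(d) for d in internal_domains)
    return re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:" + alts + r")\b")


def scrub_report(text: str,
                 internal_domains: Tuple[str, ...] = ("corp.example.com",)
                 ) -> Tuple[str, Dict[str, str]]:
    """Replace internal identifiers with stable, numbered placeholders.

    The same address always maps to the same placeholder, so the summary still
    shows that two findings concern one host. Returns (scrubbed_text, mapping);
    the mapping is the key back to the real identifiers and must not leave the
    organisation with the report.
    """
    mapping: Dict[str, str] = {}

    def placeholder(kind: str, value: str) -> str:
        if value not in mapping:
            n = sum(1 for v in mapping.values() if v.startswith(f"[{kind}-")) + 1
            mapping[value] = f"[{kind}-{n}]"
        return mapping[value]

    # Order matters: e-mail addresses contain hostnames and hostnames may
    # contain digits, so scrub the most specific pattern first.
    out = EMAIL.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    out = _hostname_re(internal_domains).sub(
        lambda m: placeholder("HOST", m.group(0)), out)
    out = IPV4.sub(
        lambda m: placeholder("NET" if "/" in m.group(0) else "IP", m.group(0)), out)
    return out, mapping


def leaked_identifiers(text: str,
                       internal_domains: Tuple[str, ...] = ("corp.example.com",)
                       ) -> List[str]:
    """Release gate: every identifier still present in the text. An empty list
    means the document may go to the client; anything else blocks the hand-off."""
    found = EMAIL.findall(text)
    found += _hostname_re(internal_domains).findall(text)
    found += IPV4.findall(text)
    return found


if __name__ == "__main__":
    scrubbed, key = scrub_report(SAMPLE_REPORT)
    print(scrubbed)
    print("remaining identifiers:", leaked_identifiers(scrubbed))
```

The mapping returned by `scrub_report` is the key back to the real identifiers and stays inside your shop; only the scrubbed text goes out. A regex pass like this is a floor, not a ceiling: run it before a human review, not instead of one, since a report can name a system in prose ("the payroll server") just as easily as by address.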
Any attestation, especially an independent one, that your controls are in place and functioning properly gives clients a sense of comfort. It may relieve them of much of the burden of overseeing you as a service provider, saving them time and money, or at least minimize the intrusion of each and every client and their auditors tramping through your shop.
Another innovative way to deliver a competitive advantage today is in the realm of vendor management. This discipline is quickly becoming a high-profile topic of discussion between clients, customers and their service providers. The onus is on you to demonstrate oversight of your third-party service providers, and you need to show especially robust oversight controls where those third parties are perceived to be higher risk, such as an overseas provider. If you outsource some of the work your clients have turned over to you, those clients may ask, "Why am I outsourcing to you if you in turn outsource?" This is where you point out your management and oversight of those vendors, and how you assume full accountability for the controls in place and for the robustness of those controls. It is also where you have the "value add" conversation and demonstrate why your clients placed their trust in you in the first place; it is a key selling point your company can use to distinguish itself from competitors. It will resonate especially soundly with any clients that give you access to or control over their sensitive customer data, proprietary information or intellectual property.
Lastly, an easy way to show privacy and security competence over competitors is in the oversight of employees and their access controls. This long-neglected, decidedly unsexy discipline is now, like vendor management, starting to get the attention it deserves. Most studies of risk show that internal employees who already have access to the company network pose the biggest threat: the malicious insider. One of the best ways to show oversight and mitigation of this risk is regular entitlement reviews, in which each user's current access is compared against what their current role actually requires, and anything outside that baseline is either revoked or explicitly re-approved by its owner. Nothing can prevent a trusted employee from going 'rogue' one day, of course, but habitual review of access will minimize the damage from people who no longer have a need-to-know reason to reach the critical and sensitive applications and data that may represent the lifeblood of your company.
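As an added example (written for this page, not drawn from the original article or from any product), the following Python script performs the kind of entitlement review described above over constructed data: an HR roster, a per-role access baseline and a list of current grants. It flags grants held by terminated or unknown accounts, grants outside the holder's role baseline and grants that have not been used within the review window, and recommends revoke or recertify for each. The users, roles, systems and dates are all made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# All roster, baseline and grant data below is constructed for the example.


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    active: bool        # False once HR records a termination


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    level: str          # "read" or "admin"
    granted_on: date
    last_used: Optional[date]   # None: never used since logging began


@dataclass
class Finding:
    user: str
    resource: str
    level: str
    reasons: List[str]
    action: str         # "revoke" or "recertify"


ROSTER: Dict[str, Person] = {p.user: p for p in [
    Person("asmith", "loan-processor", True),
    Person("bjones", "loan-processor", True),
    Person("cwu", "dba", True),
    Person("dlee", "underwriter", False),      # terminated
]}

# Need-to-know baseline: the (resource, level) pairs each role is entitled to.
BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "loan-processor": {("los", "read"), ("doc-imaging", "read")},
    "underwriter": {("los", "read"), ("credit-bureau", "read")},
    "dba": {("los", "read"), ("los-db", "admin")},
}

GRANTS: List[Grant] = [
    Grant("asmith", "los", "read", date(2008, 6, 1), date(2009, 4, 10)),
    Grant("asmith", "credit-bureau", "read", date(2007, 2, 1), date(2008, 1, 3)),  # left over from an old role
    Grant("bjones", "los-db", "admin", date(2009, 1, 15), date(2009, 4, 14)),      # admin outside role
    Grant("cwu", "los-db", "admin", date(2008, 3, 1), date(2009, 4, 15)),
    Grant("dlee", "los", "read", date(2006, 9, 1), date(2009, 3, 2)),              # terminated user
    Grant("ghost", "doc-imaging", "read", date(2005, 1, 1), None),                  # no HR record at all
]

AS_OF = date(2009, 4, 16)   # review date, constructed


def review_entitlements(grants: List[Grant], roster: Dict[str, Person],
                        baseline: Dict[str, Set[Tuple[str, str]]],
                        as_of: date,
                        dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Compare every grant against HR status, the role baseline and recent use."""
    findings: List[Finding] = []
    for g in grants:
        reasons: List[str] = []
        must_revoke = False
        person = roster.get(g.user)
        if person is None:
            reasons.append("no HR record (orphan account)")
            must_revoke = True
        elif not person.active:
            reasons.append("user terminated")
            must_revoke = True
        elif (g.resource, g.level) not in baseline.get(person.role, set()):
            reasons.append(f"not in baseline for role '{person.role}'")
        if g.last_used is None or as_of - g.last_used > dormant_after:
            reasons.append(f"not used in {dormant_after.days} days")
            must_revoke = True
        if reasons:
            # Out-of-role access that is actively used goes back to its owner
            # for an explicit decision; everything else is removed.
            findings.append(Finding(g.user, g.resource, g.level, reasons,
                                    "revoke" if must_revoke else "recertify"))
    # Admin-level problems first so reviewers see the riskiest items on top.
    findings.sort(key=lambda f: (f.level != "admin", f.user))
    return findings


def run_review() -> List[Finding]:
    return review_entitlements(GRANTS, ROSTER, BASELINE, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.action:10} {f.user:8} {f.resource:14} {f.level:6} {'; '.join(f.reasons)}")
```

The distinction between "revoke" and "recertify" is the point of the exercise: access that nobody can vouch for (orphaned, terminated, unused) comes off without debate, while access outside the baseline that is in active use is sent to its business owner to approve in writing or remove. Those written approvals are exactly the evidence an auditor or client asks for.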
Still need justification for your programs? The benefits of a competent privacy and security program are myriad, and more visible and tangible than ever. Don't just analyze what it costs to administer your programs (FTEs, software, etc.) or even what the ROI may be (if you can even calculate it). The hard and soft costs of damage to a brand or reputation from a breach or compromise may be incalculable, and may make it very difficult or impossible to woo back former clients who left because of the breach, or worse, to woo new clients into the fold. How's that for justification?
Privacy and security are typically good things. But the way they are implemented, or presented to real people to follow in the real world, is not always realistic. Sometimes it is just downright ridiculous.
Thursday, April 16, 2009
Wednesday, March 4, 2009
Identity Theft Tops FTC Complaint List.... Again
IN A PERFECT WORLD, when someone attempted to use data that is not theirs, the hurdles and roadblocks to successful authentication would prevent the illegal use of that data. It would be like finding a key but not having the matching lock to use it with: what good would having the key do you then?
The FTC recently noted that identity theft was the biggest consumer complaint again for data collected in 2007... no surprise there. What was interesting in the data was that although credit card fraud was at the top of the list in terms of percentages (23%), along with the usual suspects (loan fraud), the surprising information for me was the significance of other fraud: phone or utilities fraud (18%), employment fraud (14%) and government documents/benefits fraud (11%).
IN THE REAL WORLD, this data tells me that either fraudsters are setting themselves up for more sophisticated identity theft schemes by further compromising a stolen identity, or ordinary people who lack some basic resources and coverage are misrepresenting their identity to get a job, a health claim paid, or cable or phone service. Some of it is due to outright fraud, obviously, but I suspect a lot of it is due to the fact that some people either have no credit or lousy credit, cannot get a service or job on the merit of their own credit history, and have taken the low road of using someone else's good credit history. Either way, it is still a warning signal to us that our personal data is subject to compromise and misuse in many ways that may not be as evident as your monthly Visa bill showing a new flat-panel TV just purchased from Best Buy (that you didn't buy).
Studies of identity theft show that the perpetrators of this crime are typically people who are known to the victim (friend, family, tenant), as well as people who have physical access to the data. Rare is the clichéd situation where the hacker, wearing a ski mask and five-day stubble, intercepts your data during an online transaction. As security guru Bruce Schneier has said, making the data hard to get is not as practical an approach as making stolen data hard to use.
What do you think?
Monday, February 23, 2009
How safe is your financial data? Do you ask?
IN A PERFECT WORLD, when you hand over your sensitive data to a company or person with whom you are conducting a financial transaction, you almost unconsciously believe that the information will be secured in every way. How often do you question the recipient of your data on how it will be protected? We are getting more privacy savvy as consumers, but when someone at a doctor's office or big-box store asks for our Social Security number to complete a transaction, people generally hand over the number. And when the company that has your data moves locations or, worse, goes out of business, you never think about what they are doing with your data. You just assume it is securely destroyed and that's the end of it.
IN THE REAL WORLD, what usually happens is that your financial information, once received, is simply put in a computer or a hardcopy file. Sometimes it is secured; most times it is not, especially if the company is a small one. The article from the New York Times below got me thinking about some war stories I have heard from being in the mortgage industry. I remember someone recently told me that a small mortgage broker in their town suddenly went out of business one day, and all they did with their piles of mortgage applications was put them in boxes and out on the curb to be picked up by the trash collectors that week. It was a particularly blustery week in that town, and Form 1003 mortgage applications (the standard Uniform Residential Loan Application, the crown jewels of your financial life) were blowing down the street for anyone to see or pick up. Manna from heaven for identity thieves and ne'er-do-wells...
Next time you are asked to hand over data you consider personal or sensitive, ask the recipient, "Before I give you this information, how do you protect and secure it?" If they look at you like you're speaking Ukrainian (and you are not in Kiev), consider taking your business elsewhere. There have to be consequences for such negligence.
How Safe is Your Financial Data?
http://www.nytimes.com/2009/02/15/realestate/15mort.html?_r=1&scp=1&sq=how%20safe%20is%20your%20financial%20data?&st=cse