Customer confidence and trust are vital to an organization's business initiatives and long-term market viability. Businesses have a responsibility to their customers to protect confidential customer information. Through the development of a strategic risk road map, businesses can better manage and plan for upcoming identity and data theft risks. Knowledge Center contributor Sidney L. Pearl offers steps businesses can take to protect sensitive consumer data and identities.
today's global economic climate, consumers are wary of businesses'
ability to not only secure their operations, but also the sensitive
consumer information that passes through their systems. Consumers are
seriously concerned about the misuse of personal information. This
reflects a grim reality for organizations; data and identity theft can
no longer be considered simply as an acceptable risk of doing business.
If organizations do not take the right steps to address the risks
associated with vulnerable people, processes and technology, they face
the hazard of losing a critical component for business success:
Today, executives are faced with a serious challenge in determining
how to manage the risks they cannot see. Data security is threatened
from many angles. First, the threat of intentional theft is higher,
perpetrated by either the disgruntled employee with easy access to
sensitive customer information, or the sophisticated hacker community
developing advanced phishing kits to trap consumers into sharing
identification details. Second, inadvertent breaches can occur because
of weak IT and data security systems and controls-either inside the
organization or within a company's business partner with which it
shares critical data.
There is no one solution for this growing problem. But establishing
a strategic plan through the development of a risk assessment analysis
and roadmap can help identify threats and mitigate the risks that
threaten an organization's success. To manage the risk to one's
organization in today's environment, companies must employ a practical
approach that takes into account the people, process and technological
risks to their business.
The following is a strategic risk framework that can provide
organizations guidance on the development of a holistic, multi-layered
approach to protecting data and consumers' identities. The key
strategies to accomplishing this are:
Strategy No. 1: Attain executive sponsorship and support
Incorporate a data loss prevention program that business executives
can understand and support. By implementing a robust, business-driven
and scalable anti-fraud strategy that employs a multidimensional
approach to detecting suspicious patterns and behaviors, organizations
can gain control over sensitive data, reduce the cost of breaches and
develop a greater visibility into how data are utilized throughout
the organization. The strategy should involve senior management and
general counsel and be part of the organization's ingrained security
culture. Leaders should promote the strategy through consistent
procedures and processes throughout the organization.
Strategy No. 2: Assess the risks
Perform periodic risk assessments to identify vulnerabilities and
measure the risk. The risk assessment measures the likelihood of a data
security breach within the organization, while identifying areas of
concern in the business and documentation to help estimate the success
of the program.
Strategy No. 3: Align identified risks to strategic objectives
Create a program based on a holistic approach that views data
management and security as an ongoing concern in the organization from
the perspective of the business, technology and people. Dealing with
these risks requires decision-making capabilities based on open lines
of communication and an organization-wide view of the business. The
approach should employ a user-friendly and flexible platform that
fulfills the requirements of regulatory bodies and provides a
foundation for swift and coordinated responses to breaches.
Strategy No. 4: Predictive risk analytics automation
Whenever possible, utilize automation for predictive behavioral and
pattern-based analysis to identify and contain fraud more quickly and
accurately, while managing the investigation and documentation process
Strategy No. 5: Know your business partners
As the need increases to share data outside your company's
boundaries and beyond the scope of its IT control, ensure that your
business partners take data security as seriously as you do and require
the same level of data protection. Executives must be sure that
strategic partners and vendor teams share the same priorities such as
addressing the issues of fraud and information leakage, as well as
Organizations with effective business, process and technology risk
mitigation strategies can better safeguard customer data from phishing,
fraud and identity theft. As a result, they will be better able to
maintain the trust of their customers and be regarded as reputable
institutions with which to do business.
Sidney L. Pearl is director of the Enterprise Security Solutions Management group for Unisys'
Global Financial Services business. Sidney's group has worldwide
responsibility for defining and managing the company's fraud, risk
management and enterprise security services offerings for the financial
Sidney is a Certified Information Systems Security Professional
(CISSP), an ISO 27001 Information Security Management Auditor, and is
National Security Agency (NSA) INFOSEC Assessment Methodology
(IAM)-certified. He can be reached at Sidney.Pearl@unisys.com.