Today, executives are faced with a serious challenge in determining how to manage the risks they cannot see. Data security is threatened from many angles. First, the threat of intentional theft is higher, perpetrated by either the disgruntled employee with easy access to sensitive customer information, or the sophisticated hacker community developing advanced phishing kits to trap consumers into sharing identification details. Second, inadvertent breaches can occur because of weak IT and data security systems and controls-either inside the organization or within a company's business partner with which it shares critical data.
There is no one solution for this growing problem. But establishing a strategic plan through the development of a risk assessment analysis and roadmap can help identify threats and mitigate the risks that threaten an organization's success. To manage the risk to one's organization in today's environment, companies must employ a practical approach that takes into account the people, process and technological risks to their business.
The following is a strategic risk framework that can provide organizations guidance on the development of a holistic, multi-layered approach to protecting data and consumers' identities. The key strategies to accomplishing this are:
Strategy No. 1: Attain executive sponsorship and support
Incorporate a data loss prevention program that business executives can understand and support. By implementing a robust, business-driven and scalable anti-fraud strategy that employs a multidimensional approach to detecting suspicious patterns and behaviors, organizations can gain control over sensitive data, reduce the cost of breaches and develop a greater visibility into how data are utilized throughout the organization. The strategy should involve senior management and general counsel and be part of the organization's ingrained security culture. Leaders should promote the strategy through consistent procedures and processes throughout the organization.
Strategy No. 2: Assess the risks
Perform periodic risk assessments to identify vulnerabilities and measure the risk. The risk assessment measures the likelihood of a data security breach within the organization, while identifying areas of concern in the business and documentation to help estimate the success of the program.
Strategy No. 3: Align identified risks to strategic objectives
Create a program based on a holistic approach that views data management and security as an ongoing concern in the organization from the perspective of the business, technology and people. Dealing with these risks requires decision-making capabilities based on open lines of communication and an organization-wide view of the business. The approach should employ a user-friendly and flexible platform that fulfills the requirements of regulatory bodies and provides a foundation for swift and coordinated responses to breaches.
Strategy No. 4: Predictive risk analytics automation
Whenever possible, utilize automation for predictive behavioral and pattern-based analysis to identify and contain fraud more quickly and accurately, while managing the investigation and documentation process more efficiently.
Strategy No. 5: Know your business partners
As the need increases to share data outside your company's boundaries and beyond the scope of its IT control, ensure that your business partners take data security as seriously as you do and require the same level of data protection. Executives must be sure that strategic partners and vendor teams share the same priorities such as addressing the issues of fraud and information leakage, as well as compliance regulation.
Organizations with effective business, process and technology risk mitigation strategies can better safeguard customer data from phishing, fraud and identity theft. As a result, they will be better able to maintain the trust of their customers and be regarded as reputable institutions with which to do business.
Sidney is a Certified Information Systems Security Professional (CISSP), an ISO 27001 Information Security Management Auditor, and is National Security Agency (NSA) INFOSEC Assessment Methodology (IAM)-certified. He can be reached at Sidney.Pearl@unisys.com.