Gerhard Lindenmayer recently decided that the time had come to completely overhaul his company's data security process.
The growing number of customer data breaches made it clear to Lindenmayer, CIO of telemarketer DialAmerica, that he needed to establish a better method of protecting his clients' data-especially in the case of sharing information with third parties. "Until five years ago we didn't even have any security on the doors," Lindenmayer says. "But we've gone through some awakening years and now we've turned it around completely."
DialAmerica isn't alone in facing this growing threat. More than ever customers' personal and private data is being shared between organizations-particularly in such industries as financial services, healthcare, and insurance that house large amounts of sensitive customer information-thus increasing the risk of data security breaches.
Prat Moghe, chief technology officer and founder of Tizor, a provider of data protection solutions, says one of the biggest challenges for these enterprises is that they have suddenly been forced by law to share customer data with partners and aren't prepared internally. Such circumstances have placed them at risk for breaches. "They don't know how much data they have or where it is," Moghe says. "We have companies that have said, 'We have social security numbers, but we don't know where they are; we don't know where the data is sitting, let alone who is accessing it, or when it's being accessed.'"
Arabella Hallawell, research vice president of Gartner's security and privacy organization, says companies that deal with a large number of third parties face this challenge because often they are unaware of the transfers happening and don't have the power to enforce security procedures on the third party. "If it's a partner, you can't necessarily dictate the security practices that you want to see because you may be totally dependent on a business partner to provide certain functions," Hallawell says. "It's a lot easier to control security when a third party is coming into your organization because you can dictate adequate controls."
Hallawell says future legislation should start driving change, but until that happens, she recommends three steps to take when sharing data with partners: define the contract terms for security, require the third party to provide an audit, and limit how widely certain types of information are distributed.
DialAmerica's approach is to lead its partner companies in establishing data security best practices. Lindenmayer says the organization is even more secure now than its bank clients. Even so, its data security process continues to evolve.
A cornerstone of the process is an in-depth employee information security policy, created in 2001. CEO Art Conway met every day for weeks with small groups of the company's 300 employees to walk through the policy. "It's important that they know what's expected of them and what they need to do," Lindenmayer says. "They were also personally handed a copy of the [security policy] book." In addition, employees were tested to determine if they read the manuals. The company also decided who could access customer data, established controls, and determined how to dispose of data.
A cross-functional team, led by an information security officer, continuously enforces and improves the security policy. It also meets regularly to inspect the enterprise in search of possible breaches. Lindenmayer says that as a result DialAmerica has never experienced a data breach. "When we run out of things that can be improved, we rotate and go through the process over and over," he says. "Security is an ongoing thing; it's something you have to do every day. Having a system that tells me that someone is hacking into my network doesn't do any good unless I monitor the log on a daily basis."
Lindenmayer says the company's information security officer controls the policies and a network security group reports to him. Another group, called Microsystems, oversees the servers and storage systems. In addition to establishing governance, DialAmerica underwent a "hardening" of systems in which all servers were updated and patched with antivirus definitions. On the network side, once a year the company conducts penetration testing on its firewalls,
in which a hired firm tries
to hack into DialAmerica's network. Afterward it scores the company on how well the network withstood the breach.
"We're pretty diligent about staying on top of the technology," Lindenmayer says. "It's a state of mind you have to be in. There's no one thing in particular you can do to keep your data safe. It has to be a layered approach-physical security, logical security, and network security, and one has to complement the other."