Regulations such as the Health Insurance Portability and Accountability Act for medical data, Sarbanes-Oxley for financial data and the Payment Card Industry standard for credit card data continue to move executives to action. The threats of fines and jail time tend to do that. For example, 44 percent of respondents say they test their organization for compliance with whatever laws and industry regulations apply, up from 40 percent last year; 43 percent say they monitor user compliance with security policy, a healthy increase from last year's 37 percent. Assessing internal risks to compliance is something 55 percent are doing, up from 49 percent.
But let's not pass around attaboys too quickly. Note that even with such positive steps, those numbers are far from 100 percent. Many organizations aren't doing much beyond checking off the items spelled out in regulations-and basic safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group, former chief information security officer at Microsoft, and former CISO and VP of IT risk management at AT&T.
Adhering to regulations and standards doesn't amount to thorough security policy, Worstell says, for many reasons. For one, organizations can sometimes pass compliance audits simply by writing up policies, without demonstrating how they adhere to them. Other times, the standard or regulation may have holes.
PCI, for example, mandates that a firewall be installed to protect cardholder data. But Worstell says the standard doesn't address whether a company has processes to ensure that once a piece of technology is installed, it's regularly upgraded or monitored to see how effective it is. "If security stops at PCI, that's not enough," she says. Hannaford Supermarkets experienced the theft of customer credit and debit card data from December 2007 to last March, a period when the grocery chain was certified compliant with PCI, "the highest security standards required by the credit card industry," the company says.
Neither is it enough if security monitoring stops within your own four walls. But that's exactly what's happening. A dirty secret uncovered in this year's poll reveals that companies don't know, and apparently don't care to know, what happens to their data once they hand it to another company. Get ready to be disturbed.
Outsourced Out of Sight, Security Out of Mind
Here's one of the most worrisome of our findings this year: A skimpy 22 percent of respondents keep an inventory of all the outside companies that use their data.
If that isn't enough to make you wince, we've got more. Just 37 percent of our survey respondents require third parties handling the personal data of customers or employees to comply with their privacy policies. Even fewer-28 percent-perform due diligence of those third parties to understand how or whether they safeguard information. Yet 75 percent of respondents profess at least some level of confidence in the effectiveness of their partners' security. Isn't that rosy?
Yet due diligence on any outsiders that handle your data is more important than ever as companies parcel out corporate work of all sorts to third parties, says Tom Bowers, managing director of Security Constructs, an industry analysis firm specializing in trade-secret protection technologies. In that respect, pharmaceutical companies can teach other industry verticals a great deal, he says.
Bowers was senior manager of global information security operations at Wyeth Pharmaceuticals for seven years before starting Security Constructs. Bowers's security group subjected potential Wyeth business partners to detailed scrutiny of their security practices. He had to. "We were responsible for protecting intellectual property no matter where it sat. Here or with an outsourced clinical trials company in Dublin. Wherever."
Ken Harris, CIO at Shaklee, says every company should make sure its outsourcers have the same security as its own-or better. "You vet the security and disaster recovery of your outsource providers in the same way you would vet your own operation," he says, adding, "It does take time and resources."
Companies skip this security check, though, because it's expensive and time-consuming, says PwC's Lobel. Checking out a partner's security and privacy practices would take at least one full-time employee at least two days for the smallest company, he estimates. "A large company may have literally thousands of partners," he says.