In early September, it was revealed that a large credit reporting company had been successfully hacked by an entity unnamed as of this writing. It is now considered one of the largest breaches in memory because this particular company held sensitive information – social security numbers, names, home addresses, and more – on at least 143 million Americans.
Much has already been written and said about this hack, and understandably so. While data breaches are a prevalent problem these days, there are still best practices to guard against this type of attack, as well as steps that organizations should promptly take in the hours and days after a breach is detected or reported. Enterprises would be wise to take a close look not only at the details of this hack, but also to use it as an opportunity to review their internal information security protocols and those of any third-party shared service providers.
Here are three lessons from one of the largest data security breaches in history.
1. It Matters Who Handles Your Enterprise Data
Because the breached company is a credit reporting agency, most of the individuals affected by this hack never signed up for its service – their information was likely provided to the breached organization by yet another company that was performing a routine credit check on the individual. Your enterprise will have more control over who gains access to your proprietary data than the individuals affected in this hack did. Therefore, it is important to know what to look for.
Look for providers who offer a ‘defense-in-depth’, or layered, approach to data security. This military-inspired approach provides successive layers of security measures to make life much harder for unauthorized users trying to access information or internal systems. With no shortage of potential targets for hackers to choose from, implementing successive layers of defense may be enough to discourage an attack and push the attacker on to their next target, which may not be as time-consuming or difficult to penetrate.
2. Look for a Partner Who Offers the Following:
There are also a few industry-standard security certifications that any third-party provider who will be handling your data should hold. These include ISO certifications, SSAE16, PCI, and FISMA documentation.
Different industries require different types of security. For instance, a healthcare vendor will need to make sure a potential communications partner or enrollment platform provider is HIPAA compliant. For financial services, the parameters might differ, but they are no less stringent. Nearly every financial services provider and monetary institution is subject to the Gramm-Leach-Bliley Act – a strict code of laws on protecting private financial information. Further, the Dodd-Frank Wall Street Reform statutes, as well as the Consumer Protection Act, both set the standard for what is “reasonable and appropriate” for protecting user information. Firms in these industries must be especially careful in vendor selection.
A worthwhile vendor should be able to demonstrate that its own security protocols go beyond holding the certifications described above and comply with the sets of laws mentioned in the previous paragraph. Demonstrated proficiency in these areas is a solid indicator that a potential shared services partner has a thoughtfully designed, best-practice security protocol in place.
What a provider does after a breach is detected is almost as telling as the steps it takes to prevent one in the first place. Shared service partners who can provide a data breach response offering that is standardized, tested, and ready to be put into action should be given preference. Look for one who can offer notification, contact center, and project management services, all within a separately secured environment, so that your enterprise will have a viable go-forward strategy for dealing with such an incident. Some providers also offer these services on a standalone basis, for enterprises already under contract with providers who lack these crucial capabilities.
3. Do Your Own Due Diligence
Don’t simply rely on the sales pitch of a potential shared services vendor – do your own research. What exactly should you be considering to vet a potential partner who will be helping you manage or leverage your proprietary data to gain insights, create communications, or process invoices? Here are some ways to help you narrow the scope and home in on effective information:
- Know state and federal laws: While there is a growing body of law built around the protection of private information online – there is less codification in terms of what an enterprise must do after a breach. Disclosure laws vary state-to-state, and can be surprisingly lax. Therefore, it’s important to talk to potential providers about their own, internal protocols for breach notification and damage mitigation.
- Know what a good protection plan looks like – and ensure potential partners have these policies in place: Similar to the information security certifications discussed earlier in this article, federal laws around these issues provide only the most basic protections. Worthwhile vendors will go much further, using a defense-in-depth approach, multi-key encryption, or any number of other intensive security measures.
- Work to learn the provider’s past performance record in this area: Has this provider been hacked before? If so, how did they resolve the situation after the fact? Were clients quickly notified, and were all necessary steps – even the ones that come at a direct cost to the provider – taken? While past performance is not always a reliable indicator of future performance, in the case of a data breach, how a company has handled such an event in the past, or even whether it has been hacked at all, can be quite telling.
To conclude, while cybercrime has become a ubiquitous concern, critical business operations still need to be undertaken, including those that require data handling and management online. Therefore, it is essential to partner with service providers who can prove their dedication to protecting valuable and sensitive information through certifications, protocols, adherence to federal laws, and a proven track record of doing the right thing. With proper due diligence and by selecting the right service providers, enterprises can begin to take the steps necessary to effectively prevent these types of breaches in the future.