
by Alan E. Brill & Brian Lapidus
In both the public and private sectors today, the very thought of the leak, loss, or theft of sensitive personal data should keep even the most exhausted CEO (and CIO) awake.

The risk is real. Data is streaming out of companies at an alarming rate, with at least one new breach reported daily. It’s expensive: one well-known data broker settled with the FTC for $15 million in damages. And it can be a moving target – a breach first described as the largest in history was later revealed to be twice as big as originally estimated.

Businesses, nonprofits and government agencies face a host of regulations making it clear that they have a responsibility to protect data, and to make significant attempts to retrieve compromised or lost data. The consequences of noncompliance can be severe, potentially resulting in financial penalties, reduced stock value, loss of customer confidence, and lost sales revenue. Needless to say, it was a bit surprising when a global survey recently conducted by Kroll Ontrack revealed that 46% of respondents were not sure whether their company even had a general policy to comply with the applicable regulations.

If organizations know the risks and the rules, what are they waiting for? One answer is that it’s simply human nature to wait until something happens before acting differently. What’s more, who will volunteer to ask the CEO for time and money to strengthen weak spots and establish checkpoints to prevent an incident that may never happen? Even the data breach legislation that proliferates at both state and federal levels in the United States is squarely focused on notification – attempting to regulate what must be done after a breach has been discovered.

Granted, savvy business leaders know that when a problem occurs they can turn to certain companies that are very good at containing and cleaning up the aftermath of a potentially devastating event. Today, Kroll Ontrack is recognized as the world’s foremost data-recovery company, and Kroll’s Fraud Solutions practice is known for its comprehensive, integrated approach that addresses each phase of identity theft detection and mitigation. As professionals and leaders in our fields, our work on every project begins by asking “What is the best solution for this client?” Without question, the best solution starts before the breach occurs.

Because we work so many cases involving real-life incidents – not just sensitive data compromise, but hacking instances and failures of all sorts – we get a first-hand view of what goes wrong. We understand what constitutes effective security and when it’s not working right. And we see that many organizations tend to stumble over the same steps.
Critical elements are unidentified

In almost every business we serve, we find people who know everything. They are sure they know what’s on their networks, where data is stored, who has what kind of access to it, and so on. Quite often, they are wrong. How many servers does your organization have? What version of Outlook or Excel is your company running? Is the same true for your company’s other offices across the country or around the world? Do you share data with any of them? When was the last time you tested your business-continuity plan? Are users running systems on their local computers or networks that are not being managed by the IT department? What data are they keeping and using, and how are they protecting it?
Business users are unaware

Ask those questions of an IT person and you’ll get one answer. Ask someone in HR and you’re likely to get an altogether different reply. Certainly, it is neither feasible nor appropriate to expect everyone within the business to know all the functional and operational details. But it is imperative that the business users be involved in developing and testing the recovery plan.
The plan lacks senior-level support

We also call this “Everybody talks about business-continuity and disaster-recovery planning, but few do anything about it – and fewer still do it well.” Consider the organization that was tasked by its CEO to cover business-continuity and disaster-recovery planning. A dedicated IT staffer researched, located, and arranged the purchase of a $30,000 program to manage the planning process. The plan called for each department within the company to define daily operations, data needs, storage timelines, and disposal requirements – all perfectly logical elements to build in when creating appropriate security safeguards.

Realizing that senior staff and core team members would be required to stop working toward key revenue drivers (long enough) to manage the assessment of their business units, the CEO sidelined the plan. That was three years ago. Unless something intrinsically influential has happened since, that $30,000 solution is collecting dust while the company continues to collect, store, share, and use sensitive personal data.
Warnings are disregarded

Following a data incident, Kroll Ontrack was brought in to complete a root-cause analysis. We gave the client company a short list of recommendations to remediate holes that were of great concern. We then got called in again several months later because another problem had occurred. In working on the second problem, we discovered that the company had ignored our earlier advice. Dealing with the same elemental issue the second time around caused that firm (and us) a ridiculous amount of aggravation and work, especially in light of the fact that one of the key things we asked them to do would have taken about 90 minutes for one person to fix.

If it is human nature to wait and see if a problem will surface, it is business nature to resist bringing in outsiders to actively look for weaknesses. Now, multiply that opposition by three: one partner to establish or refine advance planning, another to recover data should a server go down or sites get hacked, and yet a third to manage notification and support for a leak of confidential customer or employee data.

We have found that a reputation for discretion and integrity will definitely overcome this objection. When a firm such as ours is composed of expert units adept at highly specialized tasks, the client is reassured to know there is end-to-end service under one roof. Let’s look more closely at how the hand-off points work in this strong chain of action.
Planning

The consulting unit often begins with an analysis of policies and procedures, followed by physical security. HR’s methods of recruitment, background screening, and exit interviewing may be examined. The consulting team can help an organization identify and prepare a first-responder team, ready to assemble and act if an incident threatens to disrupt the operation. Specialized software is used to find database transactions that could be symptomatic of problems (or missed opportunities). At every turn, the focus of this phase is on who has access to what, and whether the right kinds of controls are in place – and in practice. Consulting also mentors internal teams so that improvements made are then maintained.

Should the consulting group’s work uncover a data-related point of concern, Kroll Ontrack can immediately deploy a small team of very senior technical and engineering people to evaluate and test key security features of that client’s systems.
Recovery

The assessment may be completed in as few as three days, but in some cases it may take as long as 10 days. The objective is to identify any immediate crises waiting to happen, and to provide management with recommendations to address the situation.

If it is determined that an incident has already occurred, it’s important to understand what, why and how it happened, and what problems need to be remediated in terms of security. The data recovery team will also assist in determining what data was affected, and what happened to it. When that evidence indicates to the team that confidential personal information of individuals – customers, employees, students, members – was among that compromised, the focus shifts from containment to control.

At Kroll, our data recovery and computer forensics team has worked closely with our Fraud Solutions practice since 1999. It is not at all unusual to find both groups on the ground together at a client’s office, pinpointing what has happened and formulating a response.
Restoration

A comprehensive data-loss solution begins with a response timeline and action plan. Working in collaboration with the breached organization’s general counsel and senior executives, milestones are established for each stage to ensure that established objectives are met. At the same time, a task group begins planning how to carry out notification rapidly and effectively, should it be required.

A primary challenge to notification is the need to navigate requirements that vary on a state-by-state basis. Notification in some states is dictated by the number of records compromised. Others have specific language parameters, still others require multiple notices to designated agencies, and a range of time frames must be met. Now add the logistics associated with validating contact information to produce and distribute what may amount to hundreds of thousands of letters.

Crisis communications and media management resources are readily integrated at this stage to ensure that a spokesperson for the organization is identified, and that appropriate messages are delivered when indicated. Beyond advising the compromised audience of the incident itself, it is critical that affected individuals be told simultaneously that help is available.
Kroll’s Global Fraud Report released in the third quarter of 2007 indicated that theft, loss of, or attack on information are the biggest concerns to companies when asked how they assess future risk. One of our industry’s most respected analysts estimates that the cost of a sensitive data breach will increase 20% per year through 2009.

Lessons learned in the field lead to these recommendations for clients:

1. Incorporate data recovery and breach response into your established business-continuity and disaster-recovery plan.
2. If your firm is among those without a plan in place, put one together now. When faced with an accidental or intentional data-security incident, there is no time to lose trying to figure out what to do.
3. Find and engage an impartial group of security specialists to inspect and verify the effectiveness of safeguards in your plan, policies and systems.
4. Test the plan, at least on a semi-annual basis. Again, consult your risk and security partner for expertise regarding process improvements, and to make sure your data is defended from emergent threats.
5. Focus resources on staying ahead of the breach through prudent data collection and minimization, appropriate access, and responsible destruction.
To suggest that an individual contact one of the three credit reporting agencies disregards the majority of the risk they may be facing. The Federal Trade Commission reports that less than 24% of identity theft is revealed by credit-related data.

Credit monitoring has made its way into everyday conversation when data breach and identity theft are the topics. But no fraud alert or credit freeze – not even credit monitoring – will stop check fraud or tax fraud, or prevent a thief from selling stolen identities.

Companies that are intent upon retaining loyalty, reputation, and share value differentiate themselves by offering Identity Theft Restoration. True restoration gives exposed individuals access to experts who understand what happened, know what needs to be done if identity theft and fraud have occurred, and can take most of the burden off the victim’s shoulders to restore an identity to pre-theft status.
Alan E. Brill, CISSP, CFE, is senior managing director of Kroll Ontrack. He can
be reached at
.
Brian Lapidus is chief operating officer of Kroll Fraud Solutions. His email is
.