BUSINESS COMMUNICATIONS SERVICES NEWS
SECURITY CONSIDERATIONS FOR FINANCIAL MARKETERS
IT SECURITY AUDITS OFFER WELCOMED SCRUTINY
2011 – DIRECT MARKETING MAGAZINE
While there are one or two areas of personal privacy that might be perceived as more sensitive than financial information, it is surely at the top or very near the top of the list for most consumers and businesses. Theft of any sort is a harrowing experience, but the theft of personal financial data can be devastating, both in real terms for the consumer and the corporation and in intangible terms for the corporation's public reputation.
There was a time, 15 to 20 years ago, when an IT security audit of a mail service provider by a client was a rare occurrence. Often it was enough for a provider to explain the physical security of its building and how data would be delivered and stored up until mailing, and a relationship could begin. Over time the rules of engagement became more restrictive, and security officers and risk assessment teams came into play. These specialists focused not only on the physical security of a supplier or partner performing data processing, imaging and mailing, but on the IT policies, hardware and software that partner used when handling customers' data.
It's not surprising that this shift occurred at a time when bandwidth and file transfers were changing dramatically. The days of magnetic tapes were coming to an end, CDs and DVDs were still common, and the speed and ease of transferring data over the internet was a welcome change for agencies, production groups and clients alike because it saved money and precious time. It also broadened the ways into an organization. It wasn't just doors and windows we had to worry about, but ports and IP addresses.
Back during those earlier times, there was a level of uncertainty that came with an IT security audit, since it was breaking new ground. For the most part the auditors had to ask difficult, probing questions that were sometimes seen as an affront to the IT department (and still are at times, although they are necessary). Those audits could be difficult and occasionally had political undercurrents. But some companies, like Cover-All, paid attention to the auditors' comments, treated IT security as a focus rather than a necessary evil, and invested time and effort in building infrastructure. They used these audits to develop IT security that could withstand scrutiny by any risk assessment department or third-party firm.
Nowadays there are even more points of access, including Wi-Fi, Bluetooth, BlackBerry Enterprise Servers, and so on. The risk assessment questionnaires we normally have to complete run to 150 questions or more and can take hours of staff time to document and complete. Some audits entail penetration testing, in which specific channels such as secure FTP sites or web portals are probed for weaknesses by a security expert. The time and money an organization invests in its IT security determines how well it responds to an audit, and even how comfortable it is with the prospect of being audited.
The number of staff dedicated to IT security has expanded as well. We now often see multiple levels of IT security on the client side, and as a supplier we try to mirror our clients by having dedicated IT staff and clear accountability. Obviously the greatest effort will be invested at the source, where the majority of the data resides. The source could be within the client company (e.g. ABC Bank) or with a large multinational IT partner. However, the volume of data being transferred to third parties these days means that, even though the exposure narrows further down the line (only specific pieces of data are passed along to suppliers) and the required controls can be scaled accordingly, every link in the chain still needs a demanding set of security standards and qualifications.
Though it is the financial institution itself that will end up in the media if there is a security breach, its partners and service providers bear the responsibility of maintaining the security of the data in their hands and in the hands of their subcontractors, along the entire chain. Many organizations can find themselves in this supply chain, such as agencies, printers and service bureaus, and they must take the time and invest the effort to scrutinize not only their own systems but also those of their suppliers.
From a tactical standpoint the financial services industry has always been fast paced. Things need to happen quickly, and over the years I've heard clients lament our policies on data and security. Gone are the days of emailing data across the internet (there are too many points along the way where it can be intercepted), and data shared in PDF format is always encrypted. These practices take time and some added effort, but they are crucial to security. The biggest challenge is setting up the procedures and then making them the standard among third-party vendors.
So what are companies doing to make their data as secure as possible when they release it for communication purposes? Everyone down the line has become more accountable, and all intermediaries should be aware of, and invest in, an appropriate level of security and scrutiny when it comes to data. It is no longer acceptable for any party to be complacent about this aspect of the business. As an organization we see more and more formal questions and auditing being performed by clients, and we have started to see some of the intermediaries become more sensitive to this aspect of their business as well.
Requirements differ from client to client, but the basics are similar across the board, and we treat each additional requirement as a best practice for the industry. Whether you've been tasked with auditing or assessing your own company's risks, or you are an organization in the middle trying to be proactive about your security or the security of your subcontractors, it's important to consider the basics.
Other categories to watch for are access to the building (which is standard) but also how data is accessed and who has access to it. Specific areas such as server rooms might be treated differently, with very restrictive controls in place. Enterprise-level software for virus and intrusion prevention is a key factor in how an organization will fare.

Something as simple as a password policy is another aspect of security. It sounds basic, but items such as password strength, how often passwords must be reset, rules against password sharing, how many failed attempts are allowed before an account or device is locked (to defeat password guessing), and periodic review of all of these are important. The volume of email one receives these days can be overwhelming, and email carrying malicious links or executable attachments is a serious security issue. It needs to be addressed not at the user level but at the corporate level, with filters in place before a message reaches the inbox.

Security procedures for mail operations should extend all the way down to basic actions, such as what happens to a spoiled personalized letter; our standard procedure is to shred all documents bearing personalized information. Cover-All has implemented production control software to track mail production from data arrival to the delivery truck bound for Canada Post. Another item geared more towards privacy is a policy for samples, which should use dummy "John Q. Sample" data rather than real records. These are seemingly small and simple steps, but if a supplier isn't willing to take them to secure your data, is it taking the bigger, more costly and labour-intensive measures seriously?
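The password-policy items above (strength, reset interval, and lockout after a number of failed attempts) are the kind of controls an auditor will ask a supplier to demonstrate. The following is an added illustration written for this article, not Cover-All's or any client's actual implementation; the thresholds (12 characters, 90-day rotation, 5 attempts, 15-minute lockout) and the short weak-password deny-list are assumed values chosen for the example, and a real policy would take them from the client's audit requirements.

```python
import re
import time
from dataclasses import dataclass

# Assumed policy values for illustration only; a real deployment takes these
# from the client's audit requirements, not from constants in code.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# Constructed, deliberately tiny deny-list of commonly guessed passwords.
WEAK_PASSWORDS = {"password", "password1", "123456789012", "welcome1", "qwerty123456"}


def check_strength(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Require at least three of: lowercase, uppercase, digit, other.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password deny-list")
    return problems


@dataclass
class Account:
    username: str
    password_set_at: float      # epoch seconds when the current password was set
    failed_attempts: int = 0    # consecutive failures since the last success or lockout
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def needs_rotation(self, now: float) -> bool:
        """True when the password is older than the policy allows."""
        return (now - self.password_set_at) > MAX_AGE_DAYS * 86400

    def record_failure(self, now: float) -> bool:
        """Count a failed login; lock the account when the threshold is reached.
        Returns True if this failure triggered a lockout."""
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return True
        return False

    def record_success(self) -> None:
        self.failed_attempts = 0


def attempt_login(account: Account, credentials_ok: bool, now: float) -> str:
    """Apply the lockout and rotation policy to one login attempt.

    `credentials_ok` stands in for the real credential check (this example does
    not store or verify password hashes). Returns one of:
    "locked", "failed", "locked_now", "ok", "ok_rotate".
    """
    if account.is_locked(now):
        # Do not even evaluate credentials while locked; this is what blunts guessing.
        return "locked"
    if not credentials_ok:
        return "locked_now" if account.record_failure(now) else "failed"
    account.record_success()
    return "ok_rotate" if account.needs_rotation(now) else "ok"


if __name__ == "__main__":
    acct = Account("jsmith", password_set_at=time.time() - 10 * 86400)
    now = time.time()
    for i in range(6):
        print(i + 1, attempt_login(acct, False, now + i))
    print("weak:", check_strength("password1234"))
    print("strong:", check_strength("Tr0ub4dor&3xyz"))
```

Note what the code cannot do: a rule against password sharing is a policy and training matter, and the lockout only helps if the threshold is enforced at every entry point (web portal, SFTP, remote access), not just the one an auditor happens to test.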
Organizations take different approaches to the security of their staff, including having each employee sign a confidentiality agreement and undergo a background check performed by a third-party organization (with the employee's consent). It is part of the process companies use to ensure all employees understand the reasons for and requirements of IT security, and that staff are adequately trained for their role in handling clients' data.
The size of the organizations showing an interest in the security of their data is getting smaller. Where it used to be only the large organizations that focused on IT security, with the proliferation of PCs and data gathering, mid-sized and even some small companies now hold enough data that they too are getting serious about protecting their assets and are taking more formal steps to achieve data security. As a supplier to the mailing community, we have made it our goal to meet or exceed those requirements, in an effort to be seen as a valued partner that understands and appreciates that a client's data is an asset with real value.
Assessing your security requirements and developing a plan for auditing your suppliers is not something to undertake without serious thought and consideration, and it should be developed by a professional with real-world experience and technical knowledge. As a respondent to security audits, we have invested considerable time, effort and expense in understanding and adapting our processes to address the concerns of our most demanding clients. We see an audit as an opportunity to stand out from our competitors, and we believe that being audited gives us a competitive advantage over many of our peers in the industry.
Ask yourself: is my data secure? In this age of close media scrutiny, no one in the supply chain can take IT security for granted. It's no longer enough to have a desktop antivirus program and an alarm system on your door. Have you done your due diligence to ensure your data (or your clients' data) is as safe as it can be? We all have a responsibility to the industry and to the public to invest an appropriate amount of time and effort in safeguarding the data we use, and it is incumbent upon all of us to ask those tough questions, because in the end it should be a welcomed scrutiny.