2011-Security Considerations For Financial Marketers

John Leonard

While there are one or two areas of personal privacy that might be perceived as more sensitive than financial information, it is surely at the top or very near the top of the list for most consumers and businesses. Theft of any sort is a harrowing experience, but the theft of personal financial data can be devastating both in real terms for consumer and corporation and in intangible terms for a corporation with respect to public relations/perception.

There was a time, 15 to 20 years ago, when an IT security audit of a mail service provider by a client was a rare occurrence. Often it was enough for a provider to explain the physical security of their building and how data would be delivered and stored up until mailing, and the relationship could start. Over time the rules of engagement became more restrictive, and security officers and risk assessment teams started to come into play. These specialists focused not only on the physical security of a supplier or partner performing data processing, imaging and mailing, but also on the IT policies, hardware and software that partner used in the course of handling customers' data.

It's not surprising that this shift occurred at a time when bandwidth and file transfers were changing dramatically. The days of magnetic tapes were coming to an end, CDs and DVDs were still common, and the speed and ease of transferring data over the internet was a welcome change for agencies, production groups and clients alike because it saved money and precious time. It also broadened the ways into an organization: it wasn't just doors and windows we had to worry about, but ports and IP addresses.

Back during those earlier times, there was a level of uncertainty that came with an IT security audit, since it was breaking new ground. For the most part the auditors had to ask difficult, probing questions that were sometimes seen as an affront to the IT department (and are still at times perceived that way, although they are necessary). Those audits could be difficult and occasionally had political undercurrents. But some companies, like Cover-All, paid attention to the comments, made IT security a focus rather than a necessary evil, invested their time and effort in building infrastructure, and used these audits to develop IT security that could withstand scrutiny by any risk assessment department or third-party firm.

Nowadays there can be even more points of access, including Wi-Fi, Bluetooth, BlackBerry Enterprise Servers, and so on. The risk assessment questionnaires we normally have to complete run to 150 questions or more and can take hours of staff time to document and complete. Some audits entail penetration testing, whereby certain channels such as secure FTP sites or web portals are tested for weaknesses by a security expert. The time and money an organization invests in its IT security determines how well it reacts to an audit, or even how comfortable it is with the prospect of being audited.

The number of staff dedicated to IT security has expanded as well. We now often see multiple levels of IT security on the client side, and as a supplier we try to mirror clients in this way by having dedicated IT staff and accountability. Obviously the greatest effort will be invested (and the majority of the data resides) at the source. The source could be within the client company, e.g. ABC Bank, or with a large multinational IT partner. However, the amount of data being transferred to third parties these days means that, while the risk decreases further down the line (because only specific pieces of data are passed along to suppliers) and the required security can be less, there remains a need for a demanding set of security standards and qualifications.

Though it is the financial institution itself that will end up in the media if there is a security breach, its partners and service providers bear the responsibility of maintaining the security of the data in their hands and in the hands of their subcontractors along the entire chain. Many organizations can find themselves in this supply chain, such as agencies, printers and service bureaus, and they must take the time and invest the effort to scrutinize not only their own systems but also those of their suppliers.

From a tactical standpoint the financial services industry has always been fast paced. Things need to happen quickly, and over the years I've heard clients lament our policies as they pertain to data and security. Gone are the days of emailing data across the internet (there are too many points where data can be intercepted), and data shared in PDF format is always encrypted. These practices take time and some added effort, but they are crucial to security. The biggest challenge is setting up the procedures and then making them the standard between third-party vendors in these situations.

So what are companies doing in an effort to make their data as secure as possible when they release data for communication purposes? Everyone down the line has become more accountable and all intermediaries should be aware of and invest in a level of security and scrutiny when it comes to data. It is no longer acceptable for any parties to be complacent about this aspect of the business. As an organization we see more and more formal questions and auditing being performed by clients and we have started to see some of the intermediaries also become more sensitive to this aspect of their business.

Requirements can differ from client to client but the basics are similar across the board and we have viewed each additional piece as best practices in the industry. Whether you’ve been tasked with auditing or assessing your company’s risks, or are an organization in the middle trying to be proactive and assessing your security or the security of your subcontractors, it’s important to consider the basics.

First, does the company to which data is being released have a written data or IT security policy and privacy policy? An organization that takes this part of its business seriously will have detailed policies. It may regard the IT security policy as intellectual property, so it may allow you to review it but not keep a copy. The policy document will be an indicator of the level of importance and organization the company has applied to IT security. Adherence to, and staff acknowledgement of, PIPEDA (the Personal Information Protection and Electronic Documents Act (2001)) are also indicators of how seriously a company takes the security of its data. After reviewing a comprehensive policy you'll begin to understand the amount of effort that needs to be invested, and you're more apt to spot organizations that, due to time and money constraints or simple complacency, are not taking data security seriously.

Other categories that are important to watch for are access to the building (which is standard) but also how data is accessed and by whom. Specific areas such as server rooms might be treated differently, with very restrictive controls in place. Enterprise-level software for virus and intrusion prevention is a key factor in how an organization will fare. Something as simple as password policy is another aspect of security. It sounds simple, but items such as password strength, how often passwords must be reset, policies on password sharing, how many failed attempts are allowed before a device is disabled (to prevent theft), and periodic review are all important. The number of emails one gets these days can be overwhelming, but emails that contain malicious links or executable files are a serious security issue. These need to be addressed not at the user level but at the corporate level, and filters need to be in place.

Security procedures for mail operations should extend all the way down to basic actions, such as what happens to a spoiled letter that is personalized; our standard procedure is to shred all documents bearing personalized information. Cover-All has implemented production control software to track mail production from data arrival to the mail delivery truck to Canada Post. Another item, geared more towards privacy, is a policy for samples, which should use dummy "John Q Sample" data. These are seemingly small and simple steps, but if a supplier isn't willing to take these actions to secure your data, are they taking the bigger, more costly and labour-intensive considerations seriously?

Organizations take different approaches to the security of their staff, including having each employee sign a confidentiality agreement and having background checks performed by third-party organizations (with the employee's consent). This is part of the process companies use to ensure all employees understand the reasons and requirements for IT security, and that staff are adequately trained for their role in handling clients' data.

The size of organizations now showing an interest in the security of their data is getting smaller. Where it used to be only the large organizations that focused on IT security, with the proliferation of PCs and data gathering, mid-sized and even some small companies have enough data that they too are getting serious about protecting their assets and are taking more formal steps to achieve data security. As a supplier to the mailing community, we have made it our goal to meet or exceed those requirements in an effort to be seen as a valued partner that understands and appreciates that a client’s data is an asset with a value.

Assessing your security requirements and developing a plan for auditing your suppliers is not something that should be undertaken without serious thought and consideration and it should be developed by a professional with real-world experience and technical knowledge. As a respondent to security audits we have invested a considerable amount of time, effort and expense in understanding and adapting our processes to address the concerns of our most demanding clients. We see an audit as an opportunity for us to stand out among many of our competitors and we believe being audited gives us a competitive advantage over many of our peers in the industry.

Ask yourself: is my data secure? In this age of close media scrutiny no one in the supply chain can take IT security for granted. It's no longer enough to have a desktop antivirus program and an alarm system on your door. Have you done your due diligence to ensure your data (or your clients' data) is as safe as it can be? We all have a responsibility to the industry and to the public to invest an appropriate amount of time and effort in safeguarding the data we use, and it is incumbent upon all of us to ask those tough questions, because in the end it should be welcome scrutiny.

For further media information please contact John Leonard 416.354.4210

June 5th, 2011 | Categories: Direct Marketing News