Infotech Lead India: Vishak Raman, senior regional director, Fortinet India & SAARC, says enterprises can prevent reputation loss and hefty fines by educating their employees, implementing role-based data loss prevention and accurately identifying the locations of their data.
Personally identifiable information — the words are tossed around constantly in the news, by security folk and, with increasing frequency, by any organization forced to disclose a data breach.
When used in the latter context, it’s almost always because personally identifiable information (PII) — data that could be used for identity theft purposes (any unique piece of data that can be linked to a specific person, such as name, address, date of birth or telephone and social security numbers) — had somehow been exposed or gotten into the hands of cybercriminals.
In the last few years, broader adoption of compliance regulations across Asia Pacific has lent new importance to PII protection, lighting a fire under the feet of organizations to bolster their security mechanisms. The rising tide of identity theft incidents ultimately prompted legislators and industry officials to implement national and industry-specific compliance regulations as well as data protection and encryption laws. Failing to comply with these laws could result in costly fines and other business-related penalties for organizations.
It doesn’t help that identity theft has only continued its upward trajectory as cloud collaboration platforms, social networking, mobility and other IT trends have paved the way for cybercriminals to pilfer users’ most personal information from the Web. Along with the growing number of data breaches each year, enforcement mechanisms are only becoming more punitive for all sectors, as more organizations routinely handle and store a customer’s most sensitive personal information. For instance, there has been an increase globally in publicly traded companies requiring SOX certification, banking and financial companies driving tighter GLB regulations and more businesses using credit cards as the primary form of payment.
Protecting PII within these types of organizations will become not only critical to the livelihood of their business, but will help keep executives from incurring hefty fines—or worse, jail time.
While financial penalties for non-compliance can run to hundreds of thousands of dollars, these fines can easily be exceeded by the costs of “clean-up” and remediation, should customer PII be either accidentally or maliciously exposed in an actual data breach. Such “clean-up” includes physical notification letters to every individual in the affected database, resources to handle customer queries and possibly the manufacturing costs of new credit cards, not to mention reputation loss. These accumulated costs could be enough to put a company out of business.
Due to the astronomical expenses, the threat of loss or exposure to PII is enough to strike fear in the hearts of IT administrators and keep the highest ranking C-level executives up at night.
Keep in mind, of course, that data is never 100 percent secure, especially when stored on Web-facing servers and routinely processed by live applications. However, there are some best practices organizations can apply to shift the odds a little more in their favor.
Management and employee education is a key factor in mitigating an organization’s risk, and that is where appropriate security tools come into play. In particular, role-based data loss prevention products not only detect, record and alert IT administrators to policy violations, but also give security personnel the ability to react to them. Those responses could range from archiving the data transmission, to alerting management, to quarantining a user or transmission vector from further activity until the threat has been sufficiently addressed.
But in this case, knowledge empowers, and one of the most important steps an organization can take will be to comprehensively assess the location of all of its risk areas. Essentially, that means companies will need to determine where all of their PII is stored, who has access to the information and how PII moves, both within and outside the confines of the organization. Once that information is discovered and catalogued, the onus will be on IT administrators to implement appropriate security policies protecting that data.
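The two steps just described, discovering where PII lives and then enforcing a role-based policy on how it moves, can be sketched in code. The following is an added example written for this page; it is not Fortinet's product or the author's code. The detector patterns, the sample data stores, the roles and policy table, the internal domain (example.com) and the transmission events are all constructed for illustration; a production DLP engine would use validated identifiers, fingerprints and context rather than bare regular expressions.

```python
import re
from dataclasses import dataclass, field

# Illustrative PII detectors (constructed; real engines validate checksums,
# use dictionaries and weigh surrounding context).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # US SSN layout
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "dob":   re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),   # ISO date used as date of birth
}
SEVERITY = {"ssn": "high", "dob": "high", "email": "low", "phone": "low"}

def find_pii(text):
    """Return the set of PII types detected in a piece of text."""
    return {kind for kind, pat in PII_PATTERNS.items() if pat.search(text)}

# Step 1: discovery. Constructed sample stores; a real inventory would walk
# databases, file shares, mail archives and cloud buckets.
DATA_STORES = {
    "crm_db":     ["Alice Example, alice@example.com, 555-010-1234"],
    "hr_share":   ["DOB 1980-04-02, SSN 123-45-6789"],
    "public_web": ["Welcome to our site"],
}

def build_inventory(stores):
    """Catalogue which PII types each store holds (store name -> set of types)."""
    return {name: set().union(*(find_pii(r) for r in records))
            for name, records in stores.items()}

# Step 2: role-based policy. (role, vector) -> PII types that role may send
# through that vector. "internal" means the destination is inside the organisation.
POLICY = {
    ("hr", "internal"):      {"email", "phone", "dob", "ssn"},
    ("hr", "external"):      set(),
    ("support", "internal"): {"email", "phone"},
    ("support", "external"): {"email"},
}
INTERNAL_DOMAIN = "example.com"

@dataclass
class Decision:
    action: str                       # "allow", "archive", "alert" or "quarantine"
    pii: set = field(default_factory=set)
    reason: str = ""

class DlpEngine:
    """Detect, record, alert and react, escalating by severity of the violation."""
    def __init__(self, policy, internal_domain):
        self.policy = policy
        self.internal_domain = internal_domain
        self.quarantined = set()   # users blocked from further transmission
        self.archive = []          # every PII-bearing transmission, kept for audit
        self.alerts = []           # violations raised to security staff

    def evaluate(self, event):
        user, role, dest, content = event["user"], event["role"], event["to"], event["content"]
        if user in self.quarantined:
            return Decision("quarantine", reason=f"{user} is quarantined pending review")
        pii = find_pii(content)
        if not pii:
            return Decision("allow")
        vector = "internal" if dest.endswith("@" + self.internal_domain) else "external"
        allowed = self.policy.get((role, vector), set())
        violations = pii - allowed
        self.archive.append((user, dest, sorted(pii)))       # record the transmission
        if not violations:
            return Decision("archive", pii, "permitted for role; archived for audit")
        self.alerts.append((user, dest, sorted(violations)))  # alert administrators
        reason = f"{sorted(violations)} not permitted for {role} -> {vector}"
        if any(SEVERITY[k] == "high" for k in violations):
            self.quarantined.add(user)                         # quarantine the user
            return Decision("quarantine", pii, reason)
        return Decision("alert", pii, reason)

# Constructed outbound transmissions in the order they occur.
EVENTS = [
    {"user": "sam",  "role": "support", "to": "bob@example.com",    "content": "Case 4411 closed, thanks."},
    {"user": "sam",  "role": "support", "to": "client@other.org",   "content": "Reach me at sam@example.com"},
    {"user": "sam",  "role": "support", "to": "client@other.org",   "content": "Or call 555-010-1234"},
    {"user": "hana", "role": "hr",      "to": "broker@other.org",   "content": "Employee SSN 123-45-6789, DOB 1980-04-02"},
    {"user": "hana", "role": "hr",      "to": "payroll@example.com", "content": "Payroll run attached"},
]

def run(events):
    """Evaluate events in order; returns the list of actions and the engine state."""
    engine = DlpEngine(POLICY, INTERNAL_DOMAIN)
    return [engine.evaluate(e).action for e in events], engine

if __name__ == "__main__":
    for store, kinds in build_inventory(DATA_STORES).items():
        print(f"{store:10s} holds {sorted(kinds) or 'no PII'}")
    actions, engine = run(EVENTS)
    for e, a in zip(EVENTS, actions):
        print(f"{e['user']:5s} -> {e['to']:20s} {a}")
```

The escalation order mirrors the responses named above: a permitted transfer is archived for audit, a low-severity violation raises an alert, and a high-severity one quarantines the user so that the later, otherwise harmless internal message is also held until a person reviews it. The inventory from step 1 tells administrators where the high-severity types live (here the HR share), which is where the tightest policy and monitoring belong.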
Vishak Raman, senior regional director, Fortinet India & SAARC