The estimated number of people affected by the Equifax data breach is 145.5 million. If the world ever needed proof of the existential threat posed by the frightening combination of sophisticated hackers and inadequate security measures, this is it on a staggering scale.
Yes, the digital economy has brought dramatic advances in the capacity to collect, store, analyze, and process enormous amounts of information and data, extracting key insights and critical value for clients and customers. And yes, all of this progress has benefited both business and society. But it comes at a price, and that is eternal vigilance.
The root problem is that digital technology has created a vast storehouse of valuable and vulnerable data, much of it personalized information from individual consumers. And this places a huge and costly burden on every company that collects, stores, and uses that data: the burden of protecting it.
Security is not just an IT problem. Interacting with customers requires access to their personal information on a granular level. Today’s digital interactions are also omnichannel: they may still involve a traditional phone call, but increasingly they also include chat, email, SMS, social media, or perhaps all of the above. Each channel is an access point and a potential vulnerability. A comprehensive solution to data security requires a holistic, multilevel approach to defeat or neutralize the threat.
That means much more than just having the right security software. Businesses, governments and other organizations that have valuable or sensitive data to protect must develop and nurture an internal culture dedicated to protecting sensitive customer data. It requires a mindset that makes data security a primary objective for every employee, no matter their official duties and responsibilities.
We have worked for years to establish and maintain such a culture. Adhering to a handful of key steps will help any business do the same and go a long way toward ensuring the security and integrity of the enormous store of sensitive customer data under its care.
These steps are basic but crucial:
First, initiate a rotating system of regular third-party security audits of all operational sites, reviewing contractual and government-mandated compliance along with other areas of the business, including procedures and protocols at IT data centers. We use a 24-month rotating schedule across our operational sites to make sure we have an independent, external view of our operations, systems, and processes. These third-party reports are presented to the board.
Second, establish uniform company-wide policies for data security, including such seemingly routine rules as requiring all employees to keep clean desks and isolating personal devices that can store and transmit data. Basic guidelines should cover everything from log-in access and badge credentialing to infrastructure hardening and facility design. These policies set the benchmark of what is or is not acceptable within the company and should be overseen by a representative governing body established to manage, coordinate, review, and resolve issues that arise.
Third, build and maintain robust security software that allows managers to identify issues early and mitigate their impact. Any security system must also include fraud prevention and detection tools that monitor operations literally at the keystroke level. Lessons learned can then be quickly communicated and translated into targeted training for affected work groups based on risk or compliance concerns.
Fourth, train everyone. Mandate security and compliance training at all levels, from the most junior employee to the executive suite. Maintain a hotline to encourage open communication and reporting of fraud and potential data security concerns. Our holistic approach integrates compliance, security, and data privacy into one function, managed by one senior executive. This allows us to move fast to mitigate potential issues across any of these disciplines.
The fifth and final safeguard should be to control, document, and learn from experience. We use the data we have collected from our audits and incidents, as well as feedback from our operations teams, to continually improve our processes and develop better tools. We also look to outside organizations to understand what is happening in the global marketplace with regard to security, and we share our own experiences and lessons learned with our clients and the data security community at large.
Maintaining this level of vigilance requires significant investments in hardware, software, training, and personnel. But in a hostile environment with increasingly capable and well-organized hackers, what alternative do those charged with protecting enormous stores of sensitive digital information have? There really is none.
The author of this article, Daniel Julien, is founder, chairman, and group CEO of Teleperformance.