<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AT&#38;T Networking Exchange Blog &#187; Bindu Sundaresan</title>
	<atom:link href="http://networkingexchangeblog.att.com/author/bindu-sundaresan/feed/" rel="self" type="application/rss+xml" />
	<link>http://networkingexchangeblog.att.com</link>
	<description>Connect, engage and innovate with our network and technology experts, and explore new ways to power your business.</description>
	<lastBuildDate>Wed, 19 Jun 2013 15:03:20 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Are You In Business To Make Money Or Lose It?</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/are-you-in-business-to-make-money-or-lose-it/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/are-you-in-business-to-make-money-or-lose-it/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2013/04/Are-You-Business-To-Make-Money-Or-Lose-It-4-132-120x120.jpg		</thumbnail>
		<pubDate>Fri, 26 Apr 2013 14:10:19 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=28770</guid>
		<description><![CDATA[5 Tips For Investing In A Security Strategy To Protect Your Assets]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/are-you-business-to-make-money-or-lose-it"><img class="alignright size-thumbnail wp-image-28785" title="Are You Business To Make Money Or Lose It " src="http://networkingexchangeblog.att.com/wp-content/uploads/2013/04/Are-You-Business-To-Make-Money-Or-Lose-It-4-132-120x120.jpg" alt="" width="120" height="120" /></a>Are you in business to make money or lose it? For most people, the answer to this question is a no-brainer! As a security professional, I truly believe that security can impact your bottom line. It is key to protecting your most vulnerable business asset – your data.</p>
<p>If your business has anything worth protecting, whether it’s money, intellectual property, or a trusted<span id="more-28770"></span> reputation, you need to be concerned about the security embedded in your organization.</p>
<p>No company wants to experience a data breach – that much is obvious. As is well known by now, a data breach can have a major impact on a business. Perhaps most notably, an organization that experiences a data breach will likely see its reputation suffer, and will quite possibly receive serious fines from the federal government or other regulatory bodies. Depending on the nature of the data exposed and the consequences of the event, a business may also eventually face lawsuits from affected individuals.</p>
<p>As serious as these consequences are, they do not represent the total effects that an organization may experience in the wake of a data breach. In many cases, an incident can have far-ranging, costly, difficult-to-predict effects, which is all the more reason why firms of all kinds should invest in a security strategy.</p>
<h5><strong>Balancing protection and productivity</strong></h5>
<div id="explore-related-services"></div>
<p>With the number of <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-devices/">mobile devices</a> now in the hands of consumers and employees alike, data security is more important than ever before. How much is your data worth? You need to protect it against accidental loss and theft from both insiders and outsiders. Plus, more and more people are working away from the office. Without data, employees can’t work. How do you balance protection and productivity?</p>
<p>Mobility is having an extraordinary impact on the nature of computing in the twenty-first century. It offers many dazzling opportunities that also bring with them some profound challenges related to security and privacy. What are these challenges and how are they manifesting in enterprises throughout the world?</p>
<h5><strong>Take steps to safeguard your assets</strong></h5>
<p>I recently came across <a href="http://www.zdnet.com/429000-per-year-for-mobile-computing-security-mishaps-is-a-compelling-number-7000012709/">this article</a> reporting that each mobile computing mishap in your company could cost almost half a million dollars. As the author suggests, the number is too large to ignore. Companies that have jumped into a mobile workforce must take these steps to safeguard their assets:</p>
<ol>
<li>Don’t overlook <a href="http://www.business.att.com/enterprise/Family/network-security/mobile-security/">mobile security</a>; it’s too important to your company</li>
<li>Build a successful enterprise strategy for mobile security</li>
<li>Educate employees about their personal responsibilities</li>
<li>Raise end-user awareness about emerging threats and corporate mobile device security policies</li>
<li>Proactively prevent mobile security breaches</li>
</ol>
<p>While there are challenges to meet, mobile computing offers dazzling opportunities that will impact businesses and users in every country and will continue to blur geographic boundaries. Where will it end? The possibilities are endless.</p>
<h5>Does your company have a mobile security strategy in place? Have you considered the consequences of not making it a top priority?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/are-you-in-business-to-make-money-or-lose-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Back To The Basics With Data Security</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/back-to-the-basics-with-data-security/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/back-to-the-basics-with-data-security/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2013/03/Back-To-The-Basics-With-Data-Security-3-131-120x120.jpg		</thumbnail>
		<pubDate>Wed, 27 Mar 2013 14:10:31 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=28034</guid>
		<description><![CDATA[A Good Password Goes A Long Way Toward Preventing Human Error]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/back-to-the-basics-with-data-security"><img class="alignright size-thumbnail wp-image-28038" title="Back To The Basics With Data Security" src="http://networkingexchangeblog.att.com/wp-content/uploads/2013/03/Back-To-The-Basics-With-Data-Security-3-131-120x120.jpg" alt="" width="120" height="120" /></a>These days, we use mobile devices for just about everything, from online purchases while we’re standing in line at the coffee shop to managing our bank accounts and storing confidential data.</p>
<p>The “human factor” is often cited as one of the weakest links in<span id="more-28034"></span> security. With the proliferation of mobile devices and the rise of digital identity, users find it difficult to manage their passwords. As a consequence, many users resort to the simple but insecure practice of not using passwords or passcodes on their mobile devices.</p>
<p>Enforcing complex or frequently changing passwords exacerbates the issue. An optimal solution is always a compromise between usability, security, and cost.</p>
<p>It is imperative that proper risk management be applied, and security controls implemented, to maximize the benefits while minimizing the risks associated with such devices.</p>
<h5><strong>Use it; don’t lose it.</strong></h5>
<div id="explore-related-services"></div>
<p>Losing your smartphone or tablet, or the information on it, can be a hassle. If you lose your <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-devices/">mobile device</a>, you not only have to replace it, but you could also lose the sensitive information you had stored on it, including account numbers and confidential work information. So, why do so many of us leave our mobile devices unprotected and not use <a href="http://www.business.att.com/enterprise/Family/network-security/mobile-security/">mobile security</a>?</p>
<p>Most of us now understand that we need to protect our computers from the myriad of threats that we see each day. But many of us don’t realize that we face the same threats, as well as a host of new ones, with our mobile devices.</p>
<p>Considering how much we rely on our mobile devices, and how much opportunity cybercriminals have to launch attacks against them, you’ll want to make sure you are protected.</p>
<h5><strong>Manage your risk exposure</strong></h5>
<p>As <a href="http://networkingexchangeblog.att.com/topics/mobility/">mobile technology</a> companies continue to innovate over the coming years, organizations using these technologies will need to continuously assess the security implications of adopting these advancements. A consistent and agile multiperspective mobile security risk assessment will enable evaluation of the risk exposure in these systems.</p>
<p>Mobile devices have been, and continue to be, a source of security incidents. These stem from issues such as device loss, malware, and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate, as will the features these devices offer, and the potential for compromised security.</p>
<h5>As a user of a mobile device, start with the basics. Begin by using a strong password! What other human-factor security solutions can you think of?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/back-to-the-basics-with-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Spotlight On Consumer Packaged Goods</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/security-spotlight-on-consumer-packaged-goods/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/security-spotlight-on-consumer-packaged-goods/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2013/03/Security-Spotlight-On-Consumer-Packaged-Goods-3-132-120x120.jpg		</thumbnail>
		<pubDate>Mon, 18 Mar 2013 14:10:46 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=27824</guid>
		<description><![CDATA[Mobile Security Is Essential To Delivering A Great Customer Experience]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/security-spotlight-on-consumer-packaged-goods"><img class="alignright size-thumbnail wp-image-27831" title="Security Spotlight On Consumer Packaged Goods " src="http://networkingexchangeblog.att.com/wp-content/uploads/2013/03/Security-Spotlight-On-Consumer-Packaged-Goods-3-132-120x120.jpg" alt="" width="120" height="120" /></a>When it comes to consumers, the experience is everything. The most successful Consumer Packaged Goods (CPG) companies are already leveraging interactive marketing and social media to drive awareness of their goods as well as their brands – and with good reason. To harness the effects of interactive marketing, social media, and the emerging technologies now available with the plethora of mobile <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-applications/">apps</a> and <a href="http://www.business.att.com/enterprise/Family/cloud/computing/">cloud</a> computing, CPG businesses must create an engaging experience for consumers that is secure and<span id="more-27824"></span> reliable.</p>
<p>Today, mobility is the driving force within consumer packaged goods and retail markets. As consumers with smartphones, we tend to rely on our <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-devices/http://">mobile devices</a> while shopping. We share pictures of products with friends and family, scan barcodes and compare prices, research product features and availability, find store locations, and hunt for deals and coupons. One in five smartphone users buy goods or services through their mobile phones.</p>
<p>Smartphones and tablets are the way customers will discover your brand, browse your products, receive offers, purchase products, and contact customer care.</p>
<p>CPG companies face many information security issues. These include the challenges of creating visibility and a business case for security, ensuring the security of third parties, securing sensitive data, and securing manufacturing systems in plants.</p>
<div id="explore-related-services"></div>
<p>Keeping this in mind, I sat down with Mike Gillespie, Lead Channel Manager of Consumer Packaged Goods at AT&amp;T, to gain some deeper insights into the trends for this vertical market:</p>
<p style="padding-left: 30px;"><strong>1. What is the technology vision for the CPG in 2013?</strong></p>
<p style="padding-left: 30px;">MCG:  The primary focus is the Customer Experience and having the right people/processes/technologies in place to deliver on the customer experience.  The responsibility of the brand is to have the right product, in the right place, at the right time in the customer’s buying channel of choice (Omni-channel).</p>
<p style="padding-left: 30px;"><strong>2. How does security play a role?</strong></p>
<p style="padding-left: 30px;">MCG:  Security is paramount to delivering a great customer experience, from enabling a secure/personal web/mobile experience and ensuring a secure path to purchase to protecting the personal/private information of the customer.</p>
<p style="padding-left: 30px;"><strong>3. Why does privacy matter in CPG?</strong></p>
<p style="padding-left: 30px;">MCG:  Leading CPG firms have moved from a transactional relationship with customers to an interactive one-on-one relationship with customers. Customer loyalty is based on respecting the relationship with the customer, delivering on the customer experience, and securing/protecting the details of the interactions between the customer and the brand.</p>
<p style="padding-left: 30px;"><strong>4. Do you see the need for a holistic strategy around security/privacy based on information protection?</strong></p>
<p style="padding-left: 30px;">MCG:  Security is not an island and does not stand on its own; security should be inherent throughout every interaction between the brand and the customer.  To put it another way, security is “table stakes” for enabling and delivering a great customer experience.</p>
<p style="padding-left: 30px;"><strong>5. Speaking of information, what is the buzz about big data?</strong></p>
<p style="padding-left: 30px;">MCG:  Big data holds the promise of being able to provide much deeper insight into the customer experience and enabling the CPG firm to deliver a “highly personalized brand experience” to their customer(s).  Big data can be overwhelming for CPG firms who are not ready for the tsunami of information generated by all of their customer touchpoints. Brands that are able to gain actionable insight from big data and use that insight to deliver the appropriate customer experience will have an advantage over those that do not.</p>
<p style="padding-left: 30px;">What does big data include? MCG:  Mobile, social, location, <a href="http://www.business.att.com/enterprise/Family/mobility-services/machine-to-machine/">M2M</a>, and related technologies have created a huge amount of unstructured data.  The combination of structured and unstructured data has created a flood of customer data and CPG firms are looking for ways to monitor, capture, analyze, and create actionable programs from this information and insight.</p>
<p style="padding-left: 30px;"><strong>6. What is the intersection between big data and security intelligence?</strong></p>
<p style="padding-left: 30px;">MCG:  I’ll take us back to the beginning of our discussion…it all begins and ends with the customer experience.  There’s a great deal of responsibility placed on the brand to deliver the customer experience, respect the brand relationship with the customer, and ensure to the greatest extent possible that interaction with the customer is personal and secure. Big data and technology can enable the customer experience, but big data is only information and technology is only a tool. At the end of the day, they support solutions designed, architected, and implemented by people.  The brand relationship with the customer is a personal relationship. That’s something that leading CPG firms understand, while laggards are struggling to get there.</p>
<h5>What would you like to hear about specific to the security challenges in this space?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/security-spotlight-on-consumer-packaged-goods/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Final Rule Is HERE</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/the-final-rule-is-here/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/the-final-rule-is-here/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2013/02/The-Final-Rule-Is-HERE-2-13-120x120.jpg		</thumbnail>
		<pubDate>Fri, 08 Feb 2013 15:10:46 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=26690</guid>
		<description><![CDATA[What’s Next For HIPAA And You?]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/the-final-rule-is-here"><img class="alignright size-thumbnail wp-image-26716" title="The Final Rule Is Here" src="http://networkingexchangeblog.att.com/wp-content/uploads/2013/02/The-Final-Rule-Is-HERE-2-13-120x120.jpg" alt="" width="120" height="120" /></a>On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release <a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html">announcing</a> publication of the final omnibus rule with <a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf">Modifications</a> to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act. <span id="more-26690"></span></p>
<p>The final rule updating HIPAA Privacy, Security and Breach Notification requirements creates a presumption of breach when an impermissible use or disclosure of PHI occurs and increases the fines for breaches. It also <a href="http://health.wolterskluwerlb.com/2013/02/who-is-a-business-associate-under-new-hipaa-rules/">applies HIPAA directly to business associates</a> and to some of their subcontractors and mandates changes to the notice of privacy practices given to patients.</p>
<p>What does this mean for your business? The Final Rules reiterate the importance that healthcare providers meet stringent requirements for patient privacy and data security. Today, however, their financial exposure has grown, given the aggressive enforcement posture that OCR has adopted towards organizations that have lax privacy/security postures.</p>
<h5><strong>Highlights from the final ruling:</strong></h5>
<div id="explore-related-services"></div>
<ul>
<li>Many of HIPAA’s privacy and security requirements will now directly apply to business associates.</li>
<li>Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million.</li>
<li>Subcontractors of business associates will automatically become business associates themselves.</li>
<li>The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.</li>
<li>Breach notification is not required if it is demonstrated through a risk assessment that there is a low probability that the protected health information has been compromised, rather than by demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule.</li>
<li>The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.</li>
<li>Patients can request a copy of their electronic medical record in an electronic form.</li>
<li>There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual’s health information without permission is prohibited.</li>
<li>An individual’s ability to authorize the use of his/her health information for research purposes will be streamlined.</li>
<li>The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013).  Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new rules.</li>
</ul>
<h5><strong>Healthcare information flows</strong></h5>
<p>The flow of healthcare information follows the patient, starting at the doctor’s office, to laboratories, imaging centers, pharmacies, and other care facilities. This natural flow of medical records provides many points where information security must be considered and proper processes implemented.</p>
<p>The increasing interconnection, while extremely beneficial for patient healthcare, also raises risks related to patient privacy and confidentiality. There is a heightened consumer awareness regarding privacy of sensitive information, and the potential impact of reported data breaches has caused consumers to expect and demand protection of their personal health information.</p>
<p>As healthcare operations benefit from advancing technologies that promote information sharing, it is necessary to build and use the appropriate information protection framework to preserve the integrity and protect the confidentiality of Protected Health Information (PHI) and Personally Identifiable Information (PII).</p>
<h5><strong>Information protection evaluation checklist</strong></h5>
<p>Here is a list of questions that can help get you started with building the health information protection framework around the key elements.</p>
<p style="padding-left: 30px;"><strong>Strategy and Awareness</strong></p>
<ul>
<li>Have you developed a health information protection strategy that encompasses the key elements of HIPAA and the HITECH Act?</li>
<li>Have you performed a recent assessment to determine your compliance posture with the HIPAA Privacy/Security Rule?</li>
<li>Have you prepared security awareness programs to promote the education of Health Information Privacy and HITECH requirements within your organization?</li>
</ul>
<p style="padding-left: 30px;"><strong>Information Security and Privacy </strong></p>
<ul>
<li>Have you reviewed and updated Notice of Privacy Practices to reflect changes in privacy and security policies?</li>
<li>Have you made updates to your security policies and program to reflect the changes in regulatory standards?</li>
<li>Have you evaluated the restrictions on the sale and marketing imposed by the HITECH Act?</li>
</ul>
<p style="padding-left: 30px;"><strong>Security Technology and Operations</strong></p>
<ul>
<li>Have you developed a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions?</li>
<li>Have you evaluated access management if using EHR (individual’s right to access) according to the HITECH guidance?</li>
</ul>
<p style="padding-left: 30px;"><strong>Risk Management</strong></p>
<ul>
<li>Have you expanded your Business Associate Inventory to include vendors and other related services?</li>
<li>Have you updated Business Associate Agreements to include expanded new requirements?</li>
</ul>
<p>While data security requirements such as HIPAA and HITECH impose mandatory requirements, many health practitioners and organizations recognize that protecting healthcare information and ensuring consumer privacy is also a good business practice that leads to satisfied consumers. The increasing exchanges of health information bring new challenges in privacy and security as the industry becomes more and more interconnected. The security and privacy of patient data is a key element in creating a secure healthcare information infrastructure. The magnitude, complexity, and dynamic nature of developments affecting the exchange of health information demand a broad and flexible information protection strategy. This information protection strategy must encompass risk management and governance policies so that people, processes, and technologies can provide for the growing security and privacy requirements for proper treatment of health information.</p>
<p>There is a revolution in health information and health IT, moving toward EHRs, HIEs, ACOs, analytics, outcomes-based research, mobile, telemedicine, social media and other new and secondary uses. The new HIPAA changes will have immediate consequences, and the handling of health information is increasingly a regulated and complex area with heightened penalties and disclosure requirements for breaches and missteps. It is important for organizations to understand the financial and operational implications and develop a well-thought-out strategy to remain in compliance and support the new health information uses, health IT, and channels.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/the-final-rule-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybercrime Today</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/cybercrime-today/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/cybercrime-today/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2013/01/Cybercrime-Today-1-135.jpg		</thumbnail>
		<pubDate>Thu, 24 Jan 2013 15:10:19 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=26125</guid>
		<description><![CDATA[You Are A Target Of Choice And Not Chance]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/cybercrime-today"><img class="alignright size-full wp-image-26136" title="Cybercrime Today " src="http://networkingexchangeblog.att.com/wp-content/uploads/2013/01/Cybercrime-Today-1-135.jpg" alt="" width="120" height="120" /></a>We are definitely seeing the role of innovation and the impact on human culture today. As 2012 came to a close, at social gatherings we witnessed folks old and young use iPads, tablets, and smartphones along with other luxuries that we have become accustomed to. We have definitely embraced the post-PC era.</p>
<p>As the growth of e-business and use of the Internet to automate data-intensive functions has driven many organizations to<span id="more-26125"></span> open their networks to wider audiences, the ability of hackers to continually evolve with security initiatives has created a difficult cycle for many organizations to keep up with.</p>
<p>A shift in hacker objectives from notoriety to economic gain has occurred. At one time, fame was a primary incentive for hackers to take advantage of system and network vulnerabilities. Today, systems and applications are increasingly exploited for financial gain. <a href="http://www.simplysecurity.com/2012/10/24/cybercrime-target-selection-becoming-a-popularity-contest/">Today’s cyber-attacks are sophisticated and organized</a>. This change in motivation has resulted in a change in methods, which have made system exploits harder than ever to detect and mitigate.</p>
<h5><strong>Who Are the Targets?</strong></h5>
<p>In fashion, one day you are in, and the next day you are out. The same goes for the target of a hack, believe it or not. A popular mobile device or shopping website &#8212; or even, for that matter, a university at the time of college admissions &#8212; is among the targets handpicked by hackers using logic that combines research with well-planned inclusion and exclusion criteria. These attacks are not random, as many people think. They are targeted and precise. And they are made easier by the different facets of innovation rapidly occurring, including social media.</p>
<div id="explore-related-services"></div>
<p><a title="Social Networking Forensics" href="http://evestigate.com/email-forensics-social-network-forensics/">Social networking</a> is making it easier than ever for hackers to mine personal information, allowing them to craft very effective spear phishing emails, which are top of the food chain as far as lethally effective vehicles for malware delivery and ultimate network penetration.</p>
<h5><strong>The Race against the Hack</strong></h5>
<p>With the cyber-threat landscape maintaining its ever-evolving, fluid state, perfect <a href="http://www.business.att.com/enterprise/Family/network-security/web-security/">cyber security</a> is simply impossible. The very nature of cyber security today has become reactive. As threats get developed and exploits get exploited, there is always some victim at the starting point that had to experience it before it’s identified, exposed, documented, and before fixes or patches are built to eradicate the problem.</p>
<p>Hackers are adapting more quickly than software and operating system vendors can defend against with patches and workarounds; often, hacker exploits are so targeted that there are no signatures to stop them. And in addition to broad-scale worm and virus outbreaks, IT organizations need to protect against network threats that are specifically designed to avoid detection and bypass traditional defenses.</p>
<p>Cyberspace, the fifth dimension of warfare, has already become an important arena of world politics. The lines between war and peace have blurred.  And what is developed for one purpose can easily spill into the hands of others.  What’s next and how will it affect what you are trying to protect?</p>
<h5><strong>What’s a CIO to Do?</strong></h5>
<p>The industrialization of hacking has created a global ecology where threats are increasingly sophisticated and constantly evolving. CIOs need to turn the tables to stay ahead of hackers, while still being mindful of resource and budget constraints.</p>
<p>CIOs should employ a contemporary security strategy which first addresses the fundamentals of visibility, control, and flexibility. While there are some tectonic forces driving the evolution of hacking, the ever-evolving <a href="http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/">security threats</a> are not insurmountable. And no organization can afford to underestimate them.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/cybercrime-today/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rethinking Your Security Program To Support The Perfect Storm</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/rethinking-your-security-program-to-support-the-perfect-storm/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/rethinking-your-security-program-to-support-the-perfect-storm/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/11/Rethinking-Your-Security-Program-To-Support-The-Perfect-Storm-11-12-120x120.jpg		</thumbnail>
		<pubDate>Tue, 27 Nov 2012 12:10:17 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=24458</guid>
		<description><![CDATA[An Information-Centric Approach To Cloud, Mobility, And Social Media]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/rethinking-your-security-program-to-support-the-perfect-storm"><img class="alignright size-thumbnail wp-image-24479" title="Rethinking Your Security Program To Support The Perfect Storm " src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/11/Rethinking-Your-Security-Program-To-Support-The-Perfect-Storm-11-12-120x120.jpg" alt="Rethinking Your Security Program To Support The Perfect Storm " width="120" height="120" /></a>The need to stay connected and informed is propelling the growth of new technologies, such as <a href="http://www.business.att.com/enterprise/Portfolio/mobility-services/">mobility</a>, social media, collaboration, <a href="http://www.business.att.com/enterprise/Portfolio/cloud/">cloud services</a>, and communication. We have entered the age of pervasive technology.  This inescapable trend is a perfect storm that provides both tremendous opportunities and significant risks to organizations that embrace the “always on” culture for their customers, trading partners, and employees.<span id="more-24458"></span> Technology services are consumed whenever and wherever needed, and the associated data can be stored anywhere. We are at a point in IT where cloud, mobility, and social media are either being adopted or already in use within organizations across industry verticals. Security remains a key roadblock. This applies to infrastructure, end-point devices and applications as security has to be ensured at each point.</p>
<p>Organizations have to work out how to control access to their cloud and how to maintain its privacy over the long term. Here too, security will have to keep up with the pace of innovation. Standards will change, new operating systems will be released, and new devices will be introduced over time.  For IT to continue supporting such new devices and systems, organizations have to ensure that their cloud architecture is flexible enough to continue supporting new changes, and to put in place a security plan tailored for the confluence of mobility, social media and cloud.</p>
<h5><strong>Security not a one-size-fits-all matter</strong></h5>
<p>Information security cannot be prescribed in a single checklist that suits all organizations. Information security is about adopting the right measures and controls for a given entity at a given point in time. Threats change and vulnerabilities are introduced or removed, demanding that security evolves simply to keep pace.</p>
<p>Businesses have more information to protect at more points against more threats than ever before. In such an environment, businesses can build an effective defense only after they first understand the peculiarities of today&#8217;s threat landscape and then identify their own specific areas of vulnerability. Armed with this information, enterprises can then develop an information security blueprint that is right for them – one that is comprehensive, proactive, enforceable, and manageable.</p>
<p>To mitigate the risks associated with these technologies, organizations should consider moving away from traditional models of security to multi-layered security and compliance strategies that include a combination of trust, policy and technology.</p>
<h5><strong>Taking an information-centric approach</strong></h5>
<p>One way organizations can navigate these vulnerabilities is to assess, transform, manage and optimize an end-to-end security environment using an information-centric approach.</p>
<p><strong>Where should you start? What initial steps can an IT leader take to adopt an information-centric approach?</strong></p>
<ul>
<li>Understanding the increased level of risk exposure resulting from the adoption of cloud, mobility and social media</li>
<li>Ensuring the applications handling sensitive data are secure in a potentially hostile environment</li>
<li>Establishing mechanisms to detect and alert on any potential security breaches, data loss and/or exposure of intellectual property or personally identifiable information</li>
<li>Reviewing and establishing service contracts and SLAs with service providers to address the lack of direct control an enterprise has over certain infrastructure security operations, and also clearly documenting roles and responsibilities</li>
</ul>
<h5>For more information and thoughts on this topic from Gartner analyst Lawrence Orans and AT&amp;T’s <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=todd%20waskelis%20bio&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CC0QFjAA&amp;url=http%3A%2F%2Fwww.business.att.com%2Fcontent%2Fspeeches%2Ftodd-waskelis-bio.pdf&amp;ei=ehOkUKy9JsS0qgGy8YHYBg&amp;usg=AFQjCNGORIw3v2IjvqudZ6zJw4v7fpRwhg">Todd</a> Waskelis, listen to the replay of our webcast: “<a href="http://webinars.att.com/security-from-the-pocket-to-the-cloud/?ecampaign=20121108_security-from-the-pocket-to-the-cloud-webinar_ondemand&amp;elq=1ed0244df63a408f80fb53520edae6b9&amp;elqCampaignId=471">Security from your Pocket to the Cloud</a>.”</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/rethinking-your-security-program-to-support-the-perfect-storm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Company You Keep: Reducing Exposure through Third-Party Risk Management</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/the-company-you-keep-reducing-exposure-through-third-party-risk-management/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/the-company-you-keep-reducing-exposure-through-third-party-risk-management/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/09/iStock_000015544306XSmall-120x120.jpg		</thumbnail>
		<pubDate>Fri, 21 Sep 2012 11:05:42 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=16807</guid>
		<description><![CDATA[4 Questions Your Business Should Be Asking]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/the-company-you-keep-reducing-exposure-through-third-party-risk-management/attachment/business-people-discussing-strategy-in-boardroom/" rel="attachment wp-att-16852"><img class="size-thumbnail wp-image-16852 alignright" title="Business people discussing strategy in boardroom" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/09/iStock_000015544306XSmall-120x95.jpg" alt="The Company You Keep: Reducing Exposure through Third-Party Risk Management" width="120" height="95" /></a>Growing up, my mom used this phrase quite often: “You are known by the company you keep.” Today, in the world of outsourcing, offshoring, integration, and collaboration, this adage is<span id="more-16807"></span> all the more important.</p>
<p>The rise of service relationships presents organizations with different risks emanating from the increasingly large and diverse network of external business partners. These new business realities pose a significant challenge for firms, as the negative impact of third-party compliance or security failures becomes increasingly severe, resulting not only in significant financial losses, but also operational disruptions and long-term reputation damage.</p>
<h5><strong>Reducing exposure and building relationships</strong></h5>
<p>With increased regulatory scrutiny, continuing cost pressures, active investors, and a vigilant public, businesses must have a clear understanding of the risks that are inherent in external business relationships. Organizations are striving towards being risk intelligent, and by recognizing and proactively addressing these third-party issues, business leaders can reduce exposure to risk and achieve stronger relationships with service providers, suppliers, and delivery partners. The ultimate goal: A nimbler, more responsive, and more profitable business model.</p>
<p> Many organizations are increasingly concerned about how they should address the risks inherent in relationships with third parties. Risks beyond the financial include those associated with privacy, information security, social responsibility, and the effect that third-party relationships can have on an organization&#8217;s reputation and brand.</p>
<h5><strong>4 conversation starters for third-party risk management</strong></h5>
<p>As companies grow more dependent on a wide array of third-party relationships, they are acknowledging the need for oversight and monitoring of related risks, as well as verification of their third parties&#8217; self-reporting. Identifying the most critical relationships, establishing a monitoring program, and maintaining open communication are critical aspects of third-party risk management and organizational governance.</p>
<p><strong>Board members can start the conversation today by asking management some targeted questions related to third-party risks:</strong></p>
<p>1. Does our company have a full inventory of its relationships and agreements?</p>
<p>2. Have we performed an assessment of the risks to the business or the brand for each of the relationships we have?</p>
<p>3. Who owns the assessment of risks?</p>
<p>4. What are the key relationship risks and what are the processes we have in place to manage them? Who is responsible for <a href="http://www.business.att.com/enterprise/Family/network-security/security-incident-siem/">risk management</a> and monitoring?</p>
<h5>These questions can serve as a springboard for meaningful conversation. How is your business preparing and maintaining your third-party risk management programs? Do you want to be known by the company you keep?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/the-company-you-keep-reducing-exposure-through-third-party-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Security Investment Dilemma</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/the-security-investment-dilemma/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/the-security-investment-dilemma/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000014847474XSmall-120x120.jpg		</thumbnail>
		<pubDate>Fri, 17 Aug 2012 09:13:00 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=15031</guid>
		<description><![CDATA[Should You Wait for An Epiphany?]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/the-security-investment-dilemma/"><img class="size-thumbnail wp-image-13894 alignright" title="The Security Investment Dilemma" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000014847474XSmall-120x95.jpg" alt="" width="120" height="95" /></a>I recently had the opportunity to attend the ABHS Leadership Program (ABHSLP) Leadership Development Conference. I had the opportunity to spend time with over 100 of our L2 managers<span id="more-15031"></span> representing every segment of sales, marketing, and customer service. The conference generated an impressive amount of energy – from the group and from each of the terrific individuals who were chosen to participate in this year’s program leadership development conference. Although the conference was not about information security, a talk about personal energy management inspired me to write this post. Surprisingly, I discovered a great parallel to the security world.</p>
<p>While I was listening to Jenny Evans of <a href="https://www.hpinstitute.com/">Human Performance Institute</a> talk about why we should wait for the worst to happen before making a needed change, I realized that in the security space, we tend to do the same thing.</p>
<p>Unfortunately, we have seen many organizations focus time and money on security after they have suffered a data loss or had a reputation/brand impact due to security breaches. We often hear the advice to take a proactive approach rather than a reactive approach, but tend to ignore the obvious value of a proactive approach.<br />
At the heart of any successful initiative is a well-defined process. Clear objectives, metrics, process flows, and role definitions ensure consistency and enable continuous improvement.</p>
<p><a href="http://networkingexchangeblog.att.com/enterprise-business/the-security-investment-dilemma/attachment/bindu-security-investment-2/" rel="attachment wp-att-15035"><img class="alignnone size-full wp-image-15035" title="Bindu Security Investment" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/08/Bindu-Security-Investment1.jpg" alt="" width="624" height="179" /></a></p>
<p>Before you embark on a proactive, and preemptive, security strategy, here are a few tips to help with your journey:</p>
<h4><strong>1. Knowledge is power</strong></h4>
<p>Organizations today need to recognize that their security is going to be compromised. A comprehensive approach must take into account that prevention is ideal, but detection is essential. In order to provide proper protection, an organization must have a list of all critical information and business processes that utilize that information, with all of this mapped to systems within the environment.</p>
<p>An organization cannot protect what it does not know. If the offense knows more than the defense, an organization will lose. Once accurate information is gathered, everything in security must map back to risk.</p>
<p>Before an organization spends a dollar of its budget or an hour of its time on security, it should always answer three questions:</p>
<ol>
<li>What risk are we addressing?</li>
<li>Is this the highest priority risk we have?</li>
<li>Is it the most cost-effective way to reduce the risk?</li>
</ol>
<h4><strong>2. Executive Support Critical to Success</strong></h4>
<p>The need for executive management support may be an obvious point, and it may be the most important success factor. If the organization’s leadership team is not ready to dedicate resources to security and risk assessment, discuss risk tradeoff decisions openly, and have business owners sign off on acceptable risk, then a bit of ‘internal marketing’ may be needed. The business case for risk management will need to be communicated so the benefits of a proactive, risk-based security program are understood.</p>
<h4><strong>3. Dedicate Sufficient Resources </strong></h4>
<p>Related to executive support, it is essential that the Chief Security Officer dedicate sufficient resources for the annual risk prioritization and budgeting process. Demands vary by team size and industry; however, a single leader should be identified to own the process and be given sufficient time to facilitate evidence collection, initiate risk discussions with business leaders, and develop deliverables to make informed decisions.</p>
<h4><strong>4. Gain Visibility through Metrics </strong></h4>
<p>Metrics provide visibility and accountability, and demonstrate the value of the security program. The following are some baseline metrics to consider:</p>
<ul>
<li>Percent of business lines involved annually (or semi-annually) in risk assessments, including IT</li>
<li>Number of risk assessments performed</li>
<li>Number of incidents not covered in existing risk assessments or miscalculated</li>
</ul>
<p>The cyber threat continues to evolve and disguise itself with ingenious techniques to circumvent most traditional information security programs. To mitigate the risks of these advanced threats effectively, organizations should expand their current capabilities to include proactive, continuous monitoring, while enhancing existing security practices to leverage cyber intelligence.</p>
<h5>Is your organization waiting for a catastrophe to happen before developing a security program? Or are you taking a proactive approach to avoid a damaging event?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/the-security-investment-dilemma/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hospitality Industry Targeted by Cyber Criminals</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/hospitality-industry-targeted-by-cyber-criminals/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/hospitality-industry-targeted-by-cyber-criminals/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000020019957XSmall-120x120.jpg		</thumbnail>
		<pubDate>Mon, 18 Jun 2012 14:04:08 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=13187</guid>
		<description><![CDATA[5 Tips for Reducing Risk at Exposure Points]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/hospitality-industry-targeted-by-cyber-criminals/"><img class="size-thumbnail wp-image-13188 alignright" title="Hospitality Industry Targeted by Cyber Criminals" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000020019957XSmall-120x95.jpg" alt="" width="120" height="95" /></a>Going on a vacation? How safe do you think your information is at the resort you just booked? I was reading a recent data breach report that said hotel and restaurant Point of Sale (POS) systems are<span id="more-13187"></span> the number one target of criminal data breaches. The risk facing the hospitality industry with respect to personal information is not only due to the volume of information. It’s also due to the attractiveness of that information to cybercriminals.</p>
<p>From POS systems to ATM and Interac machines to guest paperwork, you’re providing plenty of sensitive information to hotels, restaurants and bars.</p>
<p>Let’s start by looking at the information assets that a typical hotel possesses:</p>
<ul>
<li>Financial information stored in accounts systems</li>
<li>Customer information, including bookings, names, addresses and credit card details stored in Front of House (FOH) systems</li>
<li>Stock and transaction information stored in food &amp; beverage systems</li>
<li>Key card data</li>
<li>A multitude of sensitive emails, spreadsheets and other documents</li>
</ul>
<p>Anyone who travels is familiar with rewards cards and points, as well as the front-desk phrase: “Should we charge your bill to the credit card we have on file?” But is that information being protected as well as it should be? Even though information security is not the primary service provided by hotels, it is expected that the information collected from travelers will be properly handled and secured.</p>
<p>Information security exposure points are well known in the hospitality industry. In these trying economic times, risk associated with these exposure points is increasing. That’s why it’s time to end the “it won’t happen to us” syndrome and move information security up the priority list. Below are some steps that can help mitigate risks posed by common points of exposure in the hospitality industry:</p>
<ol>
<li><strong>Focus on Information Security:</strong> As the economy has fundamentally undergone a meltdown, it is important to focus on securing information and assets as an organization while maintaining a secure infrastructure that enables business operations. Introduce a <a href="http://www.csoonline.com/article/486324/security-tools-templates-policies">security policy</a> that all staff are aware of and fully understand.</li>
<li><strong>Adopt a Risk-Based Security Program:</strong> Incorporate a risk-based approach to security, especially during times when you have to make spending decisions on security. It is always better to take a proactive approach to security than a reactive one, and only through a strong risk management program can these decisions be made effectively.</li>
<li><strong>Focus on Security Awareness:</strong> Take steps to propagate your organization&#8217;s security strategy beyond your IT department. No better investment can be made to protect against insider threats and targeted attacks against employees, which rise during times of economic downturns. Ensure that the policies and procedures related to your information security program are being followed and working.</li>
<li><strong>Think About <a href="http://www.csoonline.com/article/204600/intellectual-property-protection-the-basics">Intellectual Property (IP) Protection</a>:</strong> The purpose of IP is to protect investment in the branding, design, technology and creative works that give one supplier an edge over its competitors. Your IP is your business; <a href="http://www.csoonline.com/article/204600/Intellectual_Property_Protection_The_Basics" target="_blank">protect it as such</a>.</li>
<li><strong>Think of Security as a Business Enabler:</strong> Process re-engineering and optimization projects can find efficiencies in information systems processes that can be turned into cost savings. Consider outsourcing non-core competencies to a managed security services provider, and focus internal resources on tactical and strategic activities rather than managing technology.</li>
<li><strong>Conduct Compliance Assessments Regularly:</strong> Perform health checks on your security posture and ensure that you remain compliant with regulations regardless of the economic climate. The ultimate goal of compliance is to be secure – and not just on paper. For every compliance dollar spent, a corresponding measure of risk should be reduced. Otherwise, your compliance dollars are not being effectively spent, and may even be wasted. Risk reduction should drive compliance, not the other way around.</li>
</ol>
<h5>What is your business doing to move security up the priority list?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/hospitality-industry-targeted-by-cyber-criminals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Payments Bring New Opportunities – and New Threats</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/mobile-payments-bring-new-opportunities-and-new-threats/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/mobile-payments-bring-new-opportunities-and-new-threats/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000013376387XSmall-1-120x120.jpg		</thumbnail>
		<pubDate>Thu, 14 Jun 2012 14:57:00 +0000</pubDate>
		<dc:creator>
			Bindu Sundaresan		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=13348</guid>
		<description><![CDATA[An Integrated Security Strategy Can Protect Organizations from Security Risks ]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/mobile-payments-bring-new-opportunities-and-new-threats/"><img class="size-thumbnail wp-image-13349 alignright" title="Mobile Payments Bring New Opportunities – and New Threats" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000013376387XSmall-1-120x95.jpg" alt="" width="120" height="95" /></a>If modern technology is a universal language, today our world is getting schooled in innovation.<span id="more-13348"></span> <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-devices/">Mobile devices</a> have become an integral part of our lives. We game on them, surf on them, bank on them, and now there is the growing opportunity to buy things on them. The new era of mobile payments will likely mean that your phone never leaves your hand. Point of Sale (POS) systems are set up with Near Field Communications (NFC) or the ability for a cashier to scan your phone with a QR card reader. This means that you should never hand your device over to anybody. Yet, research says that people have security fears, and these concerns are valid.</p>
<p>When we talk about mobile payments we usually get the same reaction from people: excitement and anxiety. We as human beings love convenience and gadgets that make everyday life easier. That said, we’re risk averse when it comes to our money.</p>
<p>With more sensitive data being held on smartphones, new security threats have emerged. Mobile users list remote access by hackers, interception of calls or data, device theft or loss, and the installation of malware and viruses among their greatest concerns. Many of the threats that originated online are also moving to the mobile environment, including Distributed Denial of Service (DDoS) attacks, <a href="http://www.business.att.com/enterprise/online_campaign/botnets-infographic/?source=EENT060812900777B">crimeware botnets</a>, and “hacktivist” groups such as Anonymous.</p>
<p>To reduce these inherent risks, organizations must look to adopt a mobility security strategy that addresses the mobile threat landscape.</p>
<p>Given the fact that in the near future mobile payments will enjoy rapid uptake, mobile network operators and financial institutions are challenged to provide a service that transmits payments quickly and reliably. Merchants are also looking to adopt mobile payments on a larger scale. While doing so, they are looking for industry expertise and guidance.</p>
<p>The <a href="https://www.pcisecuritystandards.org/">PCI Security Standards Council</a> issued a new document this month that explains its views on mobile payment security, and provides guidelines for <a href="https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf">how merchants can securely accept payments using mobile devices such as smartphones or tablets</a>. Mobile payment security isn’t a one-size-fits-all challenge; however, it is important to craft the mobility security strategy while delving deep into the world of mobile payments.</p>
<p>I was reading Abhi’s post on foiling the modern day Bonnie and Clyde and as he points out, the threats aren’t limited to computers. Our always-on mobile devices are ripening into a juicy opportunity for cybercriminals as we perform more transactions on the go.</p>
<p>Information security is not a “check the box” compliance exercise. No single solution can inoculate a network from attack, and protecting information is not solely IT’s responsibility. Instead, the new integrated security approach is predictive and organization-wide. It proactively protects while anticipating the worst. It embraces rather than bans. It focuses on trust, not paranoia.</p>
<p>By rethinking your information security strategy and using an integrated security approach, your organization can manage the right risks and drive value in the era of mobility.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/mobile-payments-bring-new-opportunities-and-new-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
