Data Forecast

by msecadm4921

Kroll’s Fraud Solutions division released its data security forecast for 2011. The US consultancy pointed to the key areas where businesses will see the most noteworthy changes with regard to new data security regulations, breach vulnerabilities and protective measures.

"There is no question that the events of 2010 will impact how organisations approach data security in 2011," said Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division. "Expected changes run the gamut from how organizations prepare for and respond to a breach to the types of breaches they will confront. Organizations can stay ahead of the curve by making sure that they are up to speed on the changing risks – from the top of the organization down."

Forecast:

1. More small-scale breaches will make headlines. Now that healthcare entities are required to report breaches affecting 500 or more individuals, expect to see an increase in the number of smaller-scale breaches reported. Further, as all companies increase data security measures, system audits will bring to light breaches that may have been overlooked in the past. This is not to say that the era of the massive, Heartland or TJX-style breach is over, but they may be matched by small-breach frequency.
2. “Low-tech” theft, where data is stolen through non-electronic means, will increase. Data thieves look for the path of least resistance, focusing on areas of least attention to the organization. Because most organizations are focused on improving technology and moving from paper to electronic records, expect to see more low-tech data theft on the horizon – such as the bank teller convicted of identity theft for writing down customer information on sticky notes and using it to open credit accounts.
3. The continuing crisis of lost devices will dominate the data theft landscape. Organisations rely on portable devices – smartphones, netbooks and laptops – for anytime, anywhere connectivity. Yet, stolen or missing devices continue to be a major source of data breaches. In fact, the US Department of Health and Human Services breach list indicates that 24 per cent of reported breaches were due to laptop theft – more than any other specific cause. Expect to see an increased number of instances and warnings of mobile vulnerabilities and scams – similar to the recent increase in smishing (SMS or text phishing).
4. Data minimisation will increasingly be seen as an essential component of data security plans. Companies that have spent years amassing as much consumer information as possible are starting to view this model as more of a boondoggle than a bounty. If the information is of no use, it represents a liability. In 2011, organisations will increasingly turn to data minimisation – limiting the data collected and stored, and purging old data on a regular schedule – as a means of reducing their risks.
5. Increased collaboration and openness will increase organisational vulnerability to data breach. Interoperability is a requirement for healthcare entities switching to electronic health records, but other sectors (e.g., education and government) are also increasing initiatives to share and use data on a massive scale. By nature, data in transit is data at risk. In other words, the exchange of data opens organisations up to new vulnerabilities – from lacklustre data security measures at a partner institution to increased propagation of data.
6. Organisations will increase implementation of social networking policies. For many consumers, social applications have come to define their lifestyles, and they are increasingly bringing their private lives into the workplace. In fact, mobile devices have created a world of “24/7” employees, erasing the already fine line between work and home. Employers will need to focus on developing an organisation-wide strategy for social networking policies as they relate to data security to ensure that employees do not open the company up to undue risks.
7. Data encryption will be seen as a “golden ticket” to compliance. Encryption is often incorrectly positioned as a complete solution to data security. After all, it is one of the best defences against malicious attempts to hack electronic data. And, given the new data protection laws in Massachusetts and Nevada, encryption is fast becoming an essential part of organisations’ compliance checklists. But, to truly ensure all of the bases are covered, companies will have to remember two caveats: compliance doesn’t equal data security and encryption doesn’t equal a total solution – it is only one tool in the data security arsenal.
8. Third parties will face more stringent breach notification requirements. HITECH is placing Business Associates under increasing scrutiny, as businesses rely more and more on third-party data collection. Expect to see more organisations, even those outside the healthcare industry, placing stringent contractual obligations on their third parties to protect company data.
9. Privacy awareness training will gain prominence as an essential component of breach preparedness. Technology fixes like encryption are effective, but expensive, and electronic monitoring alone won’t catch all instances of PII misuse. With comprehensive privacy awareness training, employees can act as privacy advocates who know how to recognise security hotspots, understand legal obligations, and use vigilance whenever they deal with PII. This is the kind of security equity that no technology can buy.

© 2024 Professional Security Magazine. All rights reserved.