The journal of high-performance business
How secure is your confidential data?
By Alastair MacWillson
A company’s approach to data protection and privacy should be more than legally compliant. It must be a core part of both the organization’s business value proposition and its culture, as well as global in scope. Here’s how it’s done.
Data protection has quietly passed a tipping point. Although some leading organizations—especially in Europe and North America—have made significant strides in securing sensitive data, many other enterprises are slowly awakening to the reality that they are lagging in their data protection efforts. Confidential data—including customer information, business plans and financials—has become one of every organization’s most important assets. Yet technology advancements, new business models and increasingly sophisticated and globally interconnected business processes have outpaced not only regulations designed to ensure the privacy and protection of personal and other data but also many organizations’ own ability to effectively secure sensitive business information.

The resulting shortcomings, in critical areas ranging from employee training to technology infrastructure, have made organizations in both the private and public sectors extremely vulnerable to security breaches and the misuse of sensitive data, even as awareness of data privacy and protection issues has increased among business leaders, regulators and consumers. And there’s more at stake for these organizations than regulatory fines; as several high-profile data breaches over the past few years have shown, reputations and businesses can be ruined by inadvertent disclosures of customer or other confidential data.

As the volume of data businesses collect, store and analyze increases exponentially, many executive teams find themselves in a precarious position: They can no longer assure customers that their personal information is safe from misuse. “No matter how good a company is [at protecting data], there’s always a possibility that information will leak out,” says Larry Ponemon, chairman and founder of the Ponemon Institute, a US privacy and information security research group. “Companies can never say the data they collect about you is perfectly secure. But they can be good at managing or mitigating the risk.”
1. Intentions versus reality
Given the importance of the issue, Accenture set out to study the current state of corporate data protection and privacy. In two separate global surveys, we polled 5,500 business leaders and more than 15,000 adult consumers in 19 countries. Our objective was to understand how perceptions about data protection and privacy—from both business leaders and individuals—inform and influence data protection practices. Our research revealed important findings in five key areas.
There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it. This discrepancy creates an uneven trust landscape, which makes it particularly difficult for those doing business to trust that their data is being used by their counterparties in accordance with their expectations.
Although approximately 70 percent of business respondents in our survey agreed that organizations have an obligation to take reasonable steps to secure consumers’ personal information, their stated views on what that obligation entails were inconsistent in several respects.

For example, 45 percent of the business respondents were unsure about or actively disagreed with granting customers the right to control the type of information that is collected about them, while 47 percent were unsure about or disagreed with customers having a right to control how this information is used. Nearly half did not believe it was important to limit the collection and sharing of sensitive personal customer information, protect consumer privacy rights, prevent cross-border transfers of personal information to countries with inadequate privacy laws, and prevent cyber crimes against consumers and data loss or theft. There are several possible explanations for this inconsistency, including industry differences in the approach to data protection, cultural or regional differences, the lack of organizational accountability for security policy, and the fact that some companies focus on meeting compliance targets rather than on orchestrating a comprehensive data protection and privacy program.
A majority of companies have lost sensitive personal information, the biggest causes of which are internal errors and other things the company could potentially control. This suggests that accountability for and ownership of sensitive data are not being properly addressed in many organizations.
Fifty-eight percent of business respondents said their company had lost sensitive personal information, and nearly 60 percent of those who’d had a breach said that data loss is a recurring problem. Thirty-one percent of those businesses said they’d had three or more instances of data loss in the previous 24 months. Among these companies, the biggest causes of data loss are internal—problems presumably well within their ability to detect and correct. Business or system failure (57 percent) or employee negligence or errors (48 percent) were cited most often as the source of the breaches; cyber crime was cited as a cause of only 18 percent of the security breaches.

These findings belie common assumptions that external forces are the biggest threats to privacy and security. But they are consistent with reports of major breaches caused by employee error. In one case, a mobile phone operator lost a disk containing data on 17 million customers; in another, a European government’s national tax office mistakenly sent out CDs containing confidential information about nearly 4 million people to the country’s newspapers, radio stations and television stations.

There are several contributing factors to these internal vulnerabilities, none of them outwardly malicious but all of them troubling. They include insufficient training, inadequate controls and incomplete mapping of internal data flows (see sidebar, “Does your company have a data security problem?”). Ongoing innovation in areas such as data storage and mobility is compounding the challenge. Portable devices are getting smaller, can hold more data, and can seamlessly connect to servers, networks and other portable devices, literally putting more power—and more data—into the hands of individual users.
“People expect absolute, almost immediate access to anything they want at any time,” says privacy expert Ponemon. “That requires security to be nearly invisible. Anytime that security requires you to wait is unacceptable to people; many will try to avoid the delay. The right data protection processes, controls and technologies can help prevent this situation in the first place, providing effective security that enables business productivity, rather than hampers it.”
3. Regulatory compliance
Many organizations believe complying with existing regulations is sufficient to protect their data. That mindset is dangerous: regulations generally are not sophisticated enough for today’s business environment, and they are not consistently or equally applied across industries and countries.
Although nearly 70 percent of respondents said they regularly monitor privacy and data protection regulatory compliance requirements, data breaches have nonetheless occurred in 58 percent of organizations polled. Even more intriguing—or worrying—is the fact that more than two-thirds of businesses in Europe, where privacy regulations are most stringent, admitted that they’d had a data breach incident in the past 24 months, and nearly half of these companies have had two or more such incidents. These findings indicate that simply complying with existing regulations and laws is not enough to fully protect sensitive data. The current spectrum of regulations clearly cannot account for all possible problems that could emerge given the rapidly increasing volume of data that organizations collect and the complexity inherent in how such data is accessed and used by organizations.
4. Third parties
Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.

Fifty-five percent of the companies in our survey outsource the collection and/or processing of personal information about customers. Because safeguarding client information is one of every company’s most fundamental and important responsibilities, it is essential to scrupulously maintain the trust that forms the cornerstone of relationships between companies and their outsourcing providers.

Companies must conduct a thorough assessment not only of the provider’s own data protection and privacy program to ensure that it meets or—better yet—exceeds their own efforts but also of its knowledge of and experience with managing data within and across national boundaries. For their part, outsourcing providers must operate a comprehensive global client data protection program that provides a standardized, consistent approach to protecting their clients’ data. This program should cover all critical elements of data protection and privacy, including employee training, regular monitoring and auditing, oversight, appropriate and timely responses in case of a breach, enforcement and discipline for inappropriate actions, and strong preventive measures to stop breaches. It must understand and comply with both industry regulations and data privacy laws in the countries in which it and its client operate.

Does your company have a data security problem?

Before you answer, consider this: Despite the popular perception that breaches in data security usually have external causes, the most common culprits are internal, often the result of business or system failure or employee negligence. Among them:

• Insufficient training programs. Internal education is crucial to set common standards and practices employees can use to deal with sensitive data. Yet only 56 percent of companies surveyed said it was important or very important to even have policies about privacy practices.

• Inadequate controls. Often, employees simply have too much access to sensitive data. For instance, nearly half of the companies in our survey said limiting the collection and sharing of sensitive personal information was not important, sometimes important or irrelevant. Most telling, just 19 percent of businesses said it is never acceptable to sell personal information for profit.

• Incomplete mapping of data flow across the organization. As the amount of sensitive data collected grows exponentially, it is often difficult to track all the areas in which such data is generated, collected, stored and used. Nearly 30 percent of the companies in our surveys said they either did not know or were unsure of where personal information about customers and employees resides within the organization’s IT enterprise.

• Insufficient technology intervention. Human error is inevitable. Yet organizations are not doing enough to implement technical tools that prevent employees from taking an action that will compromise an organization’s data security.

[Figure: Internal issues—rather than cyber crime or malicious intent—are the most frequent causes of security breaches. Categories shown: System or technical glitches; Negligent or incompetent employees; Business process failures; Negligent or incompetent temporary employees or contractors. Source: Accenture analysis]

[Figure: More than half of the 5,500 company executives surveyed report that their company had lost sensitive information. Question: “Did your organization ever lose sensitive personal information?” Responses: Yes; No; Can’t recall. Source: Accenture analysis]
Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches.
The 31 percent of business respondents who said their company had not experienced even one security breach in the past two years demonstrated some substantial differences from the companies that did lose data, in terms of their attitudes and policies regarding data privacy and protection, as well as in what they considered acceptable uses of personal data. In general, our analysis indicates that those companies with no breaches seem to exhibit an overall “culture of caring” with regard to sensitive data and a conviction that they are not owners of such data but, rather, stewards whose responsibility is to protect and safeguard that data. These companies tend to believe that consumers have substantial rights to manage, correct and control information collected about them and to understand how such information is being used.

Additionally, the “no breach” group was more likely to feel a stronger obligation to maintain data protection and privacy—for instance, by taking reasonable steps to secure consumers’ personal information, control who has access to such information, disclose to consumers how their personal information is used, and help consumers if the enterprise loses their personal information. In addition, companies with no breaches tend to have policies that value the protection of sensitive data and how such data is used. For instance, no-breach companies are more likely than companies that have had breaches to know where personal information on customers and employees resides within the organization’s IT enterprise (75 percent versus 66 percent). This understanding enables these organizations to more effectively protect data across the enterprise.

It is clear that organizations today have an urgent need to take a more proactive approach to data protection and privacy, not only to minimize the risk of major fines for non-compliance but also to avoid breaches of sensitive personal data that can alienate customers and destroy brand credibility.

[Figure: More than half of the 15,000 adult consumers surveyed believe that customers have a right to control the information companies collect about them. Statement rated: “Consumers have a right to control information collected about them and their family.” Response scale: Strongly agree; Agree; Unsure; Disagree; Strongly disagree. Source: Accenture analysis]
A global standard
Government and corporate leaders should work together to create a global standard that is based on a thorough understanding of the data privacy and protection ecosystem and that assigns accountability appropriately across key stakeholders: organizations, individuals and regulators. The standard should provide prescriptive guidance on what data must be protected, who should be provided access to the sensitive data under what circumstances, and how to protect the data based on sensitivity and classification levels.
At an individual organization level, enterprises should create a “culture of caring” with regard to data protection and privacy. Companies have shown that this approach is not just good for compliance; it’s good for business. “We’ve seen organizations that have made privacy and data protection a strategic initiative,” says Ponemon. “They view privacy as a way to engage consumers and increase their reputation and brand in the marketplace.” There are six tangible steps companies can take to begin creating such a culture.

1. Assign ownership of and accountability for data protection and privacy. Diffusing responsibility for data protection and privacy across multiple functions contributes to an environment conducive to failures and breaches. Organizations that want to become good stewards of sensitive data should bring the people or functions responsible for specific aspects of protection and privacy—technology, policies, procedures, regulations and laws—together to ensure that the organization approaches these issues in a comprehensive and coordinated way. In some cases, it may make sense to establish a data protection and privacy council, comprising stakeholders from across the business, to oversee how sensitive data is managed and used and to ensure continuous improvement of the enterprise’s security posture.

2. Develop a more effective and comprehensive governance program for data privacy and protection. A robust and comprehensive data protection and privacy governance program can help an organization clearly delineate how data is collected, stored, managed and used, as well as who is allowed to access and use which data.

3. Evaluate current data protection and privacy technologies to confirm that the necessary level of protection is being provided. Because today’s computer incident-response technologies often do not generate adequate insights from prior breaches—thus impairing proactive risk management—companies should reevaluate their installed base of such tools and consider enhancing or replacing them. Importantly, because technology alone does not prevent potential information loss, it must work in concert with a data governance framework and standards.

4. Build a consistent level of awareness of the importance of data protection and privacy among the workforce. It is increasingly important for organizations to create more comprehensive and robust workforce education and training programs that give all employees a consistent and common understanding of the organization’s established data protection and privacy policies and procedures and specific guidance on how to adhere to them.

5. Reexamine data protection and privacy investments. Few organizations have a true enterprise view of their security investments. This not only prevents them from understanding the “true cost” of security, but it also keeps them from being able to reallocate investments as necessary to areas of high priority. An organization should have a balanced investment in data protection and privacy, considering all key aspects of the issue: people, process and technology.

6. Choose business partners with care. Partner with companies that take equal or greater care with data. Rigorously assess their knowledge, practices and experience in managing sensitive data across organizational and national boundaries in accordance with local privacy laws and industry regulations. Remember: You are judged by the company you keep.
Tallying the true cost of security breaches
In the United States alone, more than 339 million records containing sensitive personal information have been involved in security breaches since January 2005. Such breaches can have serious implications.

Erosion of shareholder value. Research has found that a stock price typically drops by approximately 5 percent after a breach of confidential information is made public. A separate study showed that companies announcing an Internet security breach lost approximately 2.1 percent of their market value in the two days following the announcement of the events—an average loss of $1.65 billion in market capitalization per incident.

Loss of trust. The Ponemon Institute, a US privacy and information security research firm, estimates that approximately 3.6 percent of a company’s customers stop doing business with the company after a security breach. The churn rate is even higher in certain industries, including health care and financial services.
Organizations are becoming more reliant than ever on data to run their business. But as the amount of data grows, policies and approaches for ensuring the safety and confidentiality of that information are falling behind. Companies need a more comprehensive approach to data privacy and protection, one that closes the gaps between business strategy, risk management, compliance reporting and IT security. A company’s approach to data protection and privacy should be more than legally compliant—it should be a core part of both the organization’s business value proposition and its culture. It should also be global in scope. All employees must understand this “culture of caring” and that they are accountable for safeguarding information. And as organizations innovate around new business models and technology to gain or maintain competitive edge, they must be equally aggressive in innovating around the data security issues that these advancements introduce.
About the author
Alastair MacWillson is the global managing director of Accenture’s Security group and works with clients worldwide on issues relating to enterprise security, data and information security, cyber security, risk management and privacy. He has 18 years of experience in security and technology consulting and has advised major companies and governments worldwide on strategy, standards practices and technology. Dr. MacWillson, who has written many articles and papers on security, is a regular presenter on security and risk at major industry conferences. Prior to moving into consulting, Dr. MacWillson spent 16 years with the UK Foreign Service and enjoyed postings in the Middle East, Moscow and Washington, DC. He is based in London.
Outlook is published by Accenture. © 2010 Accenture. All rights reserved. The views and opinions in this article should not be viewed as professional advice with respect to your business. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. The use herein of trademarks that may be owned by others is not an assertion of ownership of such trademarks by Accenture nor intended to imply an association between Accenture and the lawful owners of such trademarks.
For more information about Accenture, please visit www.accenture.com