Lord of the Rings


America’s telecommunications companies have become some of the country’s biggest repositories of sensitive personal information, far more than most customers and even some company executives likely realize.

These companies’ records typically include such information as customers’ credit card information, Social Security numbers, phone numbers and addresses, making it ever more important for them to protect the vital and valuable data with which they are entrusted. Therefore, it is critical for telecommunications companies to remain vigilant and continue to improve their information security programs to reduce the risk of exposing their customers’ data to prying eyes.

Many telecommunications organizations have worked to improve their data protection, but lapses still may occur at every level, involving everything from software security standards to employee training. Meanwhile, state and federal officials are moving to require improved precautions and mandatory notification of customers and regulators when personal information is released improperly. Ultimately, companies that fail to safeguard their customers’ private information may find themselves facing huge liability claims, fines and a devastating loss of consumer confidence.

In discussing ways to enhance protection, it can be helpful to look at data security as having three concentric circles.

The Outer Ring: Your Network Perimeter
The outermost protective ring is a company’s network perimeter, including its network gateways. These systems, which include firewalls and intrusion detection and monitoring systems, are designed to establish a logical barrier that controls all external communication.

Few companies have the level of network connectivity — and therefore the vulnerability to attack — that telecommunications companies do. Paradoxically, the very openness required for them to serve their customers may leave them exposed to constantly changing threats created by unscrupulous software coders. All this means telecommunications companies would benefit from robust security controls to reduce the likelihood of unwanted intrusions.

Authentication controls (such as passwords) are often a company’s first line of defense against intruders, and there are two elements to password security: complexity and how often a change is required. Complexity may include such factors as length and a mix of letters, numbers and other characters. Easily guessed passwords (variations of dates, months and the user’s name, for example) generally should be avoided. As for frequency, the more sensitive the system, the more often the password should be changed.
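The two elements described above can be expressed as a small policy check. The following is an added illustration, not code from the article or from KPMG: the month list, the three sensitivity tiers and their day limits, and the sample passwords and dates are all constructed for the example, and the rotation intervals are assumptions rather than values the article gives.

```python
import re
from datetime import date

# Constructed month list and rotation tiers for this illustration; the exact
# intervals a company picks are a policy decision, not values from the article.
MONTH_NAMES = ["january", "february", "march", "april", "may", "june", "july",
               "august", "september", "october", "november", "december"]
MAX_AGE_DAYS = {"low": 180, "high": 90, "critical": 30}  # assumed tiers


def check_complexity(password, username, min_length=12, min_classes=3):
    """Return a list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    # count the character classes present: lower, upper, digit, other
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        problems.append("too_few_character_classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains_username")
    if any(month in lowered for month in MONTH_NAMES):
        problems.append("contains_month_name")
    # four-digit years and dd/mm- or mm-dd-style fragments are common guessable filler
    if re.search(r"(19|20)\d{2}", password) or re.search(r"\d{1,2}[/.-]\d{1,2}", password):
        problems.append("contains_date")
    return problems


def rotation_due(last_changed, sensitivity, today=None):
    """True when the password (ISO dates) is older than the limit for the system's tier."""
    last = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (now - last).days > MAX_AGE_DAYS[sensitivity]


if __name__ == "__main__":
    # constructed sample inputs
    print(check_complexity("March2024!!", "jsmith"))
    print(check_complexity("correct-Horse-battery-7", "jsmith"))
    print(rotation_due("2024-01-01", "critical", "2024-03-01"))
```

The complexity check reports every violation rather than stopping at the first, so a user changing a password learns all of the reasons at once; the rotation check keys the age limit off the sensitivity tier, which is the article's "more sensitive, more often" rule made explicit.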

In addition to authentication controls, another valuable monitoring control is an intrusion detection system that logs every attempt to pass through the network perimeter and actively seeks out signs of would-be intruders. An effective intrusion detection system can detect deviations from normal operating patterns that may indicate an attack is under way, giving network administrators the opportunity to react before serious damage is done.

The Middle Ring: Business Applications
The middle ring comprises the security features included in a company’s business applications. This proprietary software lets telecommunications companies enroll customers, bill clients and pay employees, but many such business applications may fail to include appropriate security protocols, such as requirements for strong password regimes or segregation of data to restrict employee access. To help ensure data protection at the business-application level for a company’s most sensitive billing, personnel and customer-storage files, telecommunications companies first should adopt vigorous password protection and updates.

A second strategy in this area is data segregation. Historically, many companies consolidated customers’ records and made them readily accessible to a large number of employees to facilitate billing and customer service. But the potential to abuse such open access has prompted many companies to segregate data more aggressively and give employees access to only the information they truly require to perform their roles.

In addition, a strong privacy-protection regimen may require active monitoring of network use and personal behavior in connection with formal audit trails. Attempts to gain access to a customer’s records (successful or failed) may be logged, identifying the person making the query and when it was received. Sophisticated software then can be used to monitor these logs for unusual network activity or personal behavior by employees.
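The data segregation described in the previous section and the audit trail described here fit together naturally: a lookup service that returns only the fields a role is cleared for, records every attempt (who, what, when, success or failure), and then reviews the trail for unusual behaviour. The following is an added example and not code from the article or from KPMG; the roles, the permitted fields, the customer records with obviously fake values, the three sample employees and the thresholds for "unusual" are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records with obviously fake values; no real customer data.
CUSTOMERS = {
    f"C10{i:02d}": {"name": f"Customer {i}", "phone": f"555-01{i:02d}",
                    "address": f"{i} Main St", "ssn": f"000-00-00{i:02d}",
                    "card": f"4111-0000-0000-00{i:02d}"}
    for i in range(1, 21)
}

# Data segregation: each role sees only the fields its work requires (assumed roles).
ROLE_FIELDS = {
    "call_center": {"name", "phone"},
    "billing": {"name", "address", "card"},
}

AUDIT_LOG = []  # formal audit trail: one entry per attempt, successful or not


def lookup(employee, role, customer_id, fields, when=None):
    """Serve a record lookup, returning only permitted fields, and log the attempt."""
    when = when or datetime.now()
    allowed = ROLE_FIELDS.get(role, set())
    permitted = set(fields) <= allowed
    ok = permitted and customer_id in CUSTOMERS
    AUDIT_LOG.append({"when": when, "who": employee, "role": role,
                      "customer": customer_id, "fields": sorted(fields), "ok": ok})
    if not ok:
        return None  # denied requests are refused outright and leave a failed entry
    record = CUSTOMERS[customer_id]
    return {f: record[f] for f in fields}


def flag_unusual(log, max_failures=3, max_distinct=5, window=timedelta(minutes=10)):
    """Review the trail for repeated denials and bulk browsing of distinct records."""
    findings = []
    by_employee = defaultdict(list)
    for entry in log:
        by_employee[entry["who"]].append(entry)
    for who, events in by_employee.items():
        events.sort(key=lambda e: e["when"])
        failures = sum(1 for e in events if not e["ok"])
        if failures >= max_failures:
            findings.append((who, "repeated_denied", failures))
        # sliding window over successful lookups: most distinct customers in any window
        successes = [e for e in events if e["ok"]]
        worst, start = 0, 0
        for end in range(len(successes)):
            while successes[end]["when"] - successes[start]["when"] > window:
                start += 1
            distinct = len({e["customer"] for e in successes[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= max_distinct:
            findings.append((who, "bulk_browsing", worst))
    return findings


def run_sample():
    """Constructed activity: one normal agent, one probing restricted fields, one bulk-browsing."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed start of shift
    for i in range(3):  # normal: a handful of lookups spread across a shift
        lookup("agent_a", "call_center", "C1001", ["name", "phone"], t0 + timedelta(hours=i))
    for i in range(4):  # probing: repeatedly requesting SSNs the role is not cleared for
        lookup("agent_b", "call_center", "C1002", ["name", "ssn"], t0 + timedelta(minutes=i))
    for i in range(1, 9):  # bulk: eight different records inside four minutes
        lookup("agent_c", "billing", f"C10{i:02d}", ["name", "address"],
               t0 + timedelta(seconds=30 * i))
    return flag_unusual(AUDIT_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two design points matter here. Denied requests are logged with the same detail as successful ones, which is what lets the review step see an employee repeatedly asking for data outside their role. And the bulk-browsing rule counts distinct customers inside a time window rather than raw request volume, so an agent handling one difficult call is not confused with someone paging through the customer base.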

The Inner Ring: The Human Element
The inner ring — and the one that most often is overlooked — is the human element, that is, a company’s employees and representatives, including contractors in areas such as call centers and customer service. Insiders have tremendous opportunity to compromise customers’ privacy and security, and in many ways, this area can be the most difficult for telecommunications companies to address.

For example, high employee turnover rates can make training difficult, and call center and customer service employees may be vulnerable to criminals willing to bribe them for access to information. In response, some companies are conducting background checks before providing access to sensitive information. Background checks won’t prevent all abuses of sensitive information by insiders, but they can help telecommunications companies screen out high-risk individuals with histories that indicate they may not be trustworthy.

An additional way to address security with insiders is to make sensitivity about privacy a core element of the corporate culture. Executive speeches, seminars, newsletters and e-mail can be a part of a company’s efforts to sensitize employees to the importance of protecting customers’ private information. From the executive suite to call centers, concerns about privacy should be part of a company’s culture and be incorporated into a code of conduct program with regular employee training.

While no protection system is perfect and unbreakable, companies that demonstrate they have performed due diligence and implemented accepted leading data-protection and customer-privacy practices may be more successful in defending themselves from security breaches and subsequent legal or civil actions. Telecommunications companies likely can benefit by adopting many of the same technologies and audit-trail processes being used by other customer-centric industries, such as retail banking and health care providers. With federal regulators and state legislators from a majority of states considering the adoption of tougher mandates on American companies, protecting privacy clearly promises to be a key business challenge for years to come.

Greg Bell is principal and national services leader of privacy and continuity; B.A. Boit is managing director for forensic technology services; and Carl Geppert is partner and industry sector leader at KPMG LLP.

Links
KPMG LLP www.kpmg.com