moving forward

A combination lock lies on a printout of black and white 1s and 0s with the word “security” in red. (Getty Images/iStockphoto)

We explore 10 key challenges for business leaders in 2014, with expert commentary on the issues.

When Chris Karram started mortgage and investment firm SafeBridge Financial Group in 2005, he never thought that anyone would want to steal his customers' sensitive information.

He used a basic content management system to store his clients' data and it didn't come with any special security software.

There were some financial sector security regulations he had to follow, but if anyone wanted to hack into his system they probably could.

"There was no real security behind what we were using," he says.

That's changed over the years. While he's never had a security breach, he, like a lot of company owners, has read more and more stories about people going to great lengths to get people's information.

His customers have noticed that, too. In 2006, nary a client mentioned anything about security. Now, he often has to spend time explaining to people why they need to divulge certain details.

"There's a heightened awareness about the ease of accessing e-mails and other information," says Mr. Karram, co-founder and co-CEO of the company. "You can see a growing hesitancy by the Canadian consumer to release personal data."

As hackers get more tech savvy and increasing amounts of data are stored on computers, information security is becoming a more pressing issue for companies in all sectors.

For Mr. Karram, IT security poses two challenges. He needs certain information – the most important being a social insurance number – in order to secure mortgages and investments for clients. He also has to send that information via a computer to other financial institutions.

"Unfortunately, we don't have a way around that," he says.

In some cases clients have been so worried about handing over their SIN that the mortgage process has been delayed. He's never had a client stop the process altogether, but he does spend a lot of time reassuring people that their information is safe.

The more stories of security breaches that come to light, the more Mr. Karram beefs up his own systems. In 2007 he switched to a more complex content management system, which came with better security software. While he didn't buy it for the protection, he was happy it was there.

In 2010, when the company switched to the content management program it has now, Mr. Karram hired an IT specialist to develop a more robust security system. The program uses the same security certificates and encryption methods that most companies use today, but he also added extra layers of protection to the back-end system, he says.

He's also changed the way certain data are accessed and stored. For instance, his mortgage agents can only see their own clients' information and as soon as social insurance numbers, driver's licence information and certain other sensitive numbers are sent to a mortgage lender or financial firm, those details disappear.

"We don't actually store that information," he says. "If we need the number again, they'll have to provide it again."

Any information that is kept on hand is backed up to the cloud and every computer has its own separate log-in and password. He can also tell who has logged in to each computer and what information has been accessed and when.

He's also using a less technologically advanced method of protection: a room with a locked door. He keeps loads of documents in the "filing room," and only certain people can get into it.

While he says that his security measures are better than they've ever been, there's always more to do. That's the rub – even with all of those layers of security, customers are still nervous and hackers continue to get smarter.

It may be an unsolvable challenge, but how can he gather sensitive information, know it's completely safe and keep customers reassured at the same time?

"We're 100-per-cent confident in our system, but we know it always needs to be improved," he says. "A breach could have a massive impact on our agents and customers and we're hoping we can continue to find ways to ensure our clients and our team are protected."

THE EXPERTS WEIGH IN

David Skillicorn

Professor in Queen's University's School of Computing, Kingston

It's good that he's deleting the SIN, but you have to think carefully about what deletion means. It's probably still there. If there's malware on your computer, it can look around the system and pick up fragments you thought were deleted.

What's happening now is that people aren't trying to put up ever more fancy walls, but they're learning to live in an environment where they know the system is open. For instance, instead of sending one SIN to the other end, send them 20 with only one being the real one. It's harder to figure out which is the right number.

There's also a technique called "secret sharing," where two people know a piece of information between them and can figure out the right answer together, but neither can figure it out on their own. That makes it harder for someone who randomly intercepts something to determine what's there.

Intelligence organizations have been pushing for this for about five years, but it hasn't received much penetration in business yet, though it's coming. People are realizing that you can't keep putting wall upon wall up, because hackers still get through.
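
The "secret sharing" idea described above, sketched as an added Python example that is not part of the original article or the expert's comments. It uses XOR splitting and generalizes from two parties to n, where every share is needed; the SIN-like value is constructed, and the function names `split`, `combine` and `share_explaining` are hypothetical.

```python
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int = 2) -> list[bytes]:
    """Split `secret` into n shares; all n are required to recover it."""
    if n < 2:
        raise ValueError("need at least two shares")
    # n-1 shares are uniformly random pads from the OS CSPRNG.
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # The last share is the secret XORed with every pad.
    shares.append(reduce(_xor, shares, secret))
    return shares


def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; the random pads cancel out."""
    return reduce(_xor, shares)


def share_explaining(held: bytes, candidate: bytes) -> bytes:
    """Two-share case: the other share that would make `held` decode to
    `candidate`. One exists for every candidate of the same length, which
    is why a single intercepted share reveals nothing but the length."""
    return _xor(held, candidate)


if __name__ == "__main__":
    sin = b"123-456-789"  # constructed sample value, not a real SIN
    first, second = split(sin)
    print("share 1:", first.hex())
    print("share 2:", second.hex())
    print("combined:", combine([first, second]).decode())
    # The same intercepted share fits a completely different number.
    fake_other = share_explaining(first, b"000-000-000")
    print("share 1 also fits:", combine([first, fake_other]).decode())
```

Each share should travel over a different channel or be held by a different party, since anyone who collects all of them recovers the value.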

Rohit Sethi

Vice-president of product development at Toronto-based Security Compass Inc.

Things have changed quite a bit over the years. We're more interconnected than we were a decade ago, there's more widespread knowledge on how to hack, and it's a lot easier to do. It's becoming even more important for businesses to protect customers.

There's not one thing that they can do. Security encompasses many things, like having anti-virus software on desktops and phones, having a specific person responsible for information security, using encryption technology to store data. But the key is building a security program that aligns with the business's needs. They have to ask themselves, "How can someone hack into the software?" and then they can build in controls to prevent those specific hacks.

It's also important to be constantly monitoring for a breach. There are entire categories of security tools that can let you know if you're being attacked.

Expert comments have been edited.
