Security Focuses On Innovations
GRAND RAPIDS — There are all kinds of security issues in the world of business: individual health and safety, physical property security, data security, legal liability …
One thread now ties them all together, and it's an electronic thread.
Advances in technology have resulted in an "area of convergence," said Thomas Hines, which dramatically increases the overall challenges of security at many companies and organizations today.
Hines, president and CEO of local security consulting and technology development firm SecureMatrix, and co-founder of the Michigan Homeland Security Consortium, said that convergence is the point where physical security is linked to other systems within an organization. A major example is "smart cards," which Hines predicts most employees will be carrying within five to seven years.
Smart cards are essentially "a computer on a chip in a card," said Hines. Many employees today carry a magnetic card they swipe at scanners to gain access to buildings and parking lots, but a smart card is much more than that. It's a little computer carried in a wallet or purse, segmented to contain data that provides varying degrees of access to buildings, parking lots and computer networks, and sometimes data about the company and the employee, and perhaps even access to financial accounts.
Hines noted that because technology is so intricately intertwined with security issues at many organizations, the accounting firm of Plante & Moran now has a security expert whose focus is solely on IT. Raj Patel, who works out of the firm's Southfield office, is a certified information security manager and heads that function throughout the three Midwestern states where Plante & Moran does business.
In IT security, said Patel, there are two major issues: loss of data and access to data. It doesn't matter how or why the data was lost — or whether it was a deliberate theft or an accident, said Patel. The impact is the same: The company is required by federal law to inform anyone whose confidential data may be compromised. That includes data that could result in a financial loss to the individual (misappropriation of credit cards or bank accounts), and also data about the individual's medical history.
A company that lost a customer's credit card number may have to pay for monitoring that customer's credit rating for years to determine if anyone is attempting to steal the individual's identity for fraudulent use. Patel said that cost could be $100 a year for each customer, plus legal fees.
That doesn't sound like too much of a penalty, until one considers the potential extent of a major data loss.
"The granddaddy of them all," said Hines, was the theft in 2006 of 45 million customer credit and debit card numbers stored by TJX Cos., a major retailer that includes T.J. Maxx, in Framingham, Mass. That loss will be in "the hundreds of millions of dollars and counting," said Hines. The previous record-holder for lost data was a security breach at CardSystems Solutions in 2005, where 40 million customer records were lost.
The complex capabilities of electronic technology today are virtually unfathomable to the average person, so much so that even years after the event, the experts are still not sure how the TJX Cos. data was stolen, said Hines.
In mid-June, three former employees of the Tropicana Hotel and Casino in Atlantic City, N.J., were indicted for allegedly stealing computer data, specifically information on more than 20,000 of the casino's top players, including contact information and gambling history. That information could potentially be worth millions of dollars to another casino.
There seems to be thorough insurance coverage for every possible business contingency, with the possible exception of a major loss of data, said Patel.
"It's a new area," he said, adding that there is not a mature product yet in the insurance industry for data theft or loss.
"The insurance companies haven't really figured it out yet," he said.
Data loss gets all the headlines, but the second major issue in information technology security can be equally devastating to a company. That is loss of access to data in the event of a natural disaster that knocks out the electricity — or even an entire building.
Patel noted that his own region in Southeast Michigan lost power in June for a couple of days due to storms. He also mentioned the tornados and floods that have struck the U.S. recently.
"All those (natural disasters) raise concerns about the availability of systems and data," said Patel. "If their systems are down, most companies can't even operate today."
Many clients of Plante & Moran are interested in business continuity plans, said Patel. There are two types of solutions for continuing business functions: a backup power source, or an alternate facility with a redundant IT system.
The first step in setting up a business continuity plan, said Patel, is to do a thorough assessment to determine the "maximum allowable downtime" of that company's IT system. Just having a backup electrical generator may not be sufficient in the case of a flood or tornado that destroys a building. If the critical amount of downtime the business can survive is less than 24 hours, he said, then that company probably needs to have a redundant system somewhere else, ready to go in an emergency.
Another intriguing convergence of technology and security issues is in building management and the physical security of personnel, according to Hines.
Automated building management systems now can turn down or turn off lights that are not needed.
"That's commendable from an environmental and cost-saving standpoint," said Hines, noting that LEED construction standards more or less demand a reduction in lighting.
"But then you have to ask yourself, can our security work? Can it interface so that (the system) recognizes that an employee is still there?" And does the lighting come up for the safety of an employee leaving after dark?
"Your No. 1 asset in any company is your people, and the sad truth is that your people are at risk in a lot of ways that business doesn't anticipate," he said.