Over the years, while customer communications management (CCM) systems continued to expand with new features and capabilities that enhanced the customer experience, security was not always at the top of the list. Traditionally, when implementing security measures for business-critical documents, security fell under a “fortress mentality,” which meant we hardened the network perimeter and counted on the systems that were being implemented to also provide the protection our business documents required. We believed that our customers’ information was safe inside the firewall.
However, this confidence began to erode when, in 2013, Target announced that data from as many as 70 million credit card and debit card accounts had been stolen. Equifax was also in the news a few years later due to a data breach that impacted the personal information of approximately 147 million of its users. And just this past year, in one of the biggest data breaches ever, a hacker broke into a Capital One server and gained access to more than 100 million Capital One customer accounts and credit card applications. We have witnessed the repeated failure of architecture that we counted on for protecting a business from a security breach. Traditional firewalls and corporate security protocols were proven insufficient. Data needed to be protected at the data level. Suddenly, data security — the processes and technologies used to safeguard data — rose to the top of every company’s concerns.
There is a plethora of customer data within an organization that can fall into the hands of cyber-thieves, including customer lists, detailed financial statistics, credit card information, confidential healthcare data and more. Customers come to companies with an expectation that their data will be kept secure. The difficulty is that data security is an ever-changing challenge. Hackers have become more sophisticated, making it critical to continually ensure security policies are up-to-date and effective. As a result, it comes as no surprise that enterprises and print service providers alike are investing in technology and other solutions to address security concerns and close any security gaps.
When reviewing your CCM processes with security in mind, an initial step is to assess where your gaps are and what you need to do about them. Once you diagnose the potential vulnerabilities within your systems and processes, you can then develop a formal risk mitigation plan that addresses identified areas for improvement. Here are four things to consider as you develop a plan:
• The number of people or systems touching the data in the document process
While you can’t monitor every touchpoint, it is important to put safeguards in place that reduce workflow steps in order to limit interaction with the data. Technology today makes it possible for data to be embedded into the file and remain encrypted while being processed throughout the entire workflow. Additionally, finding a way to integrate closed-loop protection with multi-factor authentication controls from file receipt to output management will protect the data at the production level and reduce the opportunity for human error. Proper malware detection and protection software, as well as 24/7 network monitoring, will also help ensure data is protected at all times.
• The secure distribution and access of sensitive data
As the workforce grows more mobile, your plan needs to include methods for securely delivering communications via multiple delivery channels. Today’s customers expect quick and easy access to their documents. On the flip side, enterprises and service providers that work in the insurance, healthcare and financial services industries have been held back from sending these sensitive customer communications electronically due to stringent privacy requirements. Keeping data safe when sending sensitive documents on mobile devices requires the ability to share these documents with as little friction as possible. It is important to find solutions that offer full tracking capabilities for proof of delivery and proof of access, as well as auditing capabilities that ensure access only by the intended recipient.
• The compliance regulations important to customers
Regulations such as HIPAA, PCI, FISMA and SSAE 16 each address an industry’s unique privacy requirements for the type of data they maintain. It is important that your risk mitigation plan includes specifics for handling these regulations. Enterprises and third-party service providers can pursue certifications that ensure a security program functions at an optimal level; most security certifications require that companies implement risk management and other security controls as part of the assessment process. Companies that store credit card information on their processing systems, for example, should maintain PCI certification overseen by the Payment Card Industry Security Standards Council (PCI SSC) as it requires businesses to maintain seven critical security controls. HITRUST certification is another option for businesses that handle protected health information, giving customers the added assurance that your business is able to address rigorous HIPAA standards.
• Disaster recovery and emergency preparedness
Sadly, ransomware is here to stay, and it is a growing threat. This malicious software locks and encrypts a computer or device’s data, then demands a ransom to restore access. Your risk mitigation plan needs to include recovery options for when (not if) this happens. An incident response plan should identify the chain of command and contact information for team members, as well as procedures for responding to different levels of data breaches, and to whom they should be communicated. Most importantly, it is your online system that will most likely be affected by ransomware; it is critical to have an offline backup of information that is not accessible via a network, thus allowing you to restore normal business operations should a ransomware attack happen.
While businesses in the insurance, healthcare and financial services industries are closely regulated in terms of privacy and security, the security practices of any company that regularly works with customer data need to be strong and ongoing. It is important to implement the most up-to-date data security solutions to mitigate the risk of security breaches and to continually monitor and improve your systems’ security processes, identifying and closing any gaps. Another benefit of having strong security initiatives in place is that it demonstrates to your customers that protecting their data is a top priority, which can be a deciding factor for them when doing business with your company.