Willie Sutton was a famous U.S. bank robber. When asked why he robbed banks, he responded by saying, "because that’s where the money is". That logic and answer can be applied to all types of data security incidents. Often times, what makes a given system a target is because, "That’s where the data is, which means that’s where the money is."
Now the fact of the matter is, money is not the only reason for breaches. Companies can be targets for many reasons including simple or competitive maliciousness. The "Sutton" principle still applies, though, because concentrations of data and, more importantly, concentrations of valuable data, create targets. We see this played out in many of the high profile security breaches.
Recently, Epsilon, which manages e-mail marketing campaigns, was broken into and e-mail addresses were stolen. This event triggered several inquiries to me as to whether or not inContact utilized Epsilon for any of our e-mail services… We do not, and therefore, the Epsilon event did not result in the compromise of any inContact data.
That event also evoked questions about how inContact protects its customer’s data. Now that’s a long story in the telling, but I can short list some of the best practices that we follow.
- Do not keep unnecessary data. inContact has many tools that allow our solutions to consume data without storing it on our system. If at all possible, we make every effort to not store customer information on our systems.
- Minimize data concentrations. I cannot provide the proprietary specifics, but inContact is able to segment data to prevent the concentration of all customer data in one place.
- Secure connections and session timers.
- Encryption of sensitive data.
- Technical controls such as firewalls, intrusion detection, physical accesses and password controls.
- Code security that addresses threat vectors such as SQL injection, XSS and buffer overruns.
- Vulnerability scans and penetration testing.
- Internal controls and separation of duties for inContact employees.
- Regular internal audits of inContact's own internal controls and user access.
- Vendor and 3rd party security reviews.
- Security Awareness training for all employees.
- Anti-virus and patch management.
- SAS70 and other external audits.
These are some of the things inContact does to secure information within its environment.
Regulators often focus on specific data types such as PII, PCI, HIPAA, etc. The fact of the matter is, all of our customers’ data is important, regardless of whether it fits into a specific regulatory category or not.
At inContact, we know that all of your data is important to you, and it’s important to us.