In addition to being the Chief Technology Officer of High Tower Software, I am also the Chief Information Security Officer. The latter of these roles is often much more intensive and time-consuming than I originally envisioned. The good news is that I have laid a lot of the groundwork for our ongoing security practice and have had phenomenal support from High Tower’s senior management. The bad news is that there is never enough time to do all the things that I would like to do to grow our information security program.
Being a security manager also involves many so-called wake-up calls, events that happen that take you by surprise. One of my wake-up calls began last summer. High Tower outsources its payroll and some of its HR functions to a large administrative services provider. Last summer all High Tower employees were required to complete training concerning harassment on the job; to do so, each employee had to hit a link on the service provider’s Web site. To obtain a password, however, employees had to first enter their Social Security numbers. When I learned of this, I contacted the service provider to express my concerns. My inquiries were bounced around from one manager to another until they somehow ended up in the hands of a product manager who worked in services technology. He assured me that there was really no danger in requiring that employees enter their SSNs. That was red flag number one. When I replied, protesting that phishing threats are one of today’s major security threats and that forcing employees to enter personal information effectively set them up for phishing attacks, I received no further reply.
Just today I received a phone call from a High Tower employee who informed me that she had recently received a letter from the service provider saying that her SSN and other personal information were on a laptop that was lost. She was assured, as I was previously, that there was really no danger that resulted from this incident, but nevertheless the service provider offered her free credit monitoring services for one year. That was nice, but I fear that this company is totally missing the point when it comes to information security. Frankly, I am nervous about doing business with this company because of its obvious lack of due care in these security matters. High Tower works hard and invests a considerable amount of resources to ensure that its computing environment and data therein are safe. This service provider in effect comprises a weak link in High Tower’s practice of information security.
I wrote a message to the service provider pointing out the deficiencies in its practice of security and asking not only that it cease requiring that SSNs be entered for users to obtain passwords, but also that it stop storing our employee data on laptop systems. I am waiting for a reply. Hopefully, this service provider will have its own wake-up call and will start addressing the deficiencies I have identified. If not, there is no question in my mind that I will press for dropping this company as our administrative services provider. Security counts. Services that are delivered without suitable security are not acceptable. And I predict that in the future there will be more companies such as mine that will notice security deficiencies in provided services and do something about them—press for change or change service providers altogether.