I recently wrote an article about the potential for security breaches in relocation. As it happens, I also attended the Data Security Session at this year’s ERC in Chicago and was very disappointed in the quality of the content. The audience consisted of Human Resources, Relocation Service providers and Destination Service providers. There were great speakers from the data security side of the equation and an equally talented speaker from the Global Mobility perspective.
They gave great tips about the “human” side of data security: improving passwords, how to avoid clicking on phishing links, how to recognize phishing links, and others. For instance, they discussed how promotional jump drives (USB sticks handed out as advertising) could end up bringing ransomware into your company. They discussed putting together good data security checklists and bringing good data security training practices into your company.
So, with all of this great content, why was it disappointing? Because so much more was left unsaid. Data security is definitely about human practice, but it is also about the work of IT professionals and the crucial systems that protect you from attacks. By focusing solely on the human side, they misrepresented how hard it is for companies to protect themselves. They made it feel like good “human” policies could prevail. THEY CAN’T DO IT ALONE. Sophisticated monitoring software, specialized security professionals and SIEM aggregation are requirements, not luxuries.
Good Question – maybe the Question
One member of the audience asked how he could know whether his downstream vendors really were abiding by his security contract and the obligations it entailed. The answer was that you could not test them all, and that whether or not to test a particular vendor was a risk management decision. In short, if you felt that one kind of vendor (let’s say Movers) handled fewer pieces of personal and private information, you would not test them, but if you felt that another kind of vendor (let’s say immigration or destination services) handled highly private information, you could test them. Is this a good enough answer for those whose privacy is being entrusted to us? Everyone can be tested. Security is like a back-up: if you don’t test it regularly, you can’t rely on it. The relocation industry today is working from a base of willful ignorance about whether or not its downstream vendors have the appropriate security measures in place. Many do not. These security measures cost many, many thousands of dollars to implement, and there are some vendors at different levels of the relocation stream that do not have the resources to come up with such security measures. This is not to chastise those vendors. We have let this come to pass, where some vendors have low enough margins that the security bar is too high for them to get over.
What can we now do about it?
We have to educate our clients that security comes at a high cost, so they can be aware that downstream vendors’ fees may need to go up. Will this happen? Don’t hold your breath. The economic model for relocation is a lot stronger than the security model, and low fees will be victorious over better security until there is a damaging data breach incident. However, without proper protection in place, most data breaches will go undetected until the data becomes public.
Relocation management companies and in-house mobility teams can test all levels of vendors who hold private information and ensure that they are secure. But they must hold the bar high as to what constitutes private information, and who actually holds it. Without doing so, we are all doing a disservice to those relocating employees who have entrusted us with their private information.
Of course, everyone has to know the law around data breaches in order to comply with those measures, so we link to them here. Vendors who ignore the law or who are willfully ignorant of it are taking this risk not only upon themselves (in terms of huge fines), but also at their clients’ expense.