Data breaches are becoming bigger and more common every year, yet many organizations remain reactive and move to protect their data only after a breach has occurred. That’s not the case with nonprofit Educational Testing Service, based in Princeton, N.J., which prides itself on its proactive approach to IT security.
Marcus Prendergast, a senior security engineer at ETS, describes how the company developed a strategic, centrally managed enterprise data protection strategy—including data-loss prevention solutions such as encryption—that enabled it to prevent data breaches, save money and teach employees how to better protect corporate data.
During its 62 years, Educational Testing Service (ETS) has always been committed to protecting its customers’ personal information. That’s why, after two major companies recently made headlines with serious data breaches, we moved aggressively to implement enterprise mobile device encryption solutions to help ensure that our reputation for proactive, effective IT security remained intact.
ETS is best known for the tests we administer, but we are an intellectual property organization at heart. Our value is in our assessments and the customer data we keep.
ETS develops, administers and scores more than 50 million tests annually at more than 9,000 locations in more than 180 countries. These tests include the GRE (Graduate Record Exam) and TOEFL (Test of English as a Foreign Language), as well as the College Board’s SAT-I and SAT-II exams. Accordingly, we have a large data footprint that keeps growing—currently by about 50 million new records a year.
We take our stewardship of customer data seriously because our business is based on trust—trust that our tests are fair and valid and that people can safely share sensitive personal and financial information with us. Data security is an essential part of maintaining that trust: We don’t want customers to wonder whether our company can protect their data and thus question other aspects of their relationship with us.
More importantly, data falling into the wrong hands through a data breach can ruin customers’ lives and threaten a company’s reputation—and even its existence. We want to avoid that at all costs.
Cases in point: In July 2008, pharmaceutical titan Bristol-Myers Squibb confirmed the theft of an unencrypted backup tape of personnel data. So far, no one appears to have accessed the data, which may number up to 40,000 records.
Last January, Heartland Payment Systems, a credit/debit card payment processor, revealed that it had received reports of fraudulent activity from transactions corrupted by malicious software. The hack may have compromised tens of millions of transactions, and the firm is spending a fortune to fix this mess.
Such costs come as no surprise: The average cost of a data breach continues to increase yearly, with an average cost per customer record of $202 and a total average per-incident cost of $6.6 million, according to the Ponemon Institute’s “2008 U.S. Cost of a Data Breach” study.
These reports prompted a member of the ETS board of directors to ask about our company’s security practices. ETS had solid network security, but we needed greater data security, particularly for the 1,500 laptops our employees use.
The IT security team used that opportunity to take additional steps to prevent data breaches. We sought to replace pockets of unmanaged data security solutions with a strategic, proactive, centrally managed enterprise data protection strategy, which included data-loss prevention solutions such as encryption.
A Proven Solution
We believe that one of the best ways to protect data against unauthorized access or use is to encrypt it, making the data unreadable to thieves, hackers and other unauthorized users. But we required a proven, standards-based encryption solution that was built to last, and we didn’t want to worry about different products working together.
The product had to be easy to use, or else our employees and partners might circumvent it. Also, we wanted to manage enterprisewide deployment centrally, with the ability to meet current and future data protection needs.
At the time, the provider that hosted our IT security solutions secured only part of the hard drive and operating system with its hard-disk encryption solution. This required our users to save data to certain areas on their computers. We wanted to encrypt the entire hard drive to free employees and partners to concentrate on their jobs.
We reviewed solutions from four vendors and decided that PGP’s outpaced the others in terms of product quality, market longevity and meeting our specific needs. So we chose PGP Whole Disk Encryption to protect mobile data on our laptops and PGP Universal Server to centrally manage our enterprisewide encryption deployment.
When we deployed the new technology, we had to explain why encryption was necessary. Many of our employees and partners were unaware of the numerous IT security threats they might have to face and didn’t realize that so many data breaches were occurring in all industries, especially in higher education.
To deal with this situation, we created a mandatory training program for laptop users that would familiarize them with rules for using and traveling with encrypted devices. In addition, we require our outside legal counsel to use PGP encryption keys and our partners to obtain at least one copy of PGP Desktop Email encryption software if they want to share any sensitive information with us electronically.
Our IT engineers, with PGP’s help, designed and tested the new solution in-house, on time and on budget. We have achieved a significant ROI. For less than $250,000, we have improved security, compliance, usability and employee engagement.
Our new centralized management, policy, log and key management capabilities provide unprecedented visibility and real-time control over our laptops. Our IT staff knows which laptops are encrypted and which ones are online. Should a device go missing through theft or loss, we can determine whether the data on it was encrypted.
In addition to having better tools, training employees on security best practices—including the monetary value of data and the cost of losing it—has directly caused organizationwide behavioral changes that reduce the risk of data breaches.
If someone loses a laptop, encryption prevents unauthorized users from accessing the data, cutting the risk of a breach to zero. We trust this solution so completely that we are putting our own name on our laptops’ startup screens, replacing the anonymous tags we previously required for security purposes.
ETS must comply with federal IT security mandates and with the Payment Card Industry Data Security Standard (PCI DSS) to protect credit card transactions. Our employees must comply with different laws about transporting encryption technology to various countries, particularly politically sensitive countries. We can now automatically enforce federal standards and international export rules on a country-by-country basis, ensuring that we don’t violate any international statutes, while still providing appropriate protection.
In addition, the solution saves us money on meeting both our current and future encryption needs. Upgrades are easy. We just activate the new features, without the expense and trouble of expanding our management infrastructure. For example, we’re devising a proof-of-concept in the next year to add protection to e-mail sent via employees’ smartphones.
Improved ease of use has been a big plus. The new setup doesn’t require employees and partners to type in their user names. They just key in their pass phrases, making the sign-on process easier and faster. When users, including our general counsel’s office, found out how easy to use and secure the product is, many wondered why we hadn’t implemented it sooner.
Our encryption deployment strategy helps us prevent or mitigate the risks of cyber-attacks and data breaches, while meeting government IT security and compliance mandates. It encourages our employees to adopt new technologies and use them securely without impeding solution deployment or user productivity. Finally, it enables us to implement best practices that lower operating costs, save money and increase competitive advantage to achieve success.
What’s more, our employees and partners are now much more proactive about IT security. Before training, most users concentrated on the value of the machines themselves, not the value of the data those devices house. When people realize they’re carrying $50,000, $500,000 or $5 million worth of data in their briefcase, they are less likely to leave their laptops behind accidentally.
That sense of personal responsibility is one of the biggest lessons ETS has learned. Our employees have taken ownership of their machines and the security processes necessary to protect them. In short, proactive IT security depends on more than simply deploying effective technology. It also requires training and instilling the right knowledge, mindfulness and dedication in a corporate culture. And that’s what ETS has done.
Marcus Prendergast is a senior security engineer at Educational Testing Service (ETS), a nonprofit educational organization based in Princeton, N.J.