With so many options for accounts receivable companies in existence these days, many clients find it difficult to know what to look for when evaluating a potential partner for their business. One thing that should be near the top of every list is the ways in which such a partner handles sensitive data. In a modern world where hacks of credit card accounts and personal information are commonplace, the need for data security has never been higher. In order to give a better idea of what methods the highest performing companies in this space are utilizing, we took a look at IC System, a leader in the field. By reading through some of the company’s security practices below, you’ll be better equipped to understand the sometimes convoluted field of data security, especially as it relates to the accounts receivable industry.
Before diving into their security practices, a brief overview of the company will be helpful in order to understand the type of work they do. IC System was founded in 1938 by Ruth and Jack Erickson. In the years since it was created, the company has remained a family-run organization, now on its third generation of family leadership. Headquartered outside of St. Paul, Minnesota, the company focuses its efforts on helping to reach financial resolutions for clients and consumers in an upfront and fair manner. This legacy of honesty and ethical practices was put in place from the very first days of the company’s existence.
In the years since its creation, the company has seen its scope and client base increase steadily on its way to becoming one of the top accounts receivable firms in operation. In order to facilitate this upward trend in their efforts, the company has worked consistently to partner with professional organizations as well as expand its licensing throughout the country. To that end, many of those organizations still use the company as their recommended method of settling accounts, and the firm is now licensed and/or bonded in all states in the U.S.
Cyber security in the U.S.
In the wake of the 2016 Presidential election, new concerns related to hacking have surfaced in the minds of the American public. But outside of the political spectrum, there have been a number of large-scale hacks that have troubled corporations and even universities. Looking back at the first six months of 2018, there were about as many hacks as there have been in previous years; but as cybersecurity of large companies fails to keep up with current trends in hackery, critical infrastructure remains up in the air, or up in the cloud rather.
Perhaps one of the most looked at breaches of the past two years has been Russian hackers infiltrating the infrastructure of U.S.-based power companies – through this hacking, it has been postulated that these computer-savvy people could gain direct access to the utility controls of these companies. Of course, it is often thought that these attacks could have been perpetrated by those with ties to meddling in the 2016 election and other attacks, such as the NotPetya ransomware attacks. Despite any ties to these attacks, the power company breaches were a startling revelation for the U.S. government – it wasn’t until last year that the government began acknowledging Russia’s involvement in these attacks to the public. Although some officials spoke in hushed tones about Russia’s involvement for months, the Trump Administration was cautious about raising concerns of more hacks, or upsetting business or overall relations with the country.
Aside from large corporations, U.S.-based universities have also seen an alarming rate of troubling cyberattacks. In March of 2018, the U.S. Department of Justice indicted nine Iranians over a series of attacks that targeted over 300 universities based in America. But it wasn’t just universities that were targeted by these hackers – they also targeted groups like the United Nations and the states of Indiana and Hawaii. Overall, these hackers stole 31 terabytes of information, which equates to around $3 billion in intellectual property.
One of the most newsworthy data breaches of this year, however, has been the controversy surrounding Facebook and Cambridge Analytica. Overall, the firm gained access to information tied to nearly 50 million Facebook users, including personal information that could be used to influence behavior, although the extent to which the information could be used in this way has been extensively deliberated on Capitol Hill. Despite trying to scrub all of the compromised data, it seems as though Facebook was unsuccessful – in a statement released by the company, they said “several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made. We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information.” CEO Mark Zuckerberg ultimately had to testify before Congress, and Facebook had one of its worst quarters ever.
You may be thinking to yourself “okay, so this may be a problem. But how do these large-scale corporate attacks impact me?” Well, as companies continue to experience high-level data breaches (think Google and Facebook), oftentimes millions of users’ data is accessed, which could include you or someone you know. Now, more than ever before, personal and corporate cybersecurity is of the utmost importance.
As the company’s operations have grown, so too has its need for security. With so many clients and consumer accounts passing through its systems, the company understands the requirement for complete confidentiality when handling sensitive information. This confidentiality must not only be maintained internally, but also must be safeguarded against any who may seek out such data for their own uses. This focus on security extends to all data the company handles, including payment methods, account inventories, and personal information.
Security methodologies in use at the company are put in place by a security network that is supported by a highly regimented set of compliance protocols. These measures are tested extensively through more than fifty annual audits. They are also continuously monitored by the company’s failsafe system. These protocols are in place 24/7 and are operating throughout every day of the week, including holidays and weekends.
Use of FISAScore
One of the ways the company ensures that its data practices are meeting the high level they have set out to achieve is through the use of the FISAScore. This measurement tool utilizes a collection of industry standard assessments in order to identify and quantify security risk. In order to receive a certification from the assessment, a company must be evaluated on a number of different requirements from the IEC, ISO, CCS CSC, NERC, COBIT5, and the NIST Cybersecurity Frameworks. Taken as a collective whole, along with the FISA assessment itself, these evaluation metrics form the standard model for best practices in the accounts receivable industry. At present, the company has received a FISAScore that ranks it nearly thirty percent more secure than the average found throughout the industry.
The auditing firm that services the company, known as FRSecure, evaluates its FISAScore through a reporting method that exceeds the default industry method known as SOC. While an SOC report is often used to evaluate a company’s score, it is lacking in a few areas required to ensure the fullest data security methods possible. These gaps include an inability to account for compliance with federal laws, the safeguarding of especially sensitive data such as medical records, or adherence to certain state regulations such as the Red Flags Rule or Nevada NRS 603a. In order to attain the most comprehensive security evaluation, the FRSecure audit used by the company encompasses all of the parameters of an SOC report and then delves into the additional metrics listed above.
There is an extensive number of regulatory compliances that IC System must consider when constructing its security system. Though there are too many to name here, it will be helpful to touch on a couple in order to illustrate the thought that goes into creating such a system. The first is related to the way in which the company processes credit card payments. While many collection agencies conduct a PCI DSS self-assessment for the portion of their network that handles payment transactions, the company pursues a much more stringent PCI DSS 3.2 Annual Certification on its entire network. In addition, this evaluation is performed by a third-party auditor in order to ensure its objectivity.
Another important regulatory consideration is the Health Insurance Portability & Accountability Act, known as HIPAA. This act is usually considered along with the Health Information Technology for Economic and Clinical Health Act, known as HITECH. Taken together, HIPAA and HITECH form a basis of security practices that must be adhered to in order to protect sensitive medical information. The company uses the regulatory practices put in place by the acts in order to address confidentiality concerns related to the transmission, storage, and use of information related to healthcare.
Cybersecurity in Healthcare
The healthcare field is experiencing growing cybersecurity concerns – in the past few years, IT security incidents have steadily risen, which has many healthcare organizations incredibly worried. Many of these organizations have been desperately trying to keep these attacks at bay. 2015 was the peak of this “trend” (for lack of a better word), as the year set a new record for data breaches in the healthcare sphere. More data, in fact, was stolen in 2015 than in the previous six years combined. More than 113 million records were accessed, and 78.8 million of those records were stolen in a single breach. The days of worrying about smaller breaches are over – now, large amounts of data can be stolen in one fell swoop. While some healthcare providers are looking towards advancements such as blockchain to secure patients’ information, many healthcare providers are trying to figure out how to connect more medical devices to secure networks to prevent these attacks.
Because of these large-scale breaches, many providers have seen a proliferation of IoT devices in the healthcare industry – while these devices are being developed, however, cyber terrorists are finding new, creative ways to overcome these often faulty tools. Unfortunately, the data industry and the healthcare sphere have been slow to respond to these attacks. Even though this is the case, many organizations have increased their security budgets, which has led to the thwarting of potentially massive attacks. By using some of the tools provided by IC System, groups have begun to adapt to the ever-changing cybersecurity sphere.
Though companies in the accounts receivable industry must be evaluated on a wide range of practices by clients and consumers, one consideration that stands high on that list is the ways in which such a company safeguards data. In an age where data breaches have become far too commonplace, the types of information utilized by these companies on a daily basis can ill-afford to be mishandled. Through a variety of stringent protocols and regulatory methodologies, IC System has established itself as a top performer in the realm of data security. Organizations seeking to establish such high-level methodologies themselves would do well to take a look at the ways in which the company has met its current level of operation.
Although there is a justified amount of cynicism felt by the cybersecurity community, there are also a number of technologies currently being developed to help curb the sheer number of attacks experienced by individuals and corporations alike. Although these emerging technologies will not completely curb these breaches, they may cause cyberterrorists to think twice before attacking the data of any given organization.
Although this may sound far-fetched or like something out of a science fiction movie, one emerging technology that could prove useful in the future is the creation of computer chips that can turn to dust once they have outlived their usefulness, or when there is still data on them that could be extracted by bad actors. Researchers at PARC have been working on this computer chip, which would self-destruct once it is no longer needed. This chip is a product of the Pentagon’s Defense Advanced Research Projects Agency, and aims to create a disappearing electronics platform that can be used on the “battlefield” of the cyber terror era. The chip functions normally until a small heating element triggers the electronic components of the chip to self-destruct. The chain reaction cracks the glass substrate, and could be triggered remotely in situations where information falls into enemy hands. This self-destructing capability also has the potential to be an eco-friendlier means of electronics production.
“Imagine being able to cover a large area, like the ocean floor, with billions of tiny sensors to ‘hear’ what is happening within the earth’s crust, and have them quickly disintegrate into, essentially, sand, leaving no trace and not harming the planet or sea life,” Sean Garner, PARC researcher and principal investigator on the DUST project, said in a 2014 statement.
In addition to this self-destructing chip, researchers are also aiming to build “zoos” to trap bad actors before more data can be accessed. When attacks begin, attackers often start by collecting data on the network to find other computers that can be accessed. Deceptive network technology aims to confuse these attackers’ search for data, while at the same time alerting business owners and IT professionals of the potential breach. These faux systems not only annoy hackers by wasting their time, but also lay booby-trapped files that could corrupt any attempts by hackers. Another startup called Shadow Networks uses software-defined networks and virtual systems to create “ghost towns” to trap attackers. Although this concept isn’t necessarily new, it has been refined so it can be easier to use.
“Unlike a honeypot…we coat the entire network in a thin layer of honey,” says David Hunt, vice president of marketing at one Israeli startup, illusive networks. “The attackers, not realizing that they are being observed, are not cleaning up after themselves yet, and so the customer can gain intelligence that they would not otherwise have.”
One final technique that is being adopted by players from across the cybersecurity sphere is the encryption of everything, everywhere. Because many security systems fail, many companies have to act like the intruder is already inside. Once this assumption is made, it is much easier for bodies to act in a preventative manner, as opposed to a reactionary one.
More about IC System at https://www.businesswire.com/news/home/20181108005801/en/IC-System-Receives-CFO-Year-Award