Strengthen Your Company’s Risk Management Program with a Proven Approach to Data Security

June 2019

Protecting sensitive information and mitigating cyber risk is an enormous and persistent challenge for businesses, in part because every communications tool used to conduct normal business presents a clear risk. According to a recent Egress study on data privacy, 79 percent of IT leaders in the U.S. believe employees have inadvertently put sensitive customer data at risk in the last 12 months, and 60 percent expect it to happen again in the next 12 months. As the tools for information-sharing among employees become ubiquitous, so do the vulnerabilities to data breaches. 

The good news is that there are effective, time-tested tools and processes available to help strengthen a company’s data privacy and information controls. Public key infrastructure, or PKI, is an approach for authenticating users and devices in the digital world. The idea is that an independent third party, called a certification authority (CA), digitally signs a document certifying that a particular cryptographic “key” belongs to a specific user or device. The certified key can then be used to verify the identity of an individual or entity that is sending or receiving information in a digital network, adding a layer of assurance to digital communications and transactions.
 

A Proven Approach

The PKI approach is not new, and it has been enhanced over the years with programs that help enforce performance standards among CAs. For example, WebTrust for Certification Authorities was created in 2000 to boost consumer confidence in e-commerce and in the application of PKI technology. At that time, it was broadly written for any type of CA. In 2005, the Certification Authority Browser Forum (CABF) was created and adopted WebTrust for Certification Authorities for internet browsers. Specialized needs of CABF led to the development of other services that expanded the original criteria to focus on specific needs for the internet browser community, including baseline requirements, network security requirements, extended validation, code signing, and publicly trusted code signing. The latest version of WebTrust for Certification Authorities was released March 1, 2019.
 

WebTrust for CA Adoption Grows

WebTrust for CA is being adopted more widely as additional industry-specific needs arise. Some early adopters include financial services companies, as they house sensitive personal and corporate financial information. Industries in the pipeline for additional WebTrust for CA adoption include manufacturing, where Industry 4.0 is transforming the interconnectivity between humans, machines and data, and there is a need to protect communications among third parties in the supply chain. Healthcare, where information is prevalent and confidentiality is paramount, would also benefit, as would the government sector, which faces frequent cyber threats.
 

Getting Started

To implement a CA, the first step is to assess organizational readiness. The next step, building the infrastructure, is an investment, but some companies may already have some of the foundational elements in place and won’t need to start from scratch. For example, some companies already have a “root key,” which is central to the PKI described earlier, and some have an information security framework similar to CA, requiring only incremental efforts to complete a WebTrust audit.

When building infrastructure, it is important to have the basics of WebTrust for CA established before PKI operations begin. An organization commonly lays out how its setup will be handled in a proof-of-concept document outlining its strategy. Ultimately, once the organization passes the audit, it receives a Trust Services Seal indicating that its controls are properly designed and that it is in compliance.

Certification Authorities are proven concepts, but they are not yet in widespread use, in part because they are not mandated by law. However, protecting information and data is essential and should be a key part of any risk management strategy. Every company should review its information security procedures and consider a WebTrust for CA assessment.

To learn more about the comprehensive audit, third-party attestation and cybersecurity services BDO provides, please contact a BDO professional.
 

CONTACT

Jeff Ward
Third-Party Attestation National Managing Partner