Best Practices for Protecting Customer Data in Service

As the threat of being breached increases, it becomes more imperative for companies to take precautions to protect their customers and their business.

Home Depot has agreed to pay $19.5 million as compensation for a 2014 consumer data breach that affected over 50 million cardholders, including $13 million in reimbursement and $6.5 million for identity protection services. As this illustrates, data breaches can be expensive for businesses.

Home Depot’s breach was one of 783 U.S. data breaches recorded in 2014, 263 of them at organizations in the business sector, according to the Identity Theft Resource Center. The ITRC counted 312 business-sector breaches in 2015, up from 263 the year before.

Here are some steps you can take to reduce your risk of being breached.

Make Data Protection a Company Priority

One common mistake is treating security as exclusively an IT-department problem, says Online Trust Alliance Chairman Craig Spiezle. IT staff may be strong on the technical side of data protection, he notes, but they often do not know how people outside IT actually handle data day to day.

Instead, top management should work with IT to establish company-wide policies that fit the company’s business goals, industry standards and customer service commitments.

Optimize Your Encryption

Another problem is that companies rely on outdated encryption, Spiezle says. A High-Tech Bridge survey published in December 2015, for example, found that 90 percent of the largest public email service providers relied on insecure or outdated encryption methods, leaving the data they carry at risk.

Have your IT department review your encryption policy regularly and retire deprecated protocol versions, cipher suites and hash functions as they are broken, rather than waiting for an audit to flag them. Current encryption best practices, says technical architect Kaushik Pal, include decentralized encryption under central key management (keys are generated and controlled in one place, while the encryption itself runs wherever the data lives) and support for multiple encryption mechanisms, so that an algorithm can be replaced without redesigning the system.
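The pattern Pal describes, central key management with distributed execution, is usually implemented as envelope encryption: each record is encrypted locally under its own data-encryption key (DEK), and only the DEK is sent to the central key service to be wrapped under a key-encryption key (KEK) that never leaves that service. The following is an added example (not code from the article or from any product it mentions) in Go using AES-256-GCM from the standard library. The KeyService type, its method names and the record context strings are assumptions standing in for a real KMS or HSM API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService stands in for the central key manager (an HSM or KMS in production):
// it holds the key-encryption key (KEK) and never releases it. Hypothetical name.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256 KEK; a real KMS generates this inside the HSM
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with AES-256-GCM, binds aad to the ciphertext; output is nonce || ciphertext || tag.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // random 96-bit nonce, never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; any change to ciphertext, tag or aad is rejected.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// WrapDataKey runs at the key service: the DEK is wrapped under the KEK with the
// record context as AAD, so a wrapped key cannot be replayed for another record.
func (ks *KeyService) WrapDataKey(dek []byte, context string) ([]byte, error) {
	return sealWith(ks.kek, dek, []byte(context))
}

// UnwrapDataKey is the only path back to a plaintext DEK; the KEK itself never leaves.
func (ks *KeyService) UnwrapDataKey(wrapped []byte, context string) ([]byte, error) {
	return openWith(ks.kek, wrapped, []byte(context))
}

// Record is what an application node stores; the wrapped DEK travels with the data.
type Record struct {
	Context    string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord runs on the application node (distributed execution): a fresh DEK
// per record, data sealed locally, and only the DEK sent to the key service to wrap.
func EncryptRecord(ks *KeyService, context string, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealWith(dek, plaintext, []byte(context))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDataKey(dek, context)
	if err != nil {
		return nil, err
	}
	return &Record{Context: context, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the key service for the DEK, then decrypts locally.
func DecryptRecord(ks *KeyService, r *Record) ([]byte, error) {
	dek, err := ks.UnwrapDataKey(r.WrappedDEK, r.Context)
	if err != nil {
		return nil, err
	}
	return openWith(dek, r.Ciphertext, []byte(r.Context))
}
```

To exercise it, create a KeyService, call EncryptRecord with a context such as "customer:42", and DecryptRecord the result; changing the record’s Context or any ciphertext byte before decrypting makes the GCM tag check fail. Swapping in a different algorithm means changing only newGCM and the wrapped-key format, which is the "multiple encryption mechanisms" property the text asks for.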

Use Data Loss Prevention Technology

Spiezle also recommends data loss prevention (DLP) technology to define and enforce automated rules for handling customer data. For instance, a rule can block any file containing a Social Security number from being sent outside the company. Rules built on a pattern alone generate false positives (invoice or reference numbers that happen to fit), so a usable rule validates each match and exempts legitimate internal traffic before it blocks anything.

A DLP solution lets you implement a comprehensive set of policies for data in use, in motion and at rest, keyed to specific criteria such as content, recipient and storage location. The SANS Institute and Securosis.com publish a guide to selecting a DLP solution.
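The SSN rule described above, as an added example in Go (not code from the article or from any DLP product): it finds dashed SSNs, validates each match against the Social Security Administration’s structural rules to cut false positives, and blocks a message only when some recipient is outside the company. The internal domain list, the sample message and the attachment contents are constructed for the demo; a real deployment would plug the same logic into the mail gateway or endpoint agent.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ssnPattern matches the dashed SSN form only. The form alone also matches
// invoice and ticket numbers, so every hit is validated structurally below.
var ssnPattern = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)

// validSSN applies the Social Security Administration's structural rules:
// area 000, 666 and 900-999 are never issued, nor are group 00 or serial 0000.
func validSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	g, _ := strconv.Atoi(group)
	s, _ := strconv.Atoi(serial)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return g != 0 && s != 0
}

// FindSSNs returns every structurally valid SSN in content.
func FindSSNs(content string) []string {
	var found []string
	for _, m := range ssnPattern.FindAllStringSubmatch(content, -1) {
		if validSSN(m[1], m[2], m[3]) {
			found = append(found, m[0])
		}
	}
	return found
}

// internalDomains is a hypothetical allow-list; any other recipient domain
// counts as "outside the company".
var internalDomains = map[string]bool{"example.com": true}

func isExternal(addr string) bool {
	at := strings.LastIndex(addr, "@")
	return at < 0 || !internalDomains[strings.ToLower(addr[at+1:])]
}

// Verdict is the rule's decision plus the reason recorded for the audit log.
type Verdict struct {
	Block  bool
	Reason string
}

// EvaluateOutbound enforces "no file containing an SSN leaves the company":
// a message is blocked only if some recipient is external and the body or an
// attachment carries a valid SSN. attachments maps file name to content.
func EvaluateOutbound(recipients []string, body string, attachments map[string]string) Verdict {
	external := false
	for _, r := range recipients {
		if isExternal(r) {
			external = true
			break
		}
	}
	if !external {
		return Verdict{Block: false, Reason: "all recipients internal"}
	}
	if n := len(FindSSNs(body)); n > 0 {
		return Verdict{Block: true, Reason: fmt.Sprintf("%d SSN(s) in message body", n)}
	}
	for name, content := range attachments {
		if n := len(FindSSNs(content)); n > 0 {
			return Verdict{Block: true, Reason: fmt.Sprintf("%d SSN(s) in attachment %q", n, name)}
		}
	}
	return Verdict{Block: false, Reason: "no SSNs found"}
}

func main() {
	// Constructed sample message: one real-looking SSN and one number that only looks like one.
	body := "Refund for customer 123-45-6789 approved. Ticket ref 000-12-3456."
	fmt.Println(FindSSNs(body))
	fmt.Println(EvaluateOutbound([]string{"partner@vendor.example"}, body, nil))
	fmt.Println(EvaluateOutbound([]string{"bob@example.com"}, body, nil))
}
```

The word-boundary anchors keep the pattern from firing inside longer digit runs, and the structural check drops the ticket reference while still catching the genuine SSN; the same message to an internal colleague is allowed, which is the exemption that keeps a rule like this from blocking normal work.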

Include Privacy in Third-party Vendor Contracts

Another step is negotiating enhanced privacy terms with third-party cloud vendors and app providers. Cloud vendor contracts tend to be standardized and vague, which keeps the service efficient but also leaves the vendor without responsibility for representations or warranties, and can put the customer company in violation of applicable laws.

Have your legal team review the cloud contract against your industry’s privacy regulations; if you need additional terms, negotiate a more specific arrangement that spells out where data is stored, who can access it and how the vendor reports a breach.

Establish an Effective BYOD Policy

Your customers’ data is only as safe as your most vulnerable employee, and when employees bring their own devices the attack surface multiplies: every unmanaged phone or laptop that holds customer data is a potential point of loss.

Cyber risk expert Jeffrey Stark recommends a comprehensive BYOD policy that assigns different access levels to different users, installs data protection software on employee devices, keeps an external backup of sensitive information and includes regular network risk assessments.

Business owners may also hold sensitive company data on their personal devices, and an identity protection service such as LifeLock can help limit the damage if that identity is misused. Such a service monitors for misuse of the owner’s identity rather than securing the device itself, so it complements, rather than replaces, device encryption and the BYOD controls above.

Retain Data Logs

Two-thirds of data breaches are not discovered until a month or more after they occur, and 70 percent are discovered by an external third party. Keeping logs longer gives you a better chance to discover a breach and to reconstruct how it happened and what was taken. Retaining logs for at least a year is a best practice, Spiezle says. Retention only helps if the logs survive the breach and are actually reviewed: ship them off the systems they describe so an intruder cannot edit or delete them, and monitor them rather than merely store them.
