1/28/2013 04:43 PM
6 Steps To Better Customer Data Protection

Privacy isn't a concern just for the Googles and Facebooks of the world. Here are six ways small and midsize businesses (SMBs) can better protect their customers -- and themselves.

Monday was Data Privacy Day. Do you know where your customer information is?

If your answer is somewhere in the "no" to "sort of, for the most part" range, you've got work to do. Even if your answer is a resounding "yes," it might be time to revisit how you handle and protect customer information -- especially if those processes were developed a couple of years ago or more.

The penalties for poor data protection and privacy practices can be stiff, ranging from negative publicity and embarrassment to costly fines and lawsuits. The fallout can be broad. In a recent Harris Interactive poll sponsored by TRUSTe, 89% of U.S. consumers said they had avoided doing business with a company because of concerns about how it handled their online privacy.

[ Do companies share too much customer data? Read FTC Sets Consumer Data Collection Limits. ]

As a result, behemoths like Google and Microsoft are paying plenty of attention to customer data protection and privacy issues -- it would simply be bad business if they didn't. Google, for one, used Data Privacy Day to explain how it handles government requests for user data. Such requests have been growing in volume lately. Yet protecting customer information isn't just a Fortune 500 issue; it affects companies of nearly all shapes and sizes.

In an interview with InformationWeek, Online Trust Alliance executive director and president Craig Spiezle shared six ways SMBs can polish their approach to data protection and privacy matters.

1. Make Customer Data More Than An IT Problem.

A common SMB approach to safeguarding customer information is to treat it as an IT responsibility. Fair enough, but too many SMBs treat it as only an IT responsibility, according to Spiezle. While IT is usually best suited to handle the technologies and technical processes involved in storing and securing data, it is often in the dark regarding how data is used and shared elsewhere in the organization. In fact, Spiezle said his recent work with the FBI and U.S. Secret Service revealed that confusion among company executives and employees is a regular roadblock in data-breach investigations.

"[SMBs] have to view data protection and privacy as a holistic, company-wide effort," Spiezle said. "If they only focus on it as an IT issue, they will most likely fail."

2. Reevaluate Your Data Encryption Practices.

Encrypting sensitive customer data might sound like a given in 2013. It isn't, and failing to use encryption properly, Spiezle said, is a particularly high risk. An organization might encrypt customer data in certain states or process steps, at rest in a database, say, but fail to do so when it's in motion across the network or in use on an employee's desktop. Best practices and recommendations for encryption technologies will vary by business and industry; regulatory regimes such as HIPAA or PCI DSS will often have a heavy influence. Spiezle advises two global practices. First, if you haven't recently re-evaluated your encryption processes and technologies, they're probably not good enough. "Companies that were encrypted based on what standards were five years ago are easily broken into today," Spiezle said.

Second, Spiezle recommends whole-disk encryption instead of file-level encryption, especially for employees who work with customer data on their PCs or mobile devices. Whole-disk encryption, such as BitLocker on Windows or the built-in device encryption on Apple's iOS, can better protect against the fallout from lost laptops and other hardware. One caveat to keep in mind: whole-disk encryption protects a device that is powered off or locked. Once the device has been unlocked, the operating system and any malware running on it see plaintext, so it complements rather than replaces access controls, patching and the data-in-use concerns above. It also only holds if the key is protected by a strong passphrase or a hardware-backed credential rather than stored unprotected on the device.
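How to check that the policy actually holds on an endpoint, as an added example that is not part of the article or the Online Trust Alliance's material: the script below reads the JSON output of util-linux's lsblk (so it assumes Linux endpoints, which the article does not mention; the two device trees are constructed samples) and reports which of the required mount points are not backed by a dm-crypt device. On Windows the equivalent question is answered by BitLocker's manage-bde -status, which is not parsed here.

```python
"""Check whether the filesystem holding a given mount point sits on an
encrypted block device, using the JSON output of `lsblk`.

Added example for this page, not code from the article or the Online Trust
Alliance. Assumes Linux endpoints running util-linux's `lsblk`, which the
article does not name; the two device trees below are constructed samples.
"""
import json
import subprocess
from typing import Iterable, Optional

# Constructed sample: laptop whose root and home filesystems are LVM volumes
# inside a LUKS container (shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`).
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]})

# Constructed sample: the same layout with no encryption layer at all.
PLAINTEXT_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "mountpoint": "/home"}]}]})


def _walk(nodes, ancestors=()):
    """Yield (node, ancestor_types) for every device in the lsblk tree."""
    for node in nodes:
        yield node, ancestors
        yield from _walk(node.get("children", []), ancestors + (node.get("type"),))


def mountpoint_is_encrypted(lsblk_json: str, mountpoint: str) -> Optional[bool]:
    """True if the device mounted at `mountpoint` is, or sits on top of, a
    dm-crypt ('crypt') device; False if not; None if the mount point is absent."""
    tree = json.loads(lsblk_json)["blockdevices"]
    for node, ancestor_types in _walk(tree):
        if node.get("mountpoint") == mountpoint:
            return "crypt" in ancestor_types or node.get("type") == "crypt"
    return None


def unencrypted_mounts(lsblk_json: str, required: Iterable[str]) -> list:
    """Mount points from `required` that are present but not backed by an
    encrypted device: the list a compliance check would flag."""
    return [m for m in required if mountpoint_is_encrypted(lsblk_json, m) is False]


def audit_this_host(required=("/", "/home")) -> list:
    """Run lsblk on the local machine and report unencrypted required mounts."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out, required)


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("plaintext", PLAINTEXT_LAPTOP)):
        print(label, "-> unencrypted mounts:", unencrypted_mounts(sample, ("/", "/home")))
```

Run as a script it prints the verdict for the two samples; `audit_this_host()` runs lsblk on the machine it is executed on. The EFI system partition is expected to be plaintext, which is why only data-bearing mount points are listed as required.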

3. Consider Data Loss Prevention (DLP) Technologies.

Spiezle advises larger companies to begin to consider a data loss prevention (DLP) platform for rules-based data monitoring and tracking. Such technologies let an administrator automate and enforce policies governing the use and movement of customer data: for example, a rule that prevents any file containing a Social Security number from being sent outside the company. "You're preventing either an accidental disclosure or an employee overtly sending data out to someone [outside] the company," Spiezle said.

By "larger" companies, Spiezle is not referring to head count or revenue but to the amount of data you're dealing with. "I've seen companies with as little as 100 employees using [DLP]," Spiezle said. "Certainly, anyone that's dealing in [healthcare] or a securities business is probably already thinking about this." A related scenario where smaller companies might find a return on a DLP investment: service providers that count highly regulated industries and other high-risk businesses among their customers. For them, DLP may be a prerequisite for being deemed trustworthy.

4. Include Customer Privacy In Cloud Vendor Negotiations.

As SMBs adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be a part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: "We adhere to best practices to protect your data," or some version of that same claim. The problem, according to Spiezle: "That may not be good enough for your business, and you may really want to pressure [them on] that." Another example: A cloud vendor's general promise to notify you in the event of loss of sensitive information. The problem: "They may not really know what's sensitive to your customers or your markets," Spiezle said.

As a result, Spiezle encourages SMBs to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don't expect a warm response, though. "Vendors don't want to do one-off deals." Nonetheless, it's an important area to address. In the event of a data-related incident, your customers won't want to hear: "It's the cloud's fault."

5. Address The BYOD Issue.

Yes, bring-your-own-device (BYOD) is a customer data issue, too. Spiezle is in the camp that sees BYOD as inevitable. Whatever your viewpoint, employee-owned mobile devices make protecting customer information and privacy an order of magnitude harder. A recent survey paid for by EVault found nearly one-third of U.S. employees had corporate data stored on their personal smartphones.

Spiezle recommends remote wiping capability as a key tool for managing the mobile-related risks. At a bare minimum, he advised including a BYOD policy clause that requires employees to notify the company in the event of a lost or stolen device so that it can take steps to prevent data loss.

6. Retain Data Logs For Longer.

As a matter of process rather than technology, Spiezle recommends keeping logs from firewalls, application servers and the like for at least one year, if not longer. "What we find is a lot of administrators only keep them for 30 days, or they inadvertently shut them off when they're doing something [else]," Spiezle said. That causes problems when trying to determine the cause of data-related incidents; Spiezle noted that such incidents are often not discovered until well after the fact, by which time a 30-day window has already rolled over.

"There's really no reason why you wouldn't want to keep your past 12 months of data in those logs," he said. "It's really important because it can help in forensics capability. It can also help detect abnormal behavior and patterns of someone who's attempting to breach your perimeter."
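To make the retention advice checkable, here is an added example (my code, not the article's or the Online Trust Alliance's) that runs three checks over an exported firewall log: whether the oldest retained entry really reaches back 12 months, whether there is a long stretch with no entries at all (the "inadvertently shut off" case), and whether any source shows the port-probing pattern the quote describes. The syslog-style line format and every line in the sample are constructed, not a particular vendor's; the sample deliberately has a 3-day retention shortfall, a 135-day silence and one source probing six ports in four seconds.

```python
"""Checks over retained firewall logs: does the retained window really cover
the 12 months recommended above, was logging silently switched off for a
stretch, and which sources show a port-probing pattern.

Added example for this page, not code from the article or the Online Trust
Alliance. The syslog-style line format and every log line below are
constructed samples, not a specific firewall vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; a real year of firewall logs would be far larger.
SAMPLE_LOG = """\
2012-02-01T10:15:02Z fw1 DENY TCP 198.51.100.7:41022 -> 203.0.113.10:22
2012-06-10T08:01:11Z fw1 ALLOW TCP 198.51.100.7:41023 -> 203.0.113.10:443
2012-09-14T08:01:11Z fw1 DENY TCP 198.51.100.7:41024 -> 203.0.113.10:23
2013-01-27T22:10:01Z fw1 DENY TCP 192.0.2.55:50000 -> 203.0.113.10:21
2013-01-27T22:10:02Z fw1 DENY TCP 192.0.2.55:50001 -> 203.0.113.10:22
2013-01-27T22:10:02Z fw1 DENY TCP 192.0.2.55:50002 -> 203.0.113.10:23
2013-01-27T22:10:03Z fw1 DENY TCP 192.0.2.55:50003 -> 203.0.113.10:25
2013-01-27T22:10:04Z fw1 DENY TCP 192.0.2.55:50004 -> 203.0.113.10:80
2013-01-27T22:10:05Z fw1 DENY TCP 192.0.2.55:50005 -> 203.0.113.10:443
2013-01-28T09:00:00Z fw1 ALLOW TCP 198.51.100.7:41025 -> 203.0.113.10:443
this line is deliberately malformed and must be skipped, not crash the parser
"""

# "Now" for the retention check: the article's own timestamp, 2013-01-28 16:43.
ARTICLE_TIME = datetime(2013, 1, 28, 16, 43)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def parse_log(text):
    """All well-formed events, oldest first."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    return sorted(events, key=lambda e: e["ts"])


def retention_shortfall_days(events, now, required_days=365):
    """Days by which the oldest retained entry misses `now - required_days`.
    0 means the required window is covered."""
    if not events:
        return required_days
    required_start = (now - timedelta(days=required_days)).date()
    return max(0, (events[0]["ts"].date() - required_start).days)


def longest_silence_days(events):
    """Longest run of days with no entries at all. A firewall that normally
    logs every day but goes quiet for months was probably switched off."""
    gaps = [(b["ts"].date() - a["ts"].date()).days for a, b in zip(events, events[1:])]
    return max(gaps, default=0)


def port_scan_sources(events, min_ports=5, window=timedelta(seconds=60)):
    """Sources whose denied connections touch at least `min_ports` distinct
    destination ports inside any `window`; maps source -> max distinct ports."""
    by_src = defaultdict(list)
    for ev in events:  # events arrive oldest first, so each list stays ordered
        if ev["action"] == "DENY":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        best = 0
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("retention shortfall (days):", retention_shortfall_days(events, ARTICLE_TIME))
    print("longest silence (days):", longest_silence_days(events))
    print("probable port scanners:", port_scan_sources(events))
```

The retention and silence checks work at day granularity on purpose: the question is whether whole days of history are missing, not whether a boundary entry is a few hours off. The scan detector only looks at denied connections, so a legitimate client that opens several allowed services is not flagged.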

Drew Conry-Murray, User Rank: Ninja
1/29/2013 | 10:16:58 PM
re: 6 Steps To Better Customer Data Protection
As an addendum to point 3 about DLP, the technology is also useful as an internal auditing tool. IT probably has a good idea about the primary locations of sensitive data, but an internal review with a good tool will also likely reveal data caches that IT didn't anticipate.

Drew Conry-Murray
Editor, Network Computing
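The rule in step 3 (stop files carrying a Social Security number from leaving the company) and the internal-audit use of DLP that Drew describes above both need the same detector, so one added example covers both. This is my code, not the article's, the commenter's or any DLP product's: an SSN matcher that applies the SSA's structural validity rules to cut false positives, an outbound-mail check built on it, and a file audit over a constructed set of files. The internal domain, the messages and the file contents are constructed samples.

```python
"""DLP-style rule from the text: find U.S. Social Security numbers in
content, block outbound mail that carries one, and audit a set of files for
caches that sit outside the sanctioned store.

Added example for this page, not code from the article or any DLP product.
The structural validity rules are the SSA's published ones; the internal
domain, mail messages and file contents below are constructed samples."""
import re
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain

# 3-2-4 digits with a consistent separator ('-', ' ' or none), not embedded in
# a longer digit run. Mixed separators ("545-12 3456") are not matched.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Numbers the SSA lists as never issued (they appeared in advertising).
NEVER_ISSUED = {"078-05-1120", "219-09-9999"}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never assigned,
    and neither group 00 nor serial 0000 is. Rejecting these cuts false
    positives from order numbers and other nine-digit identifiers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" not in NEVER_ISSUED


def find_ssns(text: str) -> List[str]:
    """Plausible SSNs in `text`, each in canonical 'AAA-GG-SSSS' form."""
    found = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def outbound_verdict(message: dict) -> dict:
    """The rule described in the text: a message with an SSN may not leave the
    company. Internal mail passes; mail to any external recipient is blocked
    if subject or body contains a plausible SSN. (A production DLP engine
    would also open attachments; this example checks text only.)"""
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = find_ssns(message.get("subject", "") + "\n" + message.get("body", ""))
    action = "block" if external and hits else "allow"
    return {"action": action, "external": external, "ssn_count": len(hits)}


def audit_files(files: Dict[str, str]) -> Dict[str, int]:
    """Count plausible SSNs per file; files with none are omitted. Run over a
    real tree this is the internal-audit use of DLP: it surfaces copies of
    customer data in places IT did not expect."""
    counts = {path: len(find_ssns(content)) for path, content in files.items()}
    return {path: n for path, n in counts.items() if n}


# Constructed samples. 545-12-3456 and 401-33-0071 are structurally valid;
# 987654321 (area >= 900) and 000-12-3456 (area 000) are not.
SAMPLE_FILES = {
    "/srv/crm/customers.csv": "id,name,ssn\n1,Ann,545-12-3456\n2,Bob,401-33-0071\n",
    "/home/dana/Downloads/export (1).csv": "Bob,401 33 0071\nCara,401-33-0071\n",
    "/var/www/orders.log": "order 987654321 shipped; refund 000-12-3456; contact 545-12-3456",
    "/etc/motd": "Welcome. For help call ext 5550-1234.\n",
}
SAMPLE_MESSAGES = {
    "external_with_ssn": {"to": ["partner@other.example"], "subject": "Account",
                          "body": "Customer SSN 545-12-3456, see attached."},
    "internal_with_ssn": {"to": ["hr@example.com"], "subject": "Onboarding",
                          "body": "New hire SSN 545-12-3456."},
    "external_clean": {"to": ["partner@other.example"], "subject": "Invoice",
                       "body": "PO 987654321 shipped."},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, "->", outbound_verdict(msg)["action"])
    print("files holding SSNs:", audit_files(SAMPLE_FILES))
```

The validity filter is what keeps a rule like this usable: without it, every nine-digit order number or phone fragment trips the block and users learn to route around the control. The audit over the sample files shows the pattern Drew points at, a sanctioned CRM export plus a copy in a user's Downloads folder and a stray web log that nobody listed as holding customer data.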