Protecting customer data: Risks, requirements, and how to keep your company secure
One area in which this is especially true is personal data. Organizations in virtually every industry are now data aggregators, meaning that they collect and store data on customers, clients, patients, employees, and others. At the same time, a whole new business model has been created by data management, processing, and storage organizations. Data is extremely valuable to the organizations that have it — and to fraudulent third parties that can sell it.
Technology has rendered this data more accessible, and thus more vulnerable, resulting in the regulation of personal information on state, federal, and international levels. Organizations can take steps to secure their data, but they need to know what real security looks like and how to avoid potential pitfalls.
Difficult lessons learned
Since the pandemic, cyberattacks have continued to increase against organizations of all sizes and levels of complexity. In a breach of Medibank, an Australian health care provider, more than 9 million customers’ health information was compromised, leading to millions in losses. In a breach of DoorDash, a food delivery service, more than 4.9 million customers’ personally identifiable information (PII) was compromised, and some customers’ credit card information was obtained as well. Of course, these numbers don’t reflect the significant damage to each company’s reputation.
The average cost of a data breach increased 12.7% from 2020 to 2022, reaching $4.35 million globally.
Regardless of an organization’s size or complexity, it can be the victim of a data breach. In the U.S., the average cost of a data breach has reached a staggering $9.45 million, driven by a lack of internal security controls. 83% of organizations have had more than one data breach. Even highly regulated industries, such as healthcare, are suffering data breaches at a dramatic rate. As the amount of digital content expands, the potential for future breaches grows with it.
PCI DSS audit
To protect customers’ credit card data, the Payment Card Industry (PCI), which was formed by major credit card brands, has created a set of 12 requirements, known as the Data Security Standard (DSS), with which all organizations that process, transmit, or store credit card data must comply. These standards focus on areas such as network security, vulnerability management programs, control measures, and monitoring and testing for security. Smaller organizations may validate compliance internally, but larger organizations must hire a Qualified Security Assessor (QSA) to perform the validation. Noncompliance can result in heavy fines and even the loss of ability to accept credit cards.
There are many, at times too many, security compliance initiatives driven by different industry segments and markets, and most organizations don’t know where to start. Initiatives an organization may pursue include becoming ISO 27001 certified or obtaining a Service Organization Control (SOC) report covering security, availability, confidentiality, processing integrity, or privacy. Others include HIPAA, NIST 800-53, Cloud Security Alliance compliance, and many more. Regardless of the direction the business takes, being compliant doesn’t mean the business is secure.
Compliance versus security
A business that passes a PCI DSS or SOC audit with flying colors may still be vulnerable to a security breach. These audits verify only minimum security requirements and are focused more on protecting customer data than on protecting the company. (For example, if customer data is stored in a separately segmented network, the company’s own internal network might fall outside the audit’s scope entirely.) In addition, these audits, as the 2013 Target breach showed, do not heavily cover the third-party vendors that can put organizations at risk.
Organizations should also consider their legal position in the event of a breach and understand that compliance with PCI DSS or SOC requirements might not necessarily strengthen it. Local law takes precedence over data security requirements and regulation, which is a significant issue for organizations working with internationally based vendors and buyers.
To be truly secure, organizations must start by covering the basics, including network security, best practices, hardening guidelines, and internal network security assessments.
Because a good part of security risk originates with end users, organizations can further protect themselves by providing security awareness training and policies for all staff members, along with additional best-practice training for IT staff.
Organizations should also put in place strong master service agreements (MSAs) and service-level agreements (SLAs) that spell out IT security requirements, and request independent audits of third-party providers.
Finally, organizations should regularly review the 20 principles for IT security developed by the SANS Institute. These principles include ensuring secure configurations on all devices, defending against malware, conducting security skills assessments and training, maintaining audit logs, and practicing secure network engineering.
Steps to security
In today’s technology-driven business world, data security is something no company can afford to ignore. Keep in mind the following principles and guidelines when considering your company’s data security:
- If you store or transmit sensitive data, you’re at risk.
- A single breach can cost considerable time, money, and damage to your company’s reputation.
- You may be required to comply with PCI DSS requirements, but doing so doesn’t necessarily ensure your business is secure.
- Start with the basics for network security.
- Provide security best-practice/awareness training for IT staff and all staff members.
- Consider the risks posed by third-party vendors and take steps to neutralize them.
- Familiarize yourself with the SANS Institute principles.