1/28/2013
04:43 PM
6 Steps To Better Customer Data Protection

Privacy isn't a concern just for the Googles and Facebooks of the world. Here are six ways small and midsize businesses (SMBs) can better protect their customers -- and themselves.

Monday was Data Privacy Day. Do you know where your customer information is?

If your answer is somewhere in the "no" to "sort of, for the most part" range, you've got work to do. Even if your answer is a resounding "yes," it might be time to revisit how you handle and protect customer information -- especially if those processes were developed a couple of years ago or more.

The penalties for poor data protection and privacy practices can be stiff, ranging from negative publicity and embarrassment to costly fines and lawsuits. The fallout can be broad. In a recent Harris Interactive poll sponsored by TRUSTe, 89% of U.S. consumers said they had avoided doing business with a company because of concerns about how it handled their online privacy.


As a result, behemoths like Google and Microsoft are paying plenty of attention to customer data protection and privacy issues -- it would simply be bad business if they didn't. Google, for one, used Data Privacy Day to explain how it handles government requests for user data. Such requests have been growing in volume lately. Yet protecting customer information isn't just a Fortune 500 issue; it affects companies of nearly all shapes and sizes.

In an interview with InformationWeek, Online Trust Alliance executive director and president Craig Spiezle shared six ways SMBs can polish their approach to data protection and privacy matters.

1. Make Customer Data More Than An IT Problem.

A common SMB approach to safeguarding customer information is to treat it as an IT responsibility. Fair enough, but too many SMBs treat it as only an IT responsibility, according to Spiezle. While IT is usually best suited to handle the technologies and technical processes involved in storing and securing data, it is often in the dark regarding how data is used and shared elsewhere in the organization. In fact, Spiezle said his recent work with the FBI and U.S. Secret Service revealed that confusion among company executives and employees is a regular roadblock in data-breach investigations.

"[SMBs] have to view data protection and privacy as a holistic, company-wide effort," Spiezle said. "If they only focus on it as an IT issue, they will most likely fail."

2. Reevaluate Your Data Encryption Practices.

Encrypting sensitive customer data might sound like a given in 2013. It's not. Failing to use encryption properly, Spiezle said, is a particularly high risk. An organization might encrypt customer data in certain states or process steps but fail to do so when it's in motion or in use on an employee's desktop, for example. Best practices and recommendations for encryption technologies will vary by business and industry; regulatory compliance like HIPAA or PCI will often have a heavy influence. Spiezle advises two global practices. First, if you haven't recently re-evaluated your encryption processes and technologies, they're probably not good enough. "Companies that were encrypted based on what standards were five years ago are easily broken into today," Spiezle said.

Second, Spiezle recommends whole-disk encryption instead of file-level encryption, especially for employees who work with customer data on their PCs or mobile devices. Whole-disk encryption, such as what's on offer for Apple's iOS or Microsoft's Windows, can help better protect against fallout from lost laptops and other hardware.

3. Consider Data Loss Prevention (DLP) Technologies.

Spiezle advises larger companies to begin to consider a data loss prevention (DLP) platform for rules-based data monitoring and tracking. Such technologies enable an administrator to automate and enforce certain policies governing the use and movement of customer data. For example, set a rule that prevents any files that include a social security number from being sent outside the company. "You're preventing either an accidental disclosure or an employee overtly sending data out to someone [outside] the company," Spiezle said.

By "larger" companies, Spiezle is not referring to headcount or revenue but to the amount of data you're dealing with. "I've seen companies with as little as 100 employees using [DLP]," Spiezle said. "Certainly, anyone that's dealing in [healthcare] or a securities business is probably already thinking about this." A related scenario where smaller companies might find a return on a DLP investment: service providers that count highly regulated industries and other high-risk businesses among their customers. For them, DLP might be a necessity to be deemed trustworthy.
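The rule Spiezle describes (block any file containing a social security number from leaving the company) is easy to see in miniature. The following is an added example, not code from the article or from any DLP product; the file names, contents and the "block/allow" decision format are constructed for illustration, and the plausibility check uses the Social Security Administration's published rules for numbers that are never issued.

```python
import re
from typing import Dict, List

# Constructed sample of outbound files that an SSN rule would inspect before
# they leave the company (none of this data is from the article).
OUTBOUND = {
    "quarterly_report.txt": "Revenue grew 12% in Q4. Call 555-0100 with questions.",
    "customer_export.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234 56 7890\n",
    "ticket_notes.txt": "Ticket 000-12-3456 and ref 666-11-2222 are not SSNs.",
}

# Three digit groups, optionally separated by '-' or ' ', not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues; this trims false positives on
    ticket numbers and other nine-digit strings."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # areas 000, 666 and 900-999 are never assigned
        return False
    return g != 0 and s != 0             # group 00 and serial 0000 are invalid

def find_ssns(text: str) -> List[str]:
    """Every plausible SSN in the text, in the form it appeared."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]

def redact(ssn: str) -> str:
    """Keep only the last four digits for the audit trail, e.g. '***-**-6789'."""
    return "***-**-" + ssn[-4:]

def evaluate_outbound(files: Dict[str, str]) -> Dict[str, dict]:
    """Apply the rule: a file containing any SSN is blocked, everything else is allowed.
    The audit entry stores a redacted sample so the DLP log is not itself a leak."""
    decisions = {}
    for name, content in files.items():
        hits = find_ssns(content)
        decisions[name] = {
            "action": "block" if hits else "allow",
            "ssn_count": len(hits),
            "audit_sample": [redact(h) for h in hits],
        }
    return decisions

if __name__ == "__main__":
    for name, d in evaluate_outbound(OUTBOUND).items():
        print(f"{d['action']:5}  {name}  {d['ssn_count']} SSN(s) {d['audit_sample']}")
```

A production DLP engine also inspects archives, images (via OCR) and encrypted attachments, which a plain-text regex cannot see; the example only shows the rule logic.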

4. Include Customer Privacy In Cloud Vendor Negotiations.

As SMBs adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be a part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: "We adhere to best practices to protect your data," or some version of that same claim. The problem, according to Spiezle: "That may not be good enough for your business, and you may really want to pressure [them on] that." Another example: A cloud vendor's general promise to notify you in the event of loss of sensitive information. The problem: "They may not really know what's sensitive to your customers or your markets," Spiezle said.

As a result, Spiezle encourages SMBs to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don't expect a warm response, though. "Vendors don't want to do one-off deals." Nonetheless, it's an important area to address. In the event of a data-related incident, your customers won't want to hear: "It's the cloud's fault."

5. Address The BYOD Issue.

Yes, bring-your-own-device (BYOD) is a customer data issue, too. Spiezle's in the camp that sees BYOD as inevitable. No matter your viewpoint, employee mobile devices add an order of magnitude of complexity to protecting customer information and privacy. A recent survey paid for by EVault found nearly one-third of U.S. employees had corporate data stored on their personal smartphones.

Spiezle recommends remote wiping capability as a key tool for managing the mobile-related risks. At bare minimum, he advised including a BYOD policy clause that requires employees to notify the company in the event of a lost or stolen device so that it can take steps to prevent data loss.

6. Retain Data Logs For Longer.

As a matter of process rather than technology, Spiezle recommends keeping data logs for things like firewalls or application servers for at least one year, if not longer. "What we find is a lot of administrators only keep them for 30 days, or they inadvertently shut them off when they're doing something [else]," Spiezle said. That can cause problems when trying to determine the cause of data-related incidents; Spiezle noted those incidents are often not discovered until after the fact.

"There's really no reason why you wouldn't want to keep your past 12 months of data in those logs," he said. "It's really important because it can help in forensics capability. It can also help detect abnormal behavior and patterns of someone who's attempting to breach your perimeter."
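Both failure modes Spiezle mentions, a 30-day retention window and logging that was switched off for a while, show up in a simple inventory audit. This is an added example, not code from the article; the log sources, the file dates and the one-year threshold are constructed to match the scenarios above, and the audit runs against a list of which daily log files still exist rather than against any particular logging product.

```python
from datetime import date, timedelta

TODAY = date(2013, 1, 28)      # the article's publication date, used as "now"
RETENTION_DAYS = 365           # the one-year minimum recommended above

def daily_dates(start, end, skip=()):
    """Constructed helper: one entry per day from start to end, minus days in `skip`."""
    out, d = [], start
    while d <= end:
        if d not in skip:
            out.append(d)
        d += timedelta(days=1)
    return out

# Constructed inventory: the dates of the daily log files still on disk, per source.
# firewall: 400 days kept, but a 9-day hole where logging was inadvertently shut off;
# appserver: only the last 30 days retained; vpn: a full year with no holes.
GAP = {date(2012, 6, 10) + timedelta(days=i) for i in range(9)}
INVENTORY = {
    "firewall":  daily_dates(TODAY - timedelta(days=400), TODAY, skip=GAP),
    "appserver": daily_dates(TODAY - timedelta(days=30), TODAY),
    "vpn":       daily_dates(TODAY - timedelta(days=365), TODAY),
}

def find_gaps(dates):
    """Return (first_missing_day, last_missing_day) for each hole between consecutive files."""
    gaps = []
    for prev, nxt in zip(dates, dates[1:]):
        if (nxt - prev).days > 1:
            gaps.append((prev + timedelta(days=1), nxt - timedelta(days=1)))
    return gaps

def retention_report(inventory, today=TODAY, required_days=RETENTION_DAYS):
    """Flag each source that keeps less than the required window or has holes inside it."""
    report = {}
    window_start = today - timedelta(days=required_days)
    for source, dates in inventory.items():
        dates = sorted(dates)
        days_retained = (today - dates[0]).days
        gaps = find_gaps([d for d in dates if d >= window_start])
        report[source] = {
            "days_retained": days_retained,
            "gaps": [(g[0].isoformat(), g[1].isoformat()) for g in gaps],
            "compliant": days_retained >= required_days and not gaps,
        }
    return report

if __name__ == "__main__":
    for source, result in retention_report(INVENTORY).items():
        print(source, result)
```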


Drew Conry-Murray
Drew Conry-Murray,
1/29/2013 | 10:16:58 PM
re: 6 Steps To Better Customer Data Protection
As an addendum to point 3 about DLP, the technology is also useful as an internal auditing tool. IT probably has a good idea about the primary locations of sensitive data, but an internal review with a good tool will also likely reveal data caches that IT didn't anticipate.

Drew Conry-Murray
Editor, Network Computing