6 Steps To Better Customer Data Protection

Privacy isn't a concern just for the Googles and Facebooks of the world. Here are six ways small and midsize businesses (SMBs) can better protect their customers -- and themselves.

Monday was Data Privacy Day. Do you know where your customer information is?

If your answer is somewhere in the "no" to "sort of, for the most part" range, you've got work to do. Even if your answer is a resounding "yes," it might be time to revisit how you handle and protect customer information -- especially if those processes were developed a couple of years ago or more.

The penalties for poor data protection and privacy practices can be stiff, ranging from negative publicity and embarrassment to costly fines and lawsuits. The fallout can be broad. In a recent Harris Interactive poll sponsored by TRUSTe, 89% of U.S. consumers said they had avoided doing business with a company because of concerns about how it handled their online privacy.


As a result, behemoths like Google and Microsoft are paying plenty of attention to customer data protection and privacy issues -- it would simply be bad business if they didn't. Google, for one, used Data Privacy Day to explain how it handles government requests for user data. Such requests have been growing in volume lately. Yet protecting customer information isn't just a Fortune 500 issue; it affects companies of nearly all shapes and sizes.

In an interview with InformationWeek, Online Trust Alliance executive director and president Craig Spiezle shared six ways SMBs can polish their approach to data protection and privacy matters.

1. Make Customer Data More Than An IT Problem.

A common SMB approach to safeguarding customer information is to treat it as an IT responsibility. Fair enough, but too many SMBs treat it as only an IT responsibility, according to Spiezle. While IT is usually best suited to handle the technologies and technical processes involved in storing and securing data, it is often in the dark regarding how data is used and shared elsewhere in the organization. In fact, Spiezle said his recent work with the FBI and U.S. Secret Service revealed that confusion among company executives and employees is a regular roadblock in data-breach investigations.

"[SMBs] have to view data protection and privacy as a holistic, company-wide effort," Spiezle said. "If they only focus on it as an IT issue, they will most likely fail."

2. Reevaluate Your Data Encryption Practices.

Encrypting sensitive customer data might sound like a given in 2013. It's not. Failing to use encryption properly, Spiezle said, is a particularly high risk. An organization might encrypt customer data in certain states or process steps but fail to do so when it's in motion or in use on an employee's desktop, for example. Best practices and recommendations for encryption technologies will vary by business and industry; regulations such as HIPAA or PCI DSS will often have a heavy influence. Spiezle advises two general practices. First, if you haven't recently re-evaluated your encryption processes and technologies, they're probably not good enough. "Companies that were encrypted based on what standards were five years ago are easily broken into today," Spiezle said.

Second, Spiezle recommends whole-disk encryption instead of file-level encryption, especially for employees who work with customer data on their PCs or mobile devices. Whole-disk encryption, such as what's on offer for Apple's iOS or Microsoft's Windows, can help better protect against fallout from lost laptops and other hardware.

3. Consider Data Loss Prevention (DLP) Technologies.

Spiezle advises larger companies to begin to consider a data loss prevention (DLP) platform for rules-based data monitoring and tracking. Such technologies enable an administrator to automate and enforce certain policies governing the use and movement of customer data. For example, set a rule that prevents any files that include a social security number from being sent outside the company. "You're preventing either an accidental disclosure or an employee overtly sending data out to someone [outside] the company," Spiezle said.

By "larger" companies, Spiezle is not referring to employees or revenue but the amount of data you're dealing with. "I've seen companies with as little as 100 employees using [DLP]," Spiezle said. "Certainly, anyone that's dealing in [healthcare] or a securities business is probably already thinking about this." A related scenario where smaller companies might find a return on a DLP investment: Service providers that count highly regulated industries and other high-risk businesses among their customers. It might be a necessity to be deemed trustworthy.
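The SSN rule described above, as an added example that is not from the article or from any DLP product: a small Python content-inspection check that finds Social Security number patterns in a file's text, discards candidates that cannot be real SSNs (area numbers 000, 666 and 900-999, group 00, serial 0000 are never issued), and blocks the transfer only when the recipient is outside the company. The internal domain, recipients and sample file contents are constructed for the illustration.

```python
"""Toy DLP content check: block outbound files containing plausible SSNs.

Added illustration; the internal domain, recipients and sample text below
are constructed, not taken from any real organization.
"""
import re
from dataclasses import dataclass

# Three digit groups separated consistently by a dash, a space, or nothing.
# The backreference \2 forces the same separator twice, and the lookarounds
# stop the pattern from matching inside a longer run of digits.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed: domains that count as "inside the company" for this demo.
INTERNAL_DOMAINS = {"example.com"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA issuance rules that rule out impossible numbers.

    This is a false-positive filter, not proof that the number is real.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return normalized (NNN-NN-NNNN) SSN candidates that pass the filter."""
    hits = []
    for match in SSN_CANDIDATE.finditer(text):
        area, _sep, group, serial = match.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def evaluate_transfer(filename: str, content: str, recipient: str) -> Verdict:
    """Decide whether a file may be sent to the given e-mail recipient."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    ssns = find_ssns(content)
    if not ssns:
        return Verdict("allow", f"{filename}: no SSN pattern found")
    if domain in INTERNAL_DOMAINS:
        return Verdict("allow", f"{filename}: {len(ssns)} SSN(s) but recipient is internal")
    # Policy from the article: nothing containing an SSN leaves the company.
    return Verdict("block", f"{filename}: {len(ssns)} SSN(s) bound for external domain {domain}")


if __name__ == "__main__":
    # Constructed sample documents.
    samples = [
        ("refunds.csv", "Customer 123-45-6789 requested a refund", "partner@vendor-example.net"),
        ("refunds.csv", "Customer 123-45-6789 requested a refund", "audit@example.com"),
        ("invoice.txt", "Invoice 000-12-3456, call 555-123-4567, order 987654321", "ap@anywhere.org"),
    ]
    for name, text, to in samples:
        verdict = evaluate_transfer(name, text, to)
        print(f"{verdict.action:5} -> {to}: {verdict.reason}")
```

The filter keeps the rule from firing on phone numbers, order numbers and other nine-digit values, which matters because a DLP rule that blocks legitimate traffic is one that administrators quickly disable. A real deployment would also inspect attachments after decoding (archives, Office documents, PDFs) rather than only plain text.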

4. Include Customer Privacy In Cloud Vendor Negotiations.

As SMBs adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be a part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: "We adhere to best practices to protect your data," or some version of that same claim. The problem, according to Spiezle: "That may not be good enough for your business, and you may really want to pressure [them on] that." Another example: A cloud vendor's general promise to notify you in the event of loss of sensitive information. The problem: "They may not really know what's sensitive to your customers or your markets," Spiezle said.

As a result, Spiezle encourages SMBs to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don't expect a warm response, though. "Vendors don't want to do one-off deals." Nonetheless, it's an important area to address. In the event of a data-related incident, your customers won't want to hear: "It's the cloud's fault."

5. Address The BYOD Issue.

Yes, bring-your-own-device (BYOD) is a customer data issue, too. Spiezle is in the camp that sees BYOD as inevitable. Whatever your viewpoint, employee-owned mobile devices add an order of magnitude of complexity to protecting customer information and privacy. A recent survey paid for by EVault found nearly one-third of U.S. employees had corporate data stored on their personal smartphones.

Spiezle recommends remote wiping capability as a key tool for managing the mobile-related risks. At bare minimum, he advised including a BYOD policy clause that requires employees to notify the company in the event of a lost or stolen device so that it can take steps to prevent data loss.

6. Retain Data Logs For Longer.

As a matter of process rather than technology, Spiezle recommends keeping data logs for things like firewalls or application servers for at least one year, if not longer. "What we find is a lot of administrators only keep them for 30 days, or they inadvertently shut them off when they're doing something [else]," Spiezle said. That can cause problems when trying to determine the cause of data-related incidents; Spiezle noted those incidents are often not discovered until after the fact.

"There's really no reason why you wouldn't want to keep your past 12 months of data in those logs," he said. "It's really important because it can help in forensics capability. It can also help detect abnormal behavior and patterns of someone who's attempting to breach your perimeter."

Drew Conry-Murray, User Rank: Ninja, 1/29/2013 | 10:16:58 PM
re: 6 Steps To Better Customer Data Protection
As an addendum to point 3 about DLP, the technology is also useful as an internal auditing tool. IT probably has a good idea about the primary locations of sensitive data, but an internal review with a good tool will also likely reveal data caches that IT didn't anticipate.

Drew Conry-Murray
Editor, Network Computing