When it comes to protecting customer data, avoiding complacency and staying agile are crucial if a security breach is to be avoided.
These days it’s not a matter of if, but when it is going to happen. And instead of being paralysed by fear, companies need to take action to prevent a worst-case scenario. Semafone’s new Data Security in Practice report combines advice from the company’s own experts with those of a number of its customers to provide some practical steps that can be taken to create a secure environment for customer data.
Appreciate thy customer
As with any relationship, genuine care will go a long way. Making the security of customers’ data a priority only because of a particular piece of legislation is unlikely to prove effective long-term. Companies which stay compliant solely to avoid breaking the law will soon notice that their reputation (often built over many years) is suffering.
The reason for this is simple – customers have become increasingly aware that sharing their data ultimately exposes them to the risk of privacy infringements and fraud. Companies with robust data policies and procedures in place are therefore in a far better position to offer peace of mind to their customers and to maintain a strong reputation built on trust. Rarely will a customer object when additional security measures are implemented.
Security is everyone’s business
People are at the heart of any business, starting with the employees. While they are invaluable, they can also be a security risk to organisations. Human error and insider crime can be a very real threat to any company’s security. To mitigate this, a continuous cycle of education, processes, procedures and monitoring is required.
Organisations need to train new employees to identify the most common threats, e.g. phishing tactics designed to entice them into clicking links or downloading software without checking with the security team. But why stop there? Training should be viewed as an ongoing process – cybercriminals don’t sleep and are always looking for new ways to defraud businesses. The regular use of security awareness tools that train and test employees on their knowledge ensures that they are up to date and no tricks are missed.
Following the principle of ‘least privilege’ is another way to keep data safe while avoiding staff coming under too much scrutiny. Businesses with contact centres sometimes operate a “clean room” environment where employees have no access to the internet or social media, are not allowed pens and pads, mobile phones, bags, etc., and are scanned before entering and leaving the building.
This type of intense surveillance, more often than not, leads to low morale and high staff turnover. Instead, with ‘least privilege’, access to information is only granted when required, reducing the risk for everyone involved and meaning that no one needs to be subject to draconian working conditions. Furthermore, secure technologies such as dual-tone multi-frequency (DTMF) masking systems reduce the burden on employees and remove suspicion, making clean rooms redundant.
Once upon a crime
Don’t count on cybercriminals to be bad at their job. With attacks getting more and more complex, using a security encyclopaedia is no longer enough. If businesses want to protect themselves from sophisticated hackers, data security must be considered an integral part of business planning, not an afterthought. Information security requires management at all levels within an organisation, from the planning stages all the way through to delivery and implementation.
Businesses can add protection to their website so that shared customer information can only be deciphered internally. Another advisable measure is a self-contained native app that makes purchases more secure and protects against automated attacks that reuse log-in details taken from other sites.
If you are overhauling your systems, you should aim to include measures such as endpoint protection, anti-spyware and antivirus software. Artificial intelligence is also playing a significant role in combatting cybercrime, with companies producing solutions to monitor and respond to cyber threats in real time.
Bonus points for continuously screening systems for cyber-attacks and anomalies, and for applying geo-intelligence to monitor, manage and block traffic from regions known to be potential sources of threats.
In the lead up to the General Data Protection Regulation (GDPR) coming into force, organisations would have ideally undertaken a review of their entire business to identify and close any gaps in processes and security. Some might have realised that a lot of unnecessary data had been stored over the years. Holding large amounts of data means that a lot of data can be stolen – so why hold it in the first place?
If an organisation has to collect personal data and contact details, e.g. for fraud checks, software can be used to remove all this information before it goes back to the merchant, saving them from having to store and encrypt it. Bank details for direct debits can also be taken out of scope, which helps accommodate changes in the payment industry such as mobile payments and emerging fintech companies.
In the case of data storage, less is definitely more.
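The idea of stripping card and bank details out of a record before it reaches the merchant can be illustrated in code. This is an added example, not Semafone’s software or anything from the report; the field names, the in-memory token vault and the token format are assumptions made for the illustration.

```python
import re
import secrets
from typing import Dict, Tuple

# Constructed sample payload (not real customer data): what a payment or
# fraud-check step might capture before the record is handed to the merchant.
# Field names are assumptions for this example.
CAPTURED = {
    "order_id": "ORD-1001",
    "customer_name": "A. Example",
    "email": "a.example@example.test",
    "card_number": "4111 1111 1111 1111",
    "card_expiry": "12/29",
    "cvv": "123",
    "bank_account": "12345678",
    "bank_sort_code": "12-34-56",
    "amount": "49.99",
}

# Fields the merchant never needs to store; they stay with the payment service.
OUT_OF_SCOPE = {"card_number", "card_expiry", "cvv", "bank_account", "bank_sort_code"}

# Stand-in for a token vault held by the payment provider, not by the merchant.
_VAULT: Dict[str, str] = {}

def luhn_ok(digits: str) -> bool:
    """Luhn check used to recognise card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenise(pan: str) -> Tuple[str, str]:
    """Return (masked PAN, random token); the full PAN stays in the vault only."""
    digits = re.sub(r"\D", "", pan)
    token = secrets.token_urlsafe(16)
    _VAULT[token] = digits
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:], token

def sanitise_for_merchant(record: Dict[str, str]) -> Dict[str, str]:
    """Drop every out-of-scope field; keep only what the merchant needs."""
    safe = {k: v for k, v in record.items() if k not in OUT_OF_SCOPE}
    if "card_number" in record:
        safe["pan_masked"], safe["pan_token"] = tokenise(record["card_number"])
    return safe

def contains_pan(record: Dict[str, str]) -> bool:
    """Guard: does any value still hold a 13-19 digit Luhn-valid run?"""
    for value in record.values():
        for run in re.findall(r"\d(?:[ -]?\d){12,18}", str(value)):
            if luhn_ok(re.sub(r"\D", "", run)):
                return True
    return False

def vault_lookup(token: str) -> str:
    return _VAULT.get(token, "")
```

The `contains_pan` guard is the check a merchant-side store can run before persisting a record, so an unmasked card number that slips past the field filter is caught rather than stored.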
Protecting your data is no mean feat. With hackers and identity fraud growing ever more sophisticated, there is no end in sight when it comes to achieving and maintaining the upper hand. But as the Data Security in Practice report lays out, organisations are not defenceless in the face of cyberattacks. So, pull your sleeves up and build your metaphorical data protection Fort Knox.
About the author
Shane Lewis has over 15 years’ experience in Information Technology and Information Security and is a Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and an ISO27001 Lead Implementer (CIS LI). Shane is responsible for securing Semafone’s information assets and for maintaining and retaining the company’s PA-DSS certification, PCI DSS level 1 service provider accreditation and ISO27001. Before joining Semafone, Shane was based at international retailer Fat Face, where he managed the implementation of PCI DSS. Prior to this he worked in financial services with a variety of brands including Barclays, Co-op, GE Money, HSBC and Lloyds Banking Group.