IMA Executive News & Views Blog

Protecting customer data: Risks, requirements, and how to keep your company secure

by Angela Appleby

Plante & Moran, PLLC is an IMA Member

In recent years, technologies such as social media, analytics, and cloud computing have offered businesses many more opportunities to promote, grow, and improve. However, with these new opportunities come added concerns.

One area in which this is especially true is personal data. Companies in virtually every industry are now data aggregators, meaning that they collect and store data on customers, clients, patients, employees, and others. At the same time, a whole new business model has been created by data management, processing, and storage companies. Data is extremely valuable to the companies that have it — and to fraudulent third parties that can sell it.

Technology has rendered this data more accessible, and thus more vulnerable, resulting in the regulation of personal information on state, federal, and international levels. Companies can take steps to secure their data, but they need to know what real security looks like and how to avoid potential pitfalls.

Difficult lessons learned

The well-publicized Target and Home Depot data breaches were large-scale examples of what can happen to any company that isn’t careful with its data. In a breach of Target’s data, more than 40 million customers’ credit and debit cards were affected, which cost the company more than $148 million. In this case, the theft occurred via a stolen third-party HVAC vendor account (an important caution to businesses that use security-weak vendors). In a breach of Home Depot’s data, more than 56 million credit cards were affected, which cost the company an estimated $62 million. Of course, these numbers don’t reflect the significant damage to the reputation of each company.

The same thing can happen on a smaller scale. Small businesses suffer 98 percent of data compromises, and 50 percent of U.S. small businesses have been victims of cyberattacks. [4] The average cost of a breach in 2014 was $3.5 million per breach incident, a 15 percent increase from the previous year. [5] With the amount of digital content continuing to expand, the potential for future breaches is growing as well.

PCI DSS audit

To protect customers’ credit card data, the Payment Card Industry (PCI), which was formed by major credit card brands, has created a set of 12 requirements, known as the Data Security Standard (DSS), with which all companies that process, transmit, or store credit card data must comply. These standards focus on areas such as network security, vulnerability management programs, control measures, and monitoring and testing for security. Smaller companies may validate compliance internally, but larger companies must hire a Qualified Security Assessor (QSA) to perform the validation. Noncompliance can result in heavy fines and even the loss of ability to accept credit cards.

The requirements are updated every three years. As of January 2015, version 3.0 became mandatory. This version includes the same 12 requirements but provides clarification and further guidance, as well as several new subrequirements, related to emerging threats and market changes.

There are many, at times too many, compliance initiatives around security driven by different industry segments and markets, and most companies don’t know where to start. Initiatives that companies may pursue include becoming ISO 27001 certified or obtaining a Service Organization Control (SOC) report over security, availability, confidentiality, processing integrity, or privacy. Others include HIPAA, NIST 800-53, the Cloud Security Alliance compliance, and many more. Regardless of the direction the business takes, being compliant doesn’t mean that the business is secure.

Compliance versus security

A business that passes a PCI DSS or SOC audit with flying colors may still be vulnerable to a security breach. These audits reveal only minimum security requirements and are focused more on protecting customer data than protecting the company. (For example, a company’s separate internal network might not be included in the audit if customer data is stored in a separate segmented network.) In addition, these audits, as in the case of the Target breach, do not heavily cover third-party vendors that could put companies at risk.

Businesses should also consider their legal position in the event of a breach and understand that compliance with PCI DSS or SOC requirements might not necessarily strengthen it. Local law takes precedence over data security requirements and regulation, which is a significant issue for companies working with internationally based vendors and buyers.

True security

To be truly secure, businesses must start by covering the basics, including network security, best practices, hardening guidelines, and internal network security assessments.

Because a good part of security risk occurs with end users, companies can further protect themselves by providing security awareness training and policies for all staff members and additional training for IT staff.

Businesses should also activate strong MSAs and SLAs with known IT security requirements and request independent audits for third-party providers.

Finally, companies should regularly review the 20 principles for IT security developed by the SANS Institute. These principles include ensuring secure configurations on all devices, defending against malware, conducting security skills assessment and training, maintaining audit logs, and ensuring secure network engineering.

Steps to security

In today’s technology-driven business world, data security is something no company can afford to ignore. Keep in mind the following principles and guidelines when considering your company’s data security:

  1. If you store or transmit sensitive data, you’re at risk.
  2. A single breach can cost considerable time, money, and damage to your company’s reputation.
  3. You may be required to comply with PCI DSS requirements, but doing so doesn’t necessarily ensure your business is secure.
  4. Start with the basics for network security.
  5. Provide security best-practice/awareness training for IT staff and all staff members.
  6. Consider the risks posed by third-party vendors and take steps to neutralize them.
  7. Familiarize yourself with the SANS Institute principles.
