In today's information-driven world, the single most serious threat that businesses face is to their customers' information. The customer base of any business is the most critical asset that the business has, and this is true for almost any business. With risks like identity theft increasing every day, customers are more concerned now than ever about the information that they provide to businesses. Whether it's credit card information that a buyer passes on to a retailer, or medical records that a patient provides to his/her doctor, they expect that the business will handle that information with the utmost security and prevent any situation that could possibly compromise it.
The threat to safeguarding customers' information has multiple aspects to it, ranging from secure transmission over a network to safe storage in a database. Businesses today are spending more money than ever to prevent hackers from getting hold of their customers' private information and misusing it. The reason this threat is the most serious of all is that it has the most serious implications. A single report of customer data compromise at a company can result in that company losing its established customer base.
The strategies and policies that businesses can adopt to mitigate the risks from the above-mentioned threat may vary based on the type of information that the business deals with but the following set of practices can help any business deal with and control the threat:
Avoiding non-electronic forms of collecting and storing customer data as much as possible - Although it's not feasible in all scenarios to completely eliminate paperwork, reducing it to the minimum possible level helps prevent information from getting into malicious hands.
Employing appropriate security measures for data exchange over the Internet - Intercepting information that is passed over the Internet is one of the most common ways data gets compromised. This applies not only to online-based retailers but also to businesses that exchange data over the Internet for various purposes. Standards can be put in place for such information exchange that prevent the information from being used by unauthorized personnel. These include data encryption using public and private keys and digital signatures.
Setting up strict policies on information access levels within the enterprise - In some cases customer data can get compromised at the hands of the employees of the business, intentionally or unintentionally. A common example is the handling of information by customer service representatives. To prevent the risk of unauthorized access, companies should adopt strict access control policies that define appropriate data access levels based on "roles". Information should only be allowed to flow from a lower-level security role to a higher-level security role, and never in the reverse order.
Adopting appropriate data storage and backup measures - Apart from the threat that comes from hackers trying to access private information, events like disk crashes can also result in loss of data. To prevent such risks, companies should adopt appropriate data storage and backup measures. These include taking regular backups of data and having an offsite backup location. Creating and maintaining a BCP (Business Continuity Plan) is also part of ensuring data security.
The following references and incidents support my belief that the above described threat is the most serious of all, to today's businesses:
"Recent Security Breaches - Class Action Lawsuit Alleges Palm Pre/Pixi Users Suffered from Data Loss", www.databreaches.net
"Recommended Practices on Notification of Security Breach Involving Personal Information", California Office of Privacy Protection, www.privacy.ca.gov/recommendations/secbreach.pdf
"T-Mobile confirms biggest phone customer data breach", The Guardian (UK), http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy
"Customer Data Breach Costs", E-Commerce Times, http://www.ecommercetimes.com/story/66055.html
"2008 Annual Study: Cost of a Data Breach", http://www.encryptionreports.com/2008cdb.html
Security Breach Legislation, National Conference of State Legislatures, http://www.ncsl.org/Default.aspx?TabId=13481