By Michael Zhou
You never cease to hear about the common threats to doing business in a digital world: spammy emails, viruses, malware posing as harmless documents, spyware, ransomware, extortion emails from hackers, and the lot. No wonder several organizations have committed the blunder of only focusing inward – particularly issues associated traffic and data within their own networks. It is what goes on outside of their organizations where the grim picture of customer data security and privacy comes to the fore, and gives sleepless nights to CIOs.
We intend this guide to be an actionable, insightful, and value adding resource book for data security officers to review, plan, and improve their companies’ customer privacy readiness.
1- Secure, Safe, and Reliable Web and Data Hosting
More than 80% of websites with malicious content are actually victims of cybercriminals who infect their infrastructure, and make them potential hotbeds of data theft activity. Whether you’re a business with a portfolio website, or a dedicated online retailer with ecommerce portals, the choice of a secure web host is imperative towards the aim of uncompromised customer privacy.
Question your prospective (or existing) web host on their security policy, and check whether routine hygiene checks such as malware scans, traffic monitoring and Do’s (Denial of Service) mitigation are in place. Discuss the data loss and data breach policies of the web host, and analyze their disaster management plan. What are the SLAs on response times in case of data breaches? How secure is the server platform your Content Management System will be built on?
If you conduct any ecommerce activity on your portal, all transactions and communications need to be secured through Secure Socket Layer (SSL) or its successor, Transport Layer Security (TLS) encryption. “You can also apply additional measures to further optimize SSL/TLS communication, such as deploying a CDN to bolster your SSL/TLS implementation . This will speed up your SSL connection times and also auto-upgrade your certificate to an A+ grade, which can be especially helpful if you are using a self-signed certificate.
CDNs also combo well with Let’s Encrypt, an automated and open platform that allows you to easily create a free TLS certificate. With both CDN service and the certificate provided for free, you have no good excuse for not using TLS on your site.
2 –Secure At Rest Data with Secure Database Deployment
The security of data at rest is among the most critical aspects of complete data privacy of customers. Here are a few questions and check points that you need to be wary of, whether your RDBMS is hosted on SQL server, Sybase Adaptive Server, or Oracle 8i.
- What are the specifics of the data recovery policy?
- What review procedures are in place to effectively track unauthorized database accesses and modifications?
- Are certification and verification procedures and protocols such as Windows Authentication in place for the RDBMS? What access control policies are in place?
- Are the controls of data flow between test and production databases stringent enough?
- How often is the database backed up?
- Is there a database security agent in place?
3- Follow Compliance With Standards
Ensuring compliance with major generic security protocols and standards, and few industry and business specific audits is not the easiest of tasks for an organization.
- PCI DSS (Payment Card Industry-Data Security Standards Compliance Report). Compliance with PCI DSS is imperative for any organization that transmits, stores, or processes data pertaining to credit cards and debit cards of consumers.
- FISMA (Federal Information Security Management Act Compliance Report). Agencies and contractors that exchange any data with government owned systems need to comply with FISMA guidelines; this involves diligent auditing focused on mitigation of critical data security risks.
- HIPAA (Health Insurance Portability and Accountability Act Compliance Report). HIPPA compliance reports secure important health and medical data transacted among medical institutions, preventing unauthorized access to confidential medical information.
4- DLPs – A Way Forward for Organizations Handling Massive Data
Data theft has grown at over 600% in the past 3 years, and FBI and Computer Security Institute are constantly making statements about the need for organizations to protect leak of financial, nonpublic, and propriety information. Customer privacy policies have become the bare minimum in a world where data theft and privacy breaches have already started resulting in multi-million dollar losses and lawsuits for organizations.
This is where Data Loss Prevention platforms (DLPs) and rule based monitoring and tracking of data flow has benefits to offer. Organizations can detect loopholes in their data protection infrastructures, and can avoid lethal risks of accidental financial information disclosures and deliberate internal data theft attempts by implementing DLPs.
We hope this guide serves technology and data security stakeholders in your companies in ramping up customer privacy and data security measures. Remember that any security implementation is only as strong as the weakest link. This means that any organization should ensure top-tier security across all assets, and involving all stakeholders. Thus, whether it’s your infrastructure, employees or security contractors, it pays to be on top of everything, in order to ensure the privacy and integrity of customer data.
Michael Zhou is the Senior VP of Business Intelligence Development. With his expertise in web domain as a whole, he has assisted Fortune 1000 companies for their marketing efforts. A thinker, web developer and marketing enthusiast, he aims to assist small businesses to make a lasting impression in the industry. He seeks to tap the potential of companies in realizing their dreams to benefit both the vendor and the consumer.