Our entire economy seems to run on data these days. Business processes are now not just computerised, but frequently generate extremely detailed information that is retained for many years. Businesses (and some government departments) don’t just have customer data – they have extremely detailed activity trails and profiles for customers.
Computer security experts have pointed out for many years that organised crime rings are now routinely involved in corporate data theft. The reality of the threat should be taken seriously by all organisations. This report into the cybercrime incidents reported to law enforcement by large corporates and government agencies makes interesting reading.
Many business leaders are happy to delegate data security to their IT department, and tick a compliance box when a monthly report is produced. In my opinion, this is a recipe for disaster.
Security and respect for client privacy are not technology widgets that can be purchased. They require active engagement and participation from all parts of the organisation – especially leaders. When that doesn’t happen, you have incidents like the UK government department that lost comprehensive data covering the personal lives of 25 million citizens.
Now the many, many incidents of data loss involving credit cards have actually resulted in changes to regulations, and improved industry practices. The PCI standards provide a simple foundation for businesses handling credit card transactions – not just online, but whenever the data is handled electronically within the business. As you can see in this simple guide to PCI, there are rather straightforward steps outlined to achieve compliance. PCI should really just be regarded as a baseline, not a magic bullet.
Measures to achieve regulatory compliance are already a fact of life for executives running large organisations. Ticking boxes simply isn’t good enough.
In a classic case of blaming the victim, the last week has seen journalists around the world scrambling to blame Sony (the victim) for the consequences of a series of criminal attacks. The most recent (known) attack resulted in Sony shutting down a series of widely used online services, and the apparent theft of customer data. For many in the media, the criminal investigation and the crime are not the focus – the story is all about trust and corporate communications. Sony’s level of PCI compliance just doesn’t seem to be of interest to journalists.
If you want to limit damage from data loss, you need to put in place risk management measures that involve the entire organisation, and develop crisis management strategies – before problems hit.