Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Data Security: The Currency of Business Success

Data Security: The Currency of Business Success. Start Building its Reserves Now!

Data Security: The Currency of Business Success. Start Building its Reserves Now!

We live in an age where technology is so easily accessible that data may be the most valuable currency that companies and individual consumers have to protect. Organized cybercrime is well-funded and has become increasingly sophisticated. According to the “2010 Identity Fraud Survey Report” by Javelin Strategy & Research, over 11 million adult consumers fell victim to identity fraud in 2009, up from nearly 10 million victimized in 2008.

Here are some of the most common fraud methods used by criminals to steal personal data today:

Chart of Most Common Fraud Methods

Source: © 2010 Javelin Strategy & Research “2010 Identity Fraud Survey Report”

Consumer-facing fraud (fraud that doesn’t include insider or employee fraud) costs retailers $100 billion a year, according to the “2009 LexisNexis True Cost of Fraud” study.

Companies need to evolve with the times. In this challenging economy, it is easy to make this a technology problem, and turn inwards to address the most burning topic at the moment. With this approach, companies get lost in the details, often missing the big picture and the opportunity to take a more holistic, business-minded approach to security. Companies should remember that compliance does not equal security! It is essential to step back and examine how to best meet business objectives, while taking into account the multifaceted environment that now encompases corporate risk. Every organization has the opportunity to examine internal processes and recognize the gaps in loss prevention (LP), information security, privacy, legal, business continuity, disaster recovery, and data security compliance.

If collecting and storing a particular data element puts your organization at risk because of the regulations that surround it, ask the tough questions:

Do we really need this data to conduct business?

Advertisement. Scroll to continue reading.

Is there an alternate approach we could take?

For sensitive data that is business-critical, ask to limit the amount kept on file and narrow the scope of those with access.

After due diligence, consider technology. By taking this approach, businesses are better positioned to leverage a common set of tools and processes across the organization rather than falling into the trap of pursuing different tools to address different security concerns. It is easy to end up with an infrastructure that is expensive, unmanageable, and less secure because of gaps in between processes and tools, which creates opportunities for compromised security.

Specific to the retail environment, merchants have to continuously re-examine their current security infrastructure and approach to protecting cardholder data. They understand that PCI DSS (Payment Card Industry Data Security Standard) compliance does not equal security and continue to build security into their business process. Specifically, merchants can significantly elevate their efforts in protecting sensitive cardholder’s data by accelerating their efforts and focus on three areas:

Point to Point Encryption – Addresses the issue of protecting data in flight.

• Current buzz word in the market because merchants are interested in reducing the “PCI in scope” components

• Encrypts the data at the device level; decrypts upstream (corporate headquarters; gateway; processor)

Tokenization – Addresses the issue of protecting data at rest.

• Replaces the credit card number with another value that is not derived from the card itself

• Typically happens post authorization, as part of that process

• Strategy for taking back-end systems “out of scope” for PCI

• Represents and opportunity for merchants to shift their risk to a third party

• Depending upon the tokenization scheme, the amount of re-work can be minimal for the merchant

• Allows merchants to continue to utilize their current business processes with minimal risk (returns; charge backs; analytics, etc.)

Chip and Pin

– Addresses the inherent flaws in the mag stripe card product

• Technology is 15 years old – debate is on if there is something newer to leapfrog this technology

• Based on a two factor authentication strategy – customer has something that is known (card with chip technology) and something that only they know (pin)

• Consumer will likely assume fraud liability in this scenario (brands/banks assume they have been negligent in protecting their pin)

– Does not negate the PCI DSS requirement to protect cardholder data

Companies need to be aware of all methods by which important data elements come into the organization, which systems are passed through, where the data is stored, and who can access it, and they need to have the appropriate controls in place to monitor and protect the data. Without a doubt, there is a significant technology component, but data security starts with business processes – if it doesn’t make sense at the business level, the culture will never change, and it will not be sustainable.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.