PCI compliance is only the beginning
Some of the biggest data security breaches in recent years were possible because of remarkably simple oversights. Data thieves, for the most part, don’t resort to extremely sophisticated means and rooms full of highly experienced hackers using powerful computers. Rather, they rely on simple and obvious mistakes and sloppy (or nonexistent) compliance.
Data thieves are, more than anything, opportunistic. Though they may certainly target individual companies, more often they simply take advantage of a situation when it arises. Such was the case with the Bank of New York Mellon, which in 2008 shipped ten unencrypted backup tapes to a storage facility and lost one somewhere en route. A similar loss occurred in 2007 when HM Revenue & Customs lost two computer discs in the mail, which contained personal information on 25 million British citizens.
A common mistake that even large companies make is to think of data thieves as being secretive mobsters working from untouchable locations in Eastern Europe, when in fact, they are just as likely to be just down the hall. Certegy Check Services, in 2007, discovered that an employee had been stealing customer records and selling them, a breach that affected 8.5 million customers and resulted in US$1 million in donations and court costs.
By now, everybody knows about the PCI standard, promoted by the credit card industry. A basic set of 12 best practices, it is a useful guideline to understanding how to protect customer data. Following its basic instruction, encrypt credit card data and store it only when essential to the business, would avoid a lot of heartache.
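The "store it only when essential" instruction is most often broken by accident: card numbers leak into application logs, support tickets and debugging output that nobody thinks of as cardholder data. The following Python script is an added example (not code from the article) that scans constructed log lines for candidate card numbers, confirms them with the Luhn check so that order numbers and timestamps are not flagged, and masks anything that matches to the first six and last four digits, which is the most PCI DSS permits to be displayed. The log lines and the PAN 4111111111111111 are constructed test data; the regular expression matches only unbroken runs of 13 to 19 digits, so numbers written with spaces or dashes are assumed to be handled upstream.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines an order-processing service might write
# to its log. The first contains a valid (test) card number; the second
# contains a 16-digit value that fails the Luhn check; the third has none.
SAMPLE_LOG_LINES = [
    "2008-03-01 12:00:01 order=1001 card=4111111111111111 amount=19.99",
    "2008-03-01 12:00:02 order=1002 card=4111111111111112 amount=5.00",
    "2008-03-01 12:00:03 order=1003 ref=12345 amount=3.50",
]

# A PAN candidate: 13 to 19 consecutive digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in a line; return (new_line, pans_found)."""
    found = 0

    def _replace(match: "re.Match") -> str:
        nonlocal found
        digits = match.group(1)
        if luhn_valid(digits):
            found += 1
            return mask_pan(digits)
        return digits            # not a card number, leave untouched

    return PAN_CANDIDATE.sub(_replace, line), found


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a batch of lines; return the masked lines and the PAN count."""
    redacted = []
    total = 0
    for line in lines:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        total += n
    return redacted, total


if __name__ == "__main__":
    masked, count = scan_log(SAMPLE_LOG_LINES)
    print(f"PANs masked: {count}")
    for entry in masked:
        print(entry)
```

A non-zero count from a scan such as this is the useful signal: it means cardholder data reached a system that was never meant to hold it, which widens the scope of the PCI assessment and of any breach. Masking is irreversible and is the right tool for logs; data the business genuinely must keep is encrypted instead, as the standard requires.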
But as frequently happens in the business world, once a company does what some outside organisation tells it to do, it gets complacent. After ensuring that you are PCI compliant, don’t stop there! Keeping the security director and the compliance officer busy isn’t such a bad thing, and these days the compliance officer has a good deal of job security. After PCI DSS compliance, there are two other things to consider: ISO27001 and BS25999. Yes, that’s right, more number-letter combinations that will cost you money. But a little money spent being proactive is usually cheaper than the money that would be lost should a breach actually occur.
The ISO27001 security management standard, as well as the British standard BS25999, pick up where PCI DSS leaves off, adding an extra layer of defence. No matter how many compliance standards one implements, however, there is still a risk factor, and no system is absolutely impenetrable. Even a system that is completely walled off can be penetrated by an insider. Somewhere, somebody has to have access, and the first rule of information security is: “Trust no one.” Security is not a static function, and a company’s risk profile is constantly changing. New attacks are being created every day, new procedures are put in place, and new personnel are always coming on board. Never let your guard down.
Dan Blacharski is the author of several books on technology, finance, and business. He has been a freelance writer and editorial consultant for over 15 years and currently covers high-tech topics.