Strong cybersecurity goes without question
By John Shin, Managing Director, RSI Security
Protecting customer data is closely related to delivering satisfying customer experience.
An enjoyable meal in a beautiful restaurant isn’t very enjoyable at all if you catch the waiter writing down your credit card number. Customers spending money on a product usually don’t think about what might or might not happen to the data they emit about themselves online. From our physical demographics to our geographic location, whether broadcast implicitly or explicitly, social media and other app functionality gather and store useful data points about our lives.
Small details gathered in the present can coalesce down the road to form a much fuller picture of who we are. That’s why the most effective businesses take cybersecurity seriously, especially when it comes to keeping customer data under proper lock and key. A breach of an e-commerce store’s credit and debit transaction information is not only expensive for the exposed victims; the breached business often finds itself on the line to pay for the resulting damages. These incidents aren’t only hard on the pocketbook, but hard on a company’s public perception at the same time.
While every internet-using adult in 2019 should have some solid cybersecurity fundamentals (not using the same password everywhere, for example), it’s rather easy for business organizations that consist of many smart people to miss the boat on cybersecurity. They might make the mistake of not considering cybersecurity threats seriously enough (“We don’t need to worry about that!”), or the organization may be of sufficient size that everyone thinks cybersecurity is someone else’s job.
This ignorance or shortsightedness means that companies regardless of size or expertise, from the smallest startups to the largest global corporations, have had to deal with the expensive, embarrassing ramifications of losing customer data like credit card numbers. But pairing education with action can right the ship.
Companies implementing compliant hardware and practices will enjoy significantly increased confidence and certainty operating on an internet that has bad guys on it. Discerning customers asking these companies about their data processing standards will learn that they’ve taken the care and consideration to handle customer data mindfully.
Use a private network or cloud-based system.
This is where the rubber meets the road on certain base-level steps that many cybersecurity newbies simply don’t know to implement. How is data handled on your network? What kind of network is it exactly? Does everyone connect to shared workspaces using a virtual private network? Do you depend on a cloud-based system’s off-the-shelf solution?
Encrypt the data so it’s unreadable to cybercriminals.
Just like you might install a strong lock on the front door in a tough neighborhood, you should take steps to obscure the business data that sits on and moves across your network. Encryption makes it easy for you to read and access your own data, but prohibitively difficult for other people to do the same.
Breaking encryption is a much more complex matter than simply gaining illegal access to a private computer system. You can probably use a feature in a product you already depend on to enable a high degree of encryption that renders stolen information unreadable.
Ensure Payment Card Industry (PCI) security compliance across your network and card payment devices.
With major credit card companies processing thousands of transactions per second, you don’t actually want to be a credit card cybersecurity trailblazer. There are reliable, well-documented guidelines already out there on how to establish certain cybersecurity thresholds. If your business handles credit card transactions, for example, then you need to chase PCI compliance.
It is probably easier to achieve PCI compliance than you think. A PCI audit, whether a casual self-assessment or formal, paid audit conducted by a third-party assessor, will provide you the actionable feedback you need to become compliant.
In many instances, you may lean on the PCI compliance already afforded by certain products on the market. It’s just a matter of combining approved hardware and approved software to work together.
Educate the staff on cybersecurity and compliance.
Companies become what they focus on. Make niche topics about data management and security practices part of the everyday work conversation if you want it to be part of your employees’ thought process. As newer workers learn what colleagues focus on several rungs up the ladder, this eventually becomes their focus as well.
Make it a point of culture that your company talks openly about cybersecurity issues, especially as they pertain to the company’s success and continued operation. Keeping the subject in front of people over the long term will build awareness and working knowledge that will surely serve them whether or not their jobs are connected to handling data.
There’s no better pushback against fraud than an educated staff. Make sure your people know their stuff.
If you process cards in person, go for EMV readers instead of Magstripe.
EMV payments are processed by reading a computer chip embedded at one end of the credit card, and they are a far more secure and trustworthy way to pay than the conventional swipe of a magnetic strip. (Such casual swiping is exactly what scammers depend on in order to get a successful “skim.”)
EMV payment technology makes it much harder for bad guys to steal cardholder information. These “chip cards” contain an embedded microchip and are automatically authenticated with a personal identification number entered during a transaction. This category of card payment may add time to the total transaction process, but it operates on a paradigm significantly more secure than magstripe.
There are other tactics available for companies specifically seeking to improve their credit card cybersecurity. They might truncate card data in their records to the point that transactions remain sufficiently identifiable for customer service purposes without retaining enough information to be a liability (keeping only a portion of each card number rather than the complete number).
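The truncation tactic above, as an added example that is not code from the author or from RSI Security: the raw card number never reaches the stored record, only the last four digits survive, and a small scanner flags any full card number that leaks into logs or database dumps. The sample orders and the log lines are constructed from well-known test card numbers, and the 12 to 19 digit length range and the "keep last four" policy are assumptions for the example, not a statement of the PCI rules.

```python
import re
from dataclasses import dataclass

# Constructed sample input: publicly known test card numbers, not real cardholder data.
SAMPLE_ORDERS = [
    {"order_id": "A1001", "pan": "4111 1111 1111 1111", "amount": 42.50},
    {"order_id": "A1002", "pan": "5500-0000-0000-0004", "amount": 17.00},
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a cheap sanity check that a digit string is shaped like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Return the storage-safe form of a card number: masked except for the last `keep_last` digits.

    Separators (spaces, hyphens) are stripped first. Anything that does not look like a
    card number is rejected rather than silently stored.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):  # assumed plausible length range
        raise ValueError("input does not look like a card number")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


@dataclass(frozen=True)
class StoredOrder:
    """What the order history keeps: enough to match a customer's query, never the full PAN."""
    order_id: str
    pan_last4: str
    amount: float


def to_storable(order: dict) -> StoredOrder:
    """Convert a raw order into a record that is safe to persist; the full PAN is dropped here."""
    return StoredOrder(order["order_id"], truncate_pan(order["pan"]), order["amount"])


def contains_full_pan(text: str) -> bool:
    """Detection helper: true if a 13 to 19 digit run that passes Luhn appears in the text.

    Useful for scanning application logs or database exports for card numbers that
    should have been truncated before they were written.
    """
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            return True
    return False


if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(to_storable(order))
    # Constructed log lines: the first leaks a full PAN, the second is properly truncated.
    leaky = "2019-05-01 12:00:00 order A1001 card=4111111111111111 amount=42.50"
    clean = "2019-05-01 12:00:00 order A1001 card=************1111 amount=42.50"
    print(contains_full_pan(leaky), contains_full_pan(clean))
```

Running the block prints the two masked records followed by `True False`: the scanner catches the log line that still carries a full card number and passes the one that was truncated. The Luhn check keeps the scanner from flagging every long digit run such as timestamps or order identifiers.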
While the road to bulletproof cybersecurity is long and can be especially complex, depending on the industry an organization operates within, it’s always a good idea to be invested in and up-to-date on the state of your cybersecurity. Moving information around online already enables wonderful things for today’s consumers, but the underlying cybersecurity involved in doing so should be a point of pride, not something for a cost-cutting company to overlook.
If the ideal customer experience is the question here, then strong cybersecurity goes without question.
How can a company hope to serve a customer if it can’t even keep its payment processing operations PCI compliant?
About the Author
John Shin is the managing director at RSI Security. He has 18 years of leadership, management and Information Technology experience, and his area of expertise is IT security and technology management. He is a Certified Information Systems Security Professional, CISM, and Project Management Professional (PMP). He is the principal author on multiple Internet privacy and security technology papers, such as Dominant Cyber Offensive Engagement and Supporting Technology and Reconnaissance & Data Exfiltration for the U.S. Air Force Research Laboratory.
Mr. Shin was responsible for external customer information systems as well as the global infrastructure operations at Abraxas Corporation, a risk mitigation technology company solely focused on the National Security Community.
Mr. Shin also worked in several management positions for Genoptix Inc. (Nasdaq: GXDX) in the IT/Bioinformatics division. During his tenure at SunGard, Mr. Shin operated as an operations engineer responsible for mission-critical infrastructure and ISO-compliant system processes. John can be reached online at https://www.linkedin.com/in/john-s-504a02140/ and at our company website https://rsisecurity.com/.