Loss of confidence in online transactions and data held on individuals is amongst the greatest potential risks facing any on line retailer, financial institution or public facing body.
Headlines abound on data losses from banks, social websites and health providers. Each breach represents a significant blow to the reputation of the business suffering it and in some cases can lead to total failure of the business.
The UK ICO (Information Commissioners Office) recorded 1,707 data incidents and enforcement cases in 2014/15* with over 200,000 concerns raised by members of the public.
Levels of concern over data security amongst the UK public are high and increasing year on year. Data security is a key part of the trust required for successful business to consumer sales to thrive.
So, what are the problems?
At the most basic level almost all of us has browsed for a product online and bought a product either online or over the phone. It is a convenient and efficient way to buy and general levels of satisfaction with purchases are good.
Then a few days later e mails, text messages or calls start to come in.
That’s quite normal, we gave our e mail address and phone number as part of the first transaction, but forgot to tick the boxes declining us being contacted in the future. All very familiar and part of everyday life, but it makes you think.
“What information is held about me on line?”
“Who has access to it?”
“What can they do with it”?
It may dawn on us that online details don’t just include personal information like name, address, e-mail and phone numbers; they’ve got my card details!
Usually there’s no need to panic as you bought from a reputable company which follows the rules. But, if you’re just a tad paranoid you might wonder about the nice young person you read all your card details to on the phone. They sounded very efficient and polite. They even repeated all your card details back to you to make sure they were correct and the transaction went smoothly.
What if they wrote your details down or recorded them onto a phone? They have enough information to go on a wild shopping spree. However, this scenario is very unlikely. Consumer card detail is generally entered directly to the company’s payment system and disappears from the agent’s screen before the call ends.
Precautions ensure agents don’t or can’t copy card details. CCTV monitoring, access controlled rooms and clear desks without pens, pads or phones are all effective in reducing the opportunities should someone be tempted.
Physical security measures reduce opportunities for fraud and the vast majority of people are basically honest. However systems aren’t fool proof and can engender an element of distrust of the retailer amongst consumers. So a stronger solution is desirable both from the retailer’s point of view and that of the consumer.
Some systems mute the incoming call whilst the consumer number is read out or the agent goes off the line whilst card details are entered from the phone keypad. These measures help, but more effective systems are available to give both consumers and the data processors confidence in the secrecy of a transaction.
Hopefully your card details won’t be used by that nice young person to buy a Ferrari, and if it was it would be very obvious who did it. Personal and card details are held in retailer databases, which if not well protected is a like an unlocked filing cabinet. Restricting access by staff is simply a matter of setting up the right security and access settings.
That doesn’t stop data being stolen by a third party, the incentives for hackers to obtain even partial card data are significant and much more lucrative if you can grab a large quantity of card and personal data. Criminal gangs are reputed to offer between $10 and $50 per card. The rewards for a hacker can easily outstrip simple theft and illicit use of a single card.
Firewalls and encryption of data are standard protection methods, but security breaches do occur and threats do not become apparent until they have had an impact, which is simply too late.
Retailers and data holders who work to PCI DSS (Payment Card Industry Data Security Standard) and adopt security management systems such as ISO 27001 have protocols in place to reduce vulnerabilities and encourage best practice. They restrict access, separating data from the operating network environment, changing firewall rules on a regular basis and encrypting any personal data.
These are the minimum standards and precautions a business processing and holding personal and card data should have in place. Managing how these are applied is a challenge helped by adopting a culture of improvement and responsibility. A management system which measures performance against targets and is regularly audited to test effectiveness is recognised as a valuable tool in managing data security activities.
It is a widely held belief that standards such as PCI DSS, ISO 9001 and ISO 27001 are simply badges that companies gather to show the world they have passed an audit. This may be true in many cases and where it is the companies and their consumers do not benefit from such “badges”.
The trick is to adopt the management system modelled in the standards to meet the requirements of the whole business. Consumers want the confidence they are buying a good product from a reputable provider. They also need the assurance that their data will be held and processed in a secure environment.
Forward-thinking businesses are adopting integrated management systems incorporating the requirements of ISO 9001 for service quality and ISO 27001 with PCI DSS for security to help improve overall levels of performance.
By adopting this approach they not only manage their consumer or supplier relationships they take account of their security needs within these relationships.
Operational practices are planned to be both effective and secure, whilst protocols to protect data are incorporated as part of normal business operations.
The overarching principles of continual improvement through the action cycle of “Plan, Do, Check, Act” become second nature with the net result of consumer relationships improving over time whilst security risks are reduced.
An effective management system improves performance over time and manages how shortfalls are investigated and dealt with. Risks are identified before they have an impact and plans to address them managed and monitored with measurements of the degree of success being used to make further improvements.
So whilst systems and protocols are both useful and necessary, managing their effectiveness through a business improvement system makes them work harder to benefit the business and in turn boost reputation amongst consumers.
What are the risks to a business if security is breached?
Penalties for data breaches by data processors and holders are significant. The ICO in UK imposes legal penalties for breaches. However, the damage to reputation is immeasurable and most businesses would find it difficult to continue were they to suffer any breach of personal records.
The most infamous recent example is the Ashley Maddison married person’s dating website based in Canada. Up to 37 million personal account records are said to have been “harvested” leading to enormous potential for not only data use but for good old fashioned blackmail. The impact on the business which had just been attempting to raise $200million of new capital has been cataclysmic.
Companies and public bodies are well aware of their responsibilities and take them seriously, but compliance is something that often gets put aside as a separate entity in the business. Compliance should be at the center of any data handler’s management systems. It needs to be integrated throughout the business with a culture adopted across all functions. That’s where integrated management systems come into play.
*ICO Annual Report 2014/2015