Data Security Should Be in Everyone's Job Description
And while it might slow down the availability of the data by a few seconds, that's a small price to pay for the added level of protection, according to Loeser.
The PCI standards also mandate that companies only store payment card data when absolutely necessary for legal, regulatory, and business purposes, and then have a disposal procedure in place. Once cardholder data is no longer required, it must be securely deleted, the standards dictate.
Beyond that, it's also crucial for companies to segment data so that a breach in one file does not open other data streams, Loeser says. "You don't want one small breach resulting in a larger breach," with thieves taking information gained from one system to go elsewhere in the company records.
Experts also suggest that companies use Internet firewalls at all times, keep their operating systems and other business software up to date, and install and maintain antivirus and anti-spyware programs. Because many companies allow employees to use their own mobile devices, including smartphones, tablets, and laptops, for business, these devices should be protected in the same way.
"Many people are not securing their phones, not treating them like the powerful computers that they are," Velasquez says.
And like computers, mobile devices are continually at risk. In fact, Alcatel-Lucent's Motive Security Labs in February released figures showing that security threats to mobile devices rose 25 percent in 2014, following a 20 percent increase in 2013. It estimates that 16 million mobile devices worldwide were infected by malware that could be used by cyber-criminals for corporate espionage, information theft, denial of service attacks, and fraud.
"As a business, you want to limit some [company] apps and data so that employees can't access them from unsecured mobile devices," Ponemon says.
It's also crucial that companies limit data access to those employees who need it. "If you have sensitive customer information in your CRM system, you need to limit who it's available to," Siegel says. "The shipping department does not need access to credit card data."
"Make sure you have significant data logging in place, with alarms for when something happens out of the ordinary," Loeser adds, "so you can know when someone is doing something [with the data] that does not coincide with his job description."
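The two controls described above, limiting data access to the roles that need it and logging every access with an alarm for out-of-the-ordinary behaviour, can be prototyped in a few dozen lines. The following is an added example, not code from the article or from any vendor quoted in it: the role names, data classes, log format, sample log lines and thresholds are all constructed for illustration. It enforces a least-privilege table (the shipping department is not permitted to read card data), parses an access log, and raises two kinds of alarm: an access outside the user's role, and a burst of card-data lookups by one user inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Least-privilege policy (constructed): each role lists only the data
# classes it needs to do its job. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "shipping": {"address", "order"},
    "billing": {"address", "order", "card"},
    "support": {"address", "order", "contact"},
}


def authorize(role: str, data_class: str) -> bool:
    """Return True only if the role is explicitly allowed the data class."""
    return data_class in ROLE_PERMISSIONS.get(role, set())


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    data_class: str
    record_id: str


@dataclass
class Alert:
    kind: str    # "out_of_role" or "volume"
    user: str
    detail: str


# Constructed log format: "<iso-timestamp> user=<u> role=<r> data=<class> record=<id>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) data=(\S+) record=(\S+)$")

# Constructed sample log: alice (shipping) touches card data once, and bob
# (billing, allowed to see card data) pulls six card records in under a minute.
SAMPLE_LOG = """\
2015-05-04T09:00:01 user=alice role=shipping data=address record=ord-1001
2015-05-04T09:00:05 user=alice role=shipping data=card record=ord-1001
2015-05-04T09:01:10 user=bob role=billing data=card record=ord-1002
2015-05-04T09:01:20 user=bob role=billing data=card record=ord-1003
2015-05-04T09:01:30 user=bob role=billing data=card record=ord-1004
2015-05-04T09:01:40 user=bob role=billing data=card record=ord-1005
2015-05-04T09:01:50 user=bob role=billing data=card record=ord-1006
2015-05-04T09:02:00 user=bob role=billing data=card record=ord-1007
2015-05-04T09:30:00 user=carol role=support data=contact record=cust-77
"""


def parse_log(text: str) -> list:
    """Parse log lines into AccessEvent objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, role, data_class, record_id = m.groups()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, data_class, record_id))
    return events


def flag_anomalies(events: list, card_limit: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> list:
    """Raise an alert for any access outside the user's role, and one alert per
    user whose card-data lookups exceed card_limit inside a sliding window."""
    alerts = []
    recent_card = defaultdict(deque)   # user -> timestamps of recent card reads
    volume_alerted = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if not authorize(e.role, e.data_class):
            alerts.append(Alert("out_of_role", e.user,
                                f"{e.role} read {e.data_class} {e.record_id} at {e.ts.isoformat()}"))
        if e.data_class == "card":
            q = recent_card[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:   # drop reads older than the window
                q.popleft()
            if len(q) > card_limit and e.user not in volume_alerted:
                volume_alerted.add(e.user)
                alerts.append(Alert("volume", e.user, f"{len(q)} card lookups within {window}"))
    return alerts


if __name__ == "__main__":
    for a in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a.kind:12} user={a.user:6} {a.detail}")
```

In a real deployment the log would come from the CRM or database audit trail rather than a string, and the volume baseline would be derived per role from historical activity rather than a fixed constant; the structure of the check, a deny-by-default permission table plus a detector that reads the same log the policy writes, is what the article's advice amounts to.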
This also addresses a major vulnerability that many companies today face—their contact center agents.
CONTACT CENTER CONTAMINATION
One of the first entry points for many hackers is the contact center, according to Siegel. "The contact center is a definite point of weakness," he states.
Each month, the typical midsized contact center could receive more than 1,000 fraudulent calls. In fact, one out of every 2,900 calls to the average financial institution's contact center is fraudulent, according to Greg Adams, vice president of product management at Pindrop Security, a provider of caller authentication and fraud detection technology for contact centers.
Fraudsters sometimes use interactive voice response (IVR) systems for surveillance and data-gathering as a precursor to phishing schemes with agents, who are unwittingly coaxed into giving out sensitive information to unauthorized callers.
In most cases, the call center agent is tricked by skilled fraudsters who use a variety of social engineering techniques to get her to break normal security procedures.
"Social engineering is a real problem," Loeser says. "The only real defense is proper training and protocols."
Training should also address the careless things that employees do on their own that could put customer data at risk.
"A lot of breaches start with negligent employees," Ponemon cautions. He calls these employees "the dangerous insiders," noting that many are "innocent people doing stupid things."
Siegel estimates that as many as 35 percent of data breaches have started with basic human error, such as sending an email with personal information to the wrong person or storing company files on laptops or tablets that were lost or stolen.
THE INSIDE JOB
Even worse than careless employees or outside hackers, though, are the contact center agents who knowingly engage in illegal activities, using their jobs to gain access to information that they can sell or use on their own.
The temptation is great. In a call center, customers willingly hand over credit card numbers, security codes, and expiration dates to agents. Agents could skim this information with a recording device or scribble it down on a note pad. Moreover, almost all call centers today use some kind of call recording software that is capable of capturing and storing all of this sensitive consumer data so it can be accessed later.
"A lot of companies have not paid attention to the fact that their employees could be the most dangerous people," warns Bruce Pollock, vice president of strategic growth and planning at West Interactive, a provider of contact center solutions. "Their own employees could be coming to work for them every day, stealing information, and selling it."
To help contact centers deal with this threat, call center technology can completely prevent skimming by agents. At the point in the transaction where the agent needs to collect the credit card information, systems can automatically pause recordings. With other solutions, the call can be transferred to an IVR system. Agent-assisted solutions can allow agents to collect credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the system using their phones' keypads. The standard dual-tone multifrequency tones are converted to monotones so the agent cannot recognize them and they cannot be recorded.
This tokenization process is very high on security experts' list of priorities. It's also a key component of the Eckoh CallGuard solution, sold in the United States by West Interactive. CallGuard can remove credit card information, Social Security numbers, birth dates, account numbers, private healthcare information, or any other sensitive numeric data from all areas of the contact center.
"When the customer goes to key in his credit card number, the audio tones are muted so the agent can't copy the number and use it," Pollock explains. "The information is keyed in automatically, and all the agent sees on the screen is a number of Xs. The Web screen masks the digits."
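The keypad-entry flow described in the last three paragraphs has three parts: the digits the customer keys in are validated and exchanged for a token, the agent's screen shows only Xs, and the audio path the recorder sees carries no recognisable tones. The code below is an added example of that flow and is not the Eckoh, West Interactive or any other vendor's implementation; the class and function names, the token format and the test card number are all constructed. It validates the keyed-in primary account number with the Luhn check, stores it in an in-memory vault keyed by a random token, and returns the agent-side view and recorder-side event stream so the caller can confirm that neither contains a card digit.

```python
import secrets
from dataclasses import dataclass, field

DTMF_KEYS = set("0123456789*#")
END_OF_ENTRY = "#"          # constructed convention: '#' terminates keypad entry
MASKED_TONE = "TONE"        # what the recording path receives instead of a digit


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a primary account number; rejects obviously mistyped input
    before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Constructed stand-in for a tokenization service: the PAN lives only here,
    indexed by a random, non-derivable token."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


@dataclass
class CaptureResult:
    token: str
    agent_display: str      # what the agent's screen shows
    recording_stream: list  # what the call recorder receives


def mask_for_agent(pan: str) -> str:
    """The agent sees only a run of Xs, as described in the article."""
    return "X" * len(pan)


def capture_card_from_keypad(keypresses: str, vault: TokenVault) -> CaptureResult:
    """Consume DTMF key events until END_OF_ENTRY, keeping the digits away from
    both the agent view and the recording path."""
    pan_digits = []
    recording = []
    for key in keypresses:
        if key not in DTMF_KEYS:
            raise ValueError(f"not a DTMF key: {key!r}")
        recording.append(MASKED_TONE)     # recorder gets a flat placeholder, never the digit
        if key == END_OF_ENTRY:
            break
        if key.isdigit():
            pan_digits.append(key)
    pan = "".join(pan_digits)
    if not luhn_valid(pan):
        raise ValueError("card number failed Luhn check")
    token = vault.tokenize(pan)
    return CaptureResult(token=token, agent_display=mask_for_agent(pan), recording_stream=recording)


if __name__ == "__main__":
    v = TokenVault()
    r = capture_card_from_keypad("4111111111111111#", v)   # constructed Visa-format test number
    print("agent sees:   ", r.agent_display)
    print("recorder gets:", " ".join(r.recording_stream))
    print("token:        ", r.token)
```

The point of separating the three outputs is that the controls the article lists (pausing the recording, muting tones, masking the screen) are each a property of one output channel, and a test can check every channel for leaked digits independently; only the vault, which the agent desk never calls, can turn the token back into a number.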
In this environment, contact center managers and other employees need to be trained to spot at-risk employee behaviors. Training alone, though, is not enough. Ponemon and others stress that in today's high-risk cyber-business arena, employees need to know that there will be serious repercussions for violations of company practices and security protocols.
Companies need to have a clearly defined formal policy "so that employees know if they violate it, there are consequences that they will have to face," Siegel says.
Data security, therefore, has to be a business-wide endeavor. IT professionals, company executives, and employees at every level must work together to protect critical data assets from internal and external threats. Companies need to foster a security-aware culture in which protecting data is a normal and natural part of everyone's job.
Data security is also a constant game of what-ifs. The only certainty is that cyber-criminals will never stop learning and sharing information that will help them get into high-profile targets. They will never stop trying to break into corporate databases; the information is just too valuable on the black market.
"You need to understand that hacking is a crime of opportunity," Loeser says.
The key (pun intended) is making sure that you're not leaving the front door open for hackers to get in.
Editor's Note: Part 2 of this series, which will look at multifactor authentication as a way to protect consumer information, will appear in the June issue of CRM.
News Editor Leonard Klie can be reached at email@example.com.