Any company, regardless of its size, collects customer information as part of its business operations. Whether they accept orders or provide a service, organizations process sensitive customer data on a regular basis and, oftentimes, at a large scale. In recent years, the protection of customer information has been increasingly regulated, creating a new set of challenges for business owners.
Personally identifiable information (PII) that includes phone numbers, passports, and social security numbers falls under the incidence of data protection laws such as the EU’s General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA). Another type of customer data such as credit card information is protected under international standards like the Payment Card Industry Data Security Standard (PCI DSS).
Sensitive customer information is also the type of data most sought after by cybercriminals. According to the Cost of a Data Breach report 2020 released by IBM and the Ponemon Institute, customer PII was compromised in 80% of all data breaches, making it the type of record most often lost or stolen. Customer PII was also the costliest type of data compromised in a data breach, averaging $150/record.
Compromised customer data also lead to reputational damage, the worst consequence of which is lost business. In a 2020 report by PwC, 27% of survey respondents said they would stop doing business with a company if their data privacy or security had been compromised due to a security incident.
Taking all this into consideration, it’s clear it is in the best interest of each company to protect their customer information. Here are some of the steps organizations are taking to protect sensitive customer data against security breaches and data loss.
Basic cybersecurity measures
One of the easiest ways companies protect customer information is by adopting basic cybersecurity measures. These are usually aimed at protecting customers’ data from cyberattacks and include the implementation of antivirus and anti-malware solutions and firewalls, but also the enforcement of strong password policies.
Businesses can also require employees to change default passwords on all work devices and keep their operating systems and security software always up to date. In this way, malicious outsiders cannot exploit unpatched security vulnerabilities.
Protect customer information from insider threats
Cyberattacks and data breaches are not the only risks that customer information faces. Insider threats are also responsible for a big chunk of security incidents. The Ponemon Institute reports that human error accounts for 23% of all data breaches. Employees are responsible for 24% of malicious attacks as well, with 7% intentionally compromising sensitive data and a further 17% falling victims to phishing and social engineering attacks.
To avoid data exfiltration and loss, companies adopt Data Loss Prevention (DLP) solutions. Through DLP technology, organizations can define what sensitive data means to them in the context of their business and then control and monitor that data through policies. DLP tools help protect not only customers’ personal data but also intellectual property and financial data.
Using content inspection and contextual scanning, DLP solutions can search for sensitive information in hundreds of file types in real-time, whether it is in transit or stored locally on employees’ computers. Once identified, they can monitor sensitive data, block its transfer and encrypt or delete it when it is found in unauthorized locations. DLP tools also log any attempted policy violations and produce reports of all security incidents.
Some solutions, like Endpoint Protector, take things a step further by giving companies the possibility to mix and match DLP features based on business needs. This means that, besides providing highly effective policies for the protection of sensitive data at rest and in motion, organizations can add features such as device control that blocks or limits the use of USB, peripheral ports, and Bluetooth and enforced encryption that ensures that any data transferred onto USBs is encrypted.
Use encryption
Encryption is another effective way to safeguard customer information. By making hard drive encryption a requirement, companies ensure that in the eventuality that a work computer is lost or stolen, no one will have access to the data on it without a decryption key. Hard drive encryption is a cost-free solution most companies can easily apply as the most popular operating systems today carry their own native encryption tools: Windows has BitLocker and macOS, FileVault.
Limit access to customer information
Another way companies protect customer data is by limiting access to sensitive information. Companies first evaluate their employees’ responsibilities and see which require access to customer information to fulfill their duties. They then implement a unique ID credentials system and grant access rights to employees based on their job scope.
Train employees
Security measures are useless if employees are not aware of the risks customer information faces. A lack of awareness can lead them to disregard policies and circumvent measures put in place for data protection and compliance reasons to simplify their tasks.
To protect customer information, companies provide employees with training that aims to inform them of the importance of data protection and the consequences of a data breach but also educates them on how to handles attacks that target personnel directly such as phishing and social engineering.
By using DLP solutions’ monitoring capabilities, companies can also discover how data is being used and transferred by employees, helping them identify bad practices and employees that might require additional training.