Are Your IT Machines Compliant?

Is business compliance enough? Read on to know why IT security and compliance go hand in hand.

GuidesFor Team

As information technology continues to expand, threats and risks of potential harm such as security breaches also increase. Hackers will always try to infiltrate classified databases and steal confidential information that can immensely damage business operations. It is an event that, by all means, must be avoided. But how can you be sure that you have built a fortress that will be kept safe from cyber criminals? The quick answer is: check the quality of your IT security and compliance.

You can start by checking your compliance with the Payment Card Industry Data Security Standard (PCI DSS), a reputable information security standard used to protect cardholder data and secure payment solutions. It is administered by the major card schemes: American Express, Discover, JCB, Mastercard, and Visa. To give you an overview, the goals of its standards (as stated on their official page) are:

1. Create and Sustain a Secure Network
2. Shield Cardholder Data from Cyber Invasion
3. Implement a Vulnerability Management Program
4. Install and Operate Strong Access Control Measures
5. Regularly Check and Run Tests on Networks
6. Formulate and Uphold an Information Security Policy

In a survey conducted in 2016 by Verizon, as reported by Computer Weekly, only 29% of the respondents fully complied with PCI-DSS standards barely a year after they had received their compliance certification. This means that the other 71% are at high risk of compromising data and security. Loss of security management can lead to other negative effects such as potential loss of customers, loss of jobs, and even loss of business.


And while your business is industry-compliant, i.e. following PCI, you must also understand the risks and add security measures to your business. An example of risk despite PCI compliance is the massive data breach that occurred in 2013, when Target, a huge retail company in the US, had 40 million debit and credit card numbers stolen. This event prompted the exit of its then CEO, Gregg Steinhafel. He stated that Target complied with PCI standards; however, investigations revealed that its IT security team had failed to respond to the security breach alert that was raised before the intrusion began. The breach could have been prevented if only proper monitoring and prompt action had been carried out before it was too late.

Besides industry compliance, how else can you strengthen data security even more? One way would be through the implementation of data transfer policies. Through this, cloud file sharing could be made more secure and data theft could be reduced. This year, about 72% of US IT teams are already utilizing definitive security measures to prevent “unsecure file transfer”.

This policy would also be helpful in managing risks brought about by BYOD (Bring Your Own Device). It is common nowadays to allow employees to use their own gadgets, such as smartphones, while at work. While increasing employee productivity, this practice also exposes the company’s network to various hacking threats, as each employee would be susceptible to conducting unsecure transactions for work or personal use. Therefore, strictly implementing a data transfer policy would undoubtedly become necessary.

For some guidelines regarding information security over BYOD, businesses can pick up some clues from the UK Information Commissioner’s Office (ICO), which has published a list of information security measures that can be adapted based on the business’s security needs. ICO summarizes them as user-friendly advice:

  1. “Design and organize your security to fit the nature of the personal data you hold and the harm that may result from a security breach.
  2. Be clear about who in your organization is responsible for ensuring information security;
  3. Have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  4. Be ready to respond to any breach of security swiftly and effectively.”

IT security and compliance is challenging, as it requires intensive attention to detail, but strict adherence to it is, without a doubt, a necessity to thrive in the constantly progressing world of IT.


References:

2016 State of Data Security and Compliance

The Big Data Breaches of 2014

BYOD: Data Protection and Information Security Issues

Information Security: Principle 7

Maintaining Payment Security

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It

PCI Security

Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD)

Verizon PCI DSS report a wake-up call, says PCI Security Standards Council