5 Steps to Preventing a Data Breach

With more and more consumers using cards instead of cash to pay for their purchases, it's no surprise that retailers are adjusting their payment options to give their customers what they want. Brands are enabling e-payment options, both in store and online, where customers can pay for their merchandise with the swipe of a card and then be on their way.
However, with this increasing reliance on e-payments comes the growing threat of a potential data breach. We've all been witness to the major ramifications the recent Target, Michaels and Home Depot breaches have caused, ultimately leaving us to ponder the question, "How can retail brands give their customers the convenience of card and e-payments without putting their entire reputation at stake?"

Below are five steps retailers must take if they want to keep their customers' financial information out of harm's way. These steps are also discussed in the recently published e-book, "Five Observations of Retail Data Breaches: Why Include Encryption?"
  1. Know Exactly Where Your Customer Information Is
    Most retail brands have customer data sitting in multiple locations, whether it be at the company's corporate offices or at a specific retail store location. Because of this, it is critical that retail brands know exactly where this sensitive data is residing as well as how it is being accessed, handled and—most importantly—how it is being secured. This is especially true when dealing with information as sensitive as financial data, which has the potential to do serious damage to customers.
  2. Recognize that Data at Rest is Still Vulnerable
    Whether we like it or not, we've entered the age of bring your own device (BYOD). As a result, retail brands are putting private customer information on laptops, tablets and even phones in an effort to make their customers' lives a little bit easier. The problem arises when retailers forget about that data and a device is lost or stolen. Retail organizations of all sizes need to make sure that they are encrypting all data—including data at rest—if they want to guarantee that their customers' information is safe. If all data is encrypted, then a lost or stolen device won't spell the end for the business.
  3. Know Where Your Customer Data is Going
    Just as it is important to know where customer data resides, it is equally important to know where it is going. If they want to be able to react effectively to potential threats, retail companies need to have a clear understanding of how their customer data is moving through their infrastructure. Thankfully, technologies like sniffers and network monitoring software can help retailers track where their customers' information has been, where it's headed and—most importantly—whether it was properly encrypted in transit.
  4. Partner with a Professional
    Retailers shouldn't have to worry about hackers or looming data security threats. By partnering with a data security vendor, they will be able to leave the managing of security infrastructure to the right professionals and focus on what's really important—selling merchandise and keeping their customers happy. A partner will not only monitor for current and emerging threats, but will also implement the most appropriate security measures to keep the business protected.
  5. Put an Encryption Policy in Place
    By putting an encryption policy in place, retailers validate that the security of customer data is a priority. A successful encryption policy is one that is mandatory yet manageable, allowing for changes or revisions to be made over the course of time. Role-based controls are another critical component, ensuring that only specific individuals have the ability to control or access certain information. Routine and ongoing audits are also always recommended to ensure that a company's data security and encryption policies are constantly being enforced.
Unfortunately, data breaches are going to happen, whether we like it or not. However, with this upsurge in retail data breaches has come an increased awareness of the importance of data security programs. IT decision-makers and high-level executives are recognizing the need for better security policies and strategies; it's time to evolve our thinking and better protect our customers' sensitive information.
Garry McCracken, CISSP, is VP of technology for WinMagic.