Do you know where your company’s crown jewels are? Comparing customer data to the crown jewels is obviously an appropriate analogy if you consider the history of the jewels.
The crown jewels represent the wealth of the monarchy, and in times gone by, a measure of fiscal reserve. England kept its Crown Jewels in Westminster Abbey until the early fourteenth century, and then were were moved to the Jewel House within the Tower of London. The most recent (publicly acknowledged) attempt to steal the Jewels occurred in the seventeenth century.
Not many companies have the luxury of a Beefeater or two guarding their precious data, but it’s still possible to successfully protect the information.
Where Is My Customer Data?
This is the linchpin question. Security architecture is a pivotal investment for every company dealing with customer data. Architectural design for securing the data sets must come on the front end and then build to design. The design should fall into three categories: When the customer is engaged with their data, when the company is engaged with the customer's data, and when the data is at rest.
Keeping the Customer's Engagement Secure
The Heartbleed and Shellshock vulnerabilities drove home the point of staying on top of the systems used to engage customers, be that via a web browser or point of sale (POS) terminal. On the customer experience side, the key is to reduce friction and ensure that access is permitted only after appropriate authentication. A key strategic exercise before the first customer is engaged is to map the path that customer-provided data takes through your systems. The mapping must include the state (clear text or encrypted), the pipe (secure or open), and the destination protocols (authentication).
Once the data is within your company's control, the company (and its vendor partners) are the custodians. To determine whether the data security architecture includes protecting the data from prying eyes, answer one question: If curious employees or vendors wished to look into the process through their natural access to the infrastructure, would they be able to exploit or remove sensitive data? If the answer is yes, then there is opportunity to make adjustments to bring the answer closer to "no."
The health and financial sectors are two examples of where it is not uncommon for many employee/vendor processes to have access to sensitive customer data. Both of these sectors have regulators and compliance requirements which must be addressed.
Companies that operate in non-regulated sectors should avail themselves to the rationale behind the regulatory requirements concerning customer or patient data handling requirements, and then juxtapose them to their own company's situation.
Customer data is truly the life's blood of every company. If you lose or compromise your customer data, then you risk losing your customer. Review the checks and balances in place to ensure the data is being appropriately stored, maintained, and accessed. This may include audit trails, anomaly alarms, or two-person authentication.