The c-words that curse data breaches

Summary: Behind every security failing are the same recurring themes that companies large and small need to address, says Alan Calder

It's astonishing how often the same failings crop up in the context of data breaches. So what's at the root of the problem, asks Alan Calder.

In terms of data security, you might think that cyberattack is the dominant threat. But a bigger problem can permeate an entire organisation long before an attack begins: complacency.

C-words seem to abound in the spate of successful cyberattacks this year. Credit cards. Compromise. Crime. Crisis. Compensation. However, words such as caution and compliance are sadly absent from the list.

How can any company possibly allow customers' personal data — from names and addresses to credit card numbers — to be compromised in a security breach? Any answer must surely begin with complacency.

Why are companies storing full card numbers at all? The Payment Card Industry Data Security Standard (PCI DSS) requires that the primary account number (PAN) is stored only where there is a documented business need, and that wherever it is stored it is rendered unreadable, for example by truncation, tokenisation, strong encryption or a keyed one-way hash. Sensitive authentication data such as the card security code may never be stored after authorisation.
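The requirement to render a stored PAN unreadable, and the trap of doing it with a bare hash, shown in code. This is an added example, not code from the original article or from the PCI Security Standards Council. It assumes a database dump that holds both the truncated PAN (first six and last four digits, a display form PCI DSS permits) and an unkeyed SHA-256 of the full PAN; the card number is a constructed test number and the HMAC key is hypothetical. The attacker enumerates the masked middle digits, lets the Luhn check digit fix one of them, and recovers the full PAN from the unkeyed hash in seconds; the same search fails against an HMAC whose key is held outside the database.

```python
"""Rendering a stored card number (PAN) unreadable, and why a bare hash is
not enough.

Added example; not code from the original article or from the PCI
Security Standards Council. Sample PANs are constructed test numbers.
The "attacker" here is assumed to hold a database dump containing both
the truncated PAN (first six and last four digits) and an unkeyed
SHA-256 of the full PAN.
"""
import hashlib
import hmac
import itertools
from typing import Optional


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Luhn value of one digit. The doubled map is a bijection on 0-9."""
    if not doubled:
        return digit
    value = digit * 2
    return value - 9 if value > 9 else value


# Inverse of luhn_contribution for each parity, used to solve for one digit.
_LUHN_INVERSE = {
    parity: {luhn_contribution(d, parity): d for d in range(10)}
    for parity in (False, True)
}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    total = sum(
        luhn_contribution(int(ch), i % 2 == 1)
        for i, ch in enumerate(reversed(pan))
    )
    return total % 10 == 0


def luhn_solve(template: str) -> str:
    """Fill the single '?' in template with the digit that makes it Luhn-valid."""
    gap = template.index("?")
    total = sum(
        luhn_contribution(int(ch), i % 2 == 1)
        for i, ch in enumerate(reversed(template))
        if ch != "?"
    )
    doubled = (len(template) - 1 - gap) % 2 == 1
    needed = (-total) % 10
    return template[:gap] + str(_LUHN_INVERSE[doubled][needed]) + template[gap + 1:]


def truncate_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def weak_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: deterministic and cheap to brute-force."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the database (e.g. in an
    HSM or key-management service). Without the key, candidates cannot be
    tested, so the search below fails."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, target_hash: str) -> Optional[str]:
    """Attacker's search: enumerate the masked middle digits of a truncated
    PAN, letting the Luhn check digit fix the last one, and compare an
    unkeyed SHA-256 of each candidate with the stored hash. For a 16-digit
    PAN that is 10**5 candidates, seconds of work."""
    head, tail = truncated[:6], truncated[-4:]
    free = len(truncated) - 10 - 1  # one masked digit is determined by Luhn
    for digits in itertools.product("0123456789", repeat=free):
        candidate = luhn_solve(head + "".join(digits) + "?" + tail)
        if weak_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4242424242424242"  # constructed test number, Luhn-valid
    key = b"demo-key-kept-outside-the-database"  # hypothetical key
    truncated = truncate_pan(pan)
    print("stored truncated form:", truncated)
    print("recovered from unkeyed hash:", recover_pan(truncated, weak_hash(pan)))
    print("recovered from keyed hash:  ", recover_pan(truncated, keyed_hash(pan, key)))
```

PCI DSS itself warns that a hashed and a truncated copy of the same PAN must not sit where they can be correlated, and version 4.0 requires that hashes used to render PAN unreadable are keyed cryptographic hashes of the whole PAN; the search above is the reason.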

Pressured into PCI DSS compliance

Any organisation that processes, transmits or stores payment card data must comply with the PCI DSS. So what has been going wrong? Every day, we see small e-commerce businesses with tight budgets being pressured into PCI DSS compliance by their acquiring banks — the financial institutions that accept credit-card payments for a merchant.

Do some businesses consider themselves too big to worry about complying? There is no justification for ignoring the PCI DSS and there are no excuses for failing to train staff.

However, even a standard as rigorous as PCI DSS only offers limited protection in isolation. Effective security depends on establishing a comprehensive and interconnected defence strategy.

A good place to start is the ISO27001 security management standard, which complements PCI DSS. The standard represents international best practice for any organisation seeking a structured framework to address cyber risks. Any organisation that handles customers' personal data, but is not compliant with ISO27001, is displaying overt negligence.


However, every organisation should remember that ISO27001 certification, like PCI DSS compliance, does not equate to invincible security. ISO27001 simply specifies an information security management system (ISMS) that, effectively deployed, improves an organisation's information security and resilience. New threats are constantly evolving, so defences need to evolve constantly too. There is no room for complacency.

Risks of ignoring security frameworks

Equally, do not make the mistake of assuming your company is too small to find any value in an ISO27001-compliant structured framework, or that you can justifiably make a management decision to take the risk and suffer the consequences.

No business operates in isolation. Other companies will scrutinise your processes too. Enlightened organisations will want to...
