
Data Security 2010: Lessons learned from 2009 and how to move your Internet Retail business into the future

Data Security has been top of our minds at Ignify. We spent over 18 months strengthening the security of Ignify eCommerce, including taking it through PCI compliance. I am glad to report that the PCI Standards Council passed Ignify eCommerce on the PA DSS II standard, which makes us the only eCommerce platform offering integration with mid-market ERPs to have achieved that. Based on my experience leading this effort, I came up with some trends and tips that can help you and any business that is selling, or looking to sell, online. Some background first: per the DataBreaches website, 2009 has been the first year since 2005 in which the number of recorded data breach incidents has actually dropped. If that makes you feel a little more secure, there is a counter side. The same site reports on personal records that have been exposed: 220 million records in 2009 as compared with 35 million in 2008.

There are two important trends to note here. The first is that technology advancements (and simplifications) have made breaches increasingly difficult. The second is the people side of the equation, where small entry errors have led to large-scale breaches that are sometimes more difficult to manage than technology issues. The fact is that there are people involved in keeping information secure. It is extremely critical that processes such as immediately terminating access when employees leave an organization are well oiled and working at all times.

My prediction is that 2010 will see more breaches due to human errors rather than technology errors. For example, there were 11 breaches reported on privacyrights.org in November 2009. Out of these, 8 breaches were human errors while 3 were technical holes or hacks.

With a poor economic state and online shopping becoming a necessary tool for tough times, merchant readiness for handling confidential data on both the technology and people fronts is critical for a successful online presence. As the New Year approaches, it is important to review the lessons learned from the past year and reflect on how we can use past trends to correct and innovate data security in 2010.

What have we learned in the past year?

Lesson 1: Be ready to handle confidential data before you turn on the switch

The healthcare industry was hit with a flurry of data breaches in 2009. Most recently and noticeably, in August, Anthem Blue Cross and Blue Shield of California was involved in a data breach affecting more than 850,000 physicians throughout the United States. Critical personal information, such as Social Security, taxpayer ID, and NPI numbers, may have been compromised when a laptop containing sensitive data was stolen in Chicago.

What can we learn from this very basic case of information theft? Anthem and Blue Shield were not prepared to handle confidential data. Carrying secure data on physical media has specialized security needs, and merchants should have those processes well tied together. At times, it boils down to simple processes that include how authorization and communication are carried out in an organization.

Technology has matured thanks to collective learning becoming a part of the technology itself, but organizations do not assimilate best practices at the same pace. People unfortunately make mistakes, and security mistakes can be fatal to your business.

Once the switch is turned on and systems start humming, there is a human tendency to start focusing on day-to-day operational issues, and data security begins to take a back seat. As a merchant, it is important that you have your people-related systems in place to conduct regular audits and trainings to keep data security in the front. Does it have to be expensive? No. Simple devices such as funny posters on the wall or creative emails do a great job of reminding everyone of the threat.

Lesson 2: Think about Data Security upfront while working on your online initiatives

Whether you are working with a vendor or in-house staff, ensure that you have proven expertise on board. With a vendor, this could mean checking whether their systems have the necessary security certifications. As an example, PCI PA certification applies to all software vendors handling card data in any form or fashion, and the certification body has published a list of certified software for public access. For in-house staff, there are a couple of options: SSCP certification for network administrators and CSSLP certification for developers.

Using these public initiatives, you can learn about data security and make decisions that have the data security green light.

Lesson 3: If you are an eCommerce merchant, get PCI certified

Over the years, PCI has become a leading authority for merchants to learn about data security threats and mechanisms to prevent them. As a merchant, you can get PCI DSS certified by ensuring that you meet all the criteria laid out by the Security Standards Council. The cost of such certifications has been coming down, but it may still be prohibitive for some merchants. In such cases, there is a self-assessment available that any merchant can use to ensure that they can handle confidential data.

Treat PCI certification as a fixed asset purchase: it will serve you over a longer period and earn you a benefit, the trust of your customers, that has a very definite ROI over time.

Lesson 4: Compliance is not a golden ticket: Secure your systems: once, twice, three times.

In July, Network Solutions LLC, a web hosting firm, announced a data breach of approximately 574,000 individuals' credit card information. The company claimed that it discovered unauthorized code on servers that supported its e-commerce merchants' websites. It was determined that the transaction data of about 4,343 of its merchant websites was breached sometime between March 12, 2009 and June 8, 2009. In a statement released by Network Solutions, the firm said it had been breached despite its PCI compliance status.

What can we learn? Being compliant is the minimum bar required to switch on your online systems. Remaining compliant means working carefully with your team and the processes that handle confidential data. Security standards and guidelines are great to learn from, but they are not a solution in themselves. Data security is fast becoming a people problem rather than a technology problem. Having the right people on your team to do regular audits and compliance checks becomes a very difficult and expensive lesson to learn after a data breach occurs.

Lesson 5: Be transparent with your customers at all times!

So what if a breach finally happens? What should you do? The first thing is to inform everyone who was affected and immediately reach out to law enforcement agencies for help.

Anthem was heavily criticized for not notifying the victims of the theft (mostly healthcare providers) in a timely manner. Reports indicated that several of the 50 affected states were not notified until up to two months after the breach, giving cyber criminals more than enough time to wreak a significant amount of damage with the victims' personal information, under the radar.

Transparency is important if a data breach incident occurs. The quicker your response to a data breach, the faster and easier the issues can be resolved and data can be recovered and/or protected. It is critical that your customers are educated about and aware of the dangers of the marketplace. There are free resources that allow consumers to monitor, freeze, and simply check their credit status with the three major reporting agencies, Equifax, Experian and TransUnion, to protect themselves from personal data breaches, putting the power in their own hands.

As a merchant or data custodian, it is your responsibility to educate all affected parties on the steps they can take to avoid the damage.

The future of Data Security: Where do we go from here?

Finally, the law seems to be catching up. With the recent passage of the Data Breach Notification Act (Bill S. 139), introduced in January by Senator Dianne Feinstein, D-Calif., data security has become a hot topic of discussion for all types of businesses. The Data Breach Notification Act will require any federal agency or business entity to notify an individual of a security breach involving personal information without "unreasonable" delay, meaning "any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required." The bill also requires that major media outlets notify residents of the respective states affected by the breach.

A complementary bill to the Data Breach Notification Act also passed concurrently: the Protecting the Privacy of Social Security Numbers Act (Bill S. 141), introduced in July by Sen. Patrick Leahy, D-Vt. This bill sets notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and requires businesses to implement preventive security standards to guard against threats to their databases.

Data security now has increasing legal ramifications as well. Just as you would invest in your business to comply with the local laws of the land, data security is another investment being made mandatory by law, which is good. The maturity of technology and the related people challenges mean that merchants of all sizes have to continuously worry about the people they put in charge of keeping systems secure and handling confidential data.

Let 2010 be the year you commit to training and educating your people to make your organization ready to handle confidential data. Rework your processes next year to have a continual audit of your systems to make sure that they remain ready. At the end of the day, your processes should NOT be like this one.

Pankaj Kumar is the CTO of Ignify. Ignify is a technology provider of ERP, CRM, and eCommerce software solutions to businesses and public sector organizations. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with the Microsoft Dynamics ERP and Sage ERP solutions. Ignify has been included as one of the fastest growing businesses in North America for 3 years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine.

Comment, December 3rd, 2009 at 21:37:

Data Security must be the main task to open up any project. Ignify solutions include Sage software and Sage ERP solutions. Ignify has been an emerging company providing the best ERP solutions.