You are here
The recent quagmire that the WikiLeaks drama has caused highlights the importance of rethinking the strategy behind the security of people and information assets within an organization. As a result, there's nothing more important than a retail organization's confidential information, as well as the protection of its customer information assets.
No longer does the idea of a "hard outer shell" constitute an adequate approach to cybersecurity. The term "cybersecurity" aptly defines the spectrum and magnitude of security, data privacy and protection. For retailers, this means striving to establish and/or improve the operations of the IT security organization, as well as the remediation of breaches and compliance failures or gaps -- including those related to the newest technologies.
Cloud-based applications, appliances and tools represent a unique challenge to an organization's security, providing a compelling reason for leadership teams to consider the broader implications of implementing and using new technology.
In today's retail technology environment, companies must focus on the fundamentals of sound security and control in order to be successful. There is a need to provide special emphasis on protecting your customer and company information. With the epidemic of credit card fraud and abuse, companies are subject to regulatory action if they don't actively protect important and sensitive information.
Even more importantly, if customer information is breached, organizations are required to notify affected customers. These "data breach notification" laws currently exist in 46 states and have their own unique requirements and present a heavy burden on custodians of data. There are proposals at the federal level for a unified breach notification law that will strengthen requirements for notification. There is an ever-growing list of recognizable targets in this space, including T.J. Maxx, Sony, Heartland Payments, Epsilon and a number of others.
Below are five strategies that will help you develop a proactive approach to protect your customer and company's data assets from the inside out. While these are not all encompassing, a strong security plan will help you stay protected and prevent the possibility of being "WikiLeaked."
1. Implement a security strategy that fits your business needs. Your security strategy should address both internal and external factors, including any information about your customers and employees.
2. Ensure you have sound policies, procedures and practices with respect to data security. These should be detailed and well understood not only by corporate management, but also the people who work in the business every day. In a retail environment, that includes everyone at the store level and the corporate environment.
3. Classify your information by sensitivity and secure it appropriately; specify data-retention guidelines for each category. It is important to ensure the information you capture, store and use on an ongoing basis is known, understood and secured.
4. Perform a comprehensive analysis of the storage locations and flow of your sensitive information. Evaluate the corresponding protection mechanisms. A rule of thumb should be: If you don't need to retain the information and aren't required to keep it, get rid of it. For information you must keep, have a retention policy in place and follow it closely.
5. Commit to monitoring and managing the security of the data in your organization -- it's important to your customers, shareholders and employees.
Danny Miller is a principal and national solutions lead for Cybersecurity & Privacy at Grant Thornton LLP. He can be reached at Danny.Miller@us.gt.com or (215) 376-6010. You can also visit the company's Cybersecurity website at www.grantthornton.com/cybersecurity to learn more about what you can do to stay protected.
Editor's Note: The opinions expressed in this column are the author's, and do not necessarily reflect the views of Convenience Store News.