Data is lucrative
Customers are becoming more aware of how much data they share online. As your business becomes more integrated into the cloud ecosystem, you share more and more information with other parties. There is company and customer information residing in your application servers. There is information across all the third-party providers your business uses. Your accounting system is moving online. Your doctor appointments are moving online. Online banking adoption has jumped to over 90%. You interact with these services with the expectation that your data is private and secure. There were 1473 reported data breaches in the US affecting approximately 165 million records in 2019.
Data is lucrative. It can generate revenue through legal means such as advertising or be used for ransomware, identity theft and fraud. Websites get an average of 60 attack attempts a day. Banks have reported on average over 80 serious attack attempts a year. You get the idea. You start working on your business's digital strength, offer innovative online solutions to customers, and now all the information you have collected is on the network. Most attacks are automated, without any specific incentive to attack your business. You might be able to legally limit your liability when such data is abused by third parties or breached, but the publicity will cost you a lot of business and bring scrutiny. You need to be proactive in understanding what data you are collecting, why you are collecting it and how you are keeping it safe. This is not a job only for the developers working on your project. Data security should be an important discussion point on every digital transformation project you start. It should be part of the organizational culture and should have leadership support.
What and why
It is important to understand why you need the information you are asking for from your users. The information you collect should be essential for the product or service you are offering to work. Hoarding customer data that has no use to your service has no benefit and exposes you to more risk. Many times young developers working freelance or for small agencies will create generalized data collection forms for customer registration or transactions. Make sure you go over these forms and understand what data is being captured and why it is needed to make your product work. Evaluate the importance of the data you are collecting. Are you connecting to the customer's accounting system? What information do you get from there? Why are you getting this information? Do you operate in a health-related business? Does your customer use online methods to communicate with you? Are you collecting Protected Health Information (PHI)? Is your solution HIPAA compliant? You need to understand what data you are collecting and how sensitive that information is. Unless you have a strong reason to have that data stored, don't. Many industries are regulated in terms of how customer data is stored and processed. Understanding that is crucial to avoid expensive consequences and to lead your digital transformation project ethically.
Who and when
Who can access the data in your system? Can a disgruntled employee wreak havoc and expose data? What privileges are required to access customer information? Have procedures in place that govern who can access customer data and when. Do not underestimate the importance of proper access control policies in your organization. Many times the risks to data integrity and information security are internal. When dealing with encrypted data, make sure you understand the process at a high level. Access logs should be in place. Access should require authentication, and failed authentications should be logged.
How
How are you keeping data safe? This is important for different types of data. Is sensitive data encrypted? Do all your web services or websites have an SSL certificate? SSL makes sure that data is encrypted from your servers to the end user (in transit). Is data encrypted when stored (at rest)? Who has access to the encryption keys? How often are encryption keys rotated? Is there two-factor authentication in place for both customer access and employee-level access? As part of your digital transformation project you should schedule a meeting to discuss different aspects of security and make sure the leadership team has an understanding of the process and implications at each step. Depending on the scale of your project, you might want a third-party independent security review before the project goes live, with further reviews scheduled on a continuing basis to make sure everything is running within the project specifications. Building secure solutions is only the first step to data security. Systems, applications and access privileges should be audited regularly. Third-party integrations and the data exchanged with them should be clearly defined.
Transparency
Unfortunately, no system is immune. It is important to have procedures in place for when things do not go as planned. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. It is not just the right and ethical thing to do. Transparency is a legal requirement. You need to have processes in place to make sure that customers are notified of any data breach within the limits dictated by law.
Looks complicated
It does. Security is complicated. It is important not to think of it as a fancy feature or a nice-to-have. According to the 2019 Cost of Data Breach Study by IBM Security/Ponemon Institute, a data breach costs businesses an average of $3.92 million, averaging $150 per record breached. Costs go down substantially when breaches are detected and handled earlier. The financial implications are serious. You, your digital transformation consultant and the development team should work together to mitigate data security risks. As you explore patterns to help you in your company's journey, make sure you pay close attention to data security competence.