Fraud and Data Protection Is a Process, Not a Software Program (Parts 5-7)
There are a number of articles and blogs that attempt to explain how to protect a system from data breaches, and a number of companies currently offer software packages intended to protect a system against breaches, as well as software that attempts to identify fraudulent transactions. Many companies believe that the software programs and other automated steps they take to protect the data in their systems will also protect that data from fraudulent use once it has been stolen. This is far from the truth: breach prevention and fraud detection are different problems, and a product built for one does not cover the other.
Because companies and institutions vary greatly in how they protect their own data and the data their customers entrust to them, off-the-shelf software never really addresses individual customer protection needs. Protection software is built to protect the company storing the data, not the customer whose data it is. What is needed are programs that work together to provide data protection and also notify both the affected company and the affected individual of any real or attempted fraudulent use of the lost data.
Similar organizations have similar needs, but each also has individual needs and requirements that are rarely, if ever, built into the average protection package. Vendors will try to adapt their software to a company's individual needs, but many times it is too expensive or simply not feasible to change the program in the way that would best protect the company and its customers. This is what thieves and hackers know and count on: once a widely deployed software program is understood, the theft begins and the thieves' profits increase. Until there is a proper mix of data protection software and fraud protection software that addresses all three stages (the intrusion into a company's system, the loss of data, and the fraudulent attempts that follow), losses for companies and institutions will continue to run into the billions of dollars. The True Cost of Fraud Study published by LexisNexis in 2009 stated that merchants were paying $100 billion in fraud losses and related charges for fraudulent transactions.
If data is lost through a compromise, whether directly from the company or from a third-party vendor doing business with the company, it is crucial that this information be immediately available and used to protect the consumer, the company, and merchants worldwide from losses. A layered, multi-dimensional system, backed by an automated secondary check that scores each individual transaction for anomalies, has a much better chance of stopping fraudulent transactions, especially after a breach has occurred, because the known exposure can be fed straight into the scoring.
A flaw that I have unfortunately seen a number of times when reviewing the security of systems is a system that is not "locked down". Locking a system down to an individual, and locking that individual's access to sensitive data to a single workstation, protects not only the company but every employee. Companies have asked "what about shared computers?", since many companies and institutions use them to save money. Locking down a system in the prescribed manner means that a person's access to sensitive data is controlled not only by recognizing the party's password but also by recognizing the workstation's distinct identifier (its network or hardware address, or better a device certificate, since a bare MAC address is easily spoofed). This does not mean that a party could never use another workstation; it means that because full sensitive-data permission is tied to a single station, the level of information that can be viewed from a different workstation is restricted.
A review of which personal items should be allowed during work hours should also be a priority for companies. Cell phones can take and transmit pictures around the world in a few seconds; what looks like someone making a call could really be someone photographing sensitive data. iPods are storage devices, and if there is no detection of devices being plugged into a system, large quantities of data can be lost. The same is true of USB drives, which are small and hard to detect.
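As an added illustration (not code from this article or from any product), the following Python script shows what "detection software for items being plugged in" amounts to on a Linux host: it parses kernel USB messages, groups them per port, and flags any mass storage device (USB stick, iPod, card reader) whose serial number is not on the company's allow-list of issued drives. The log lines are constructed for the example and modelled on the wording of Linux kernel messages; the allow-list, device names, IDs and serials are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample, modelled on the wording of Linux kernel (dmesg) USB messages.
# Not real log lines from any system; vendor/product IDs and serials are illustrative.
SAMPLE_DMESG = """\
[  981.100000] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[  981.250000] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  981.250500] usb 1-3: Product: Cruzer Blade
[  981.250600] usb 1-3: Manufacturer: SanDisk
[  981.250700] usb 1-3: SerialNumber: 4C530001230000000000
[  981.252000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  982.300000] sd 6:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)
[  990.000000] usb 1-4: new full-speed USB device number 8 using xhci_hcd
[  990.150000] usb 1-4: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  990.150500] usb 1-4: Product: USB Optical Mouse
[  990.150600] usb 1-4: Manufacturer: Logitech
[ 1200.000000] usb 1-5: new high-speed USB device number 9 using xhci_hcd
[ 1200.150000] usb 1-5: New USB device found, idVendor=05ac, idProduct=1209, bcdDevice= 0.01
[ 1200.150500] usb 1-5: Product: iPod
[ 1200.150600] usb 1-5: Manufacturer: Apple Inc.
[ 1200.150700] usb 1-5: SerialNumber: 000A27001A2B3C4D
[ 1200.152000] usb-storage 1-5:1.0: USB Mass Storage device detected
"""

# One regex per message type; group 1 is always the USB port path (e.g. "1-3").
FOUND_RE = re.compile(r"\] usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"\] usb ([\d.-]+): Product: (.+)$")
MFR_RE = re.compile(r"\] usb ([\d.-]+): Manufacturer: (.+)$")
SERIAL_RE = re.compile(r"\] usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE_RE = re.compile(r"\] usb-storage ([\d.-]+):[\d.]+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor_id: str = ""
    product_id: str = ""
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> Dict[str, UsbDevice]:
    """Group kernel USB messages by port into one record per attached device."""
    devices: Dict[str, UsbDevice] = {}

    def dev(port: str) -> UsbDevice:
        return devices.setdefault(port, UsbDevice(port))

    for line in log_text.splitlines():
        if m := FOUND_RE.search(line):
            d = dev(m.group(1))
            d.vendor_id, d.product_id = m.group(2), m.group(3)
        elif m := PRODUCT_RE.search(line):
            dev(m.group(1)).product = m.group(2).strip()
        elif m := MFR_RE.search(line):
            dev(m.group(1)).manufacturer = m.group(2).strip()
        elif m := SERIAL_RE.search(line):
            dev(m.group(1)).serial = m.group(2)
        elif m := STORAGE_RE.search(line):
            dev(m.group(1)).mass_storage = True
    return devices


def find_unauthorized_storage(devices: Dict[str, UsbDevice], allowed_serials: Set[str]) -> List[UsbDevice]:
    """Mass storage devices not on the issued-device allow-list (keyed by serial).
    A storage device that reports no serial at all is treated as unauthorized."""
    return [d for _, d in sorted(devices.items())
            if d.mass_storage and (not d.serial or d.serial not in allowed_serials)]


if __name__ == "__main__":
    # Assumed allow-list of company-issued encrypted drives, keyed by serial number.
    issued = {"4C530001230000000000"}
    for d in find_unauthorized_storage(parse_usb_events(SAMPLE_DMESG), issued):
        print(f"ALERT port {d.port}: {d.manufacturer} {d.product} "
              f"({d.vendor_id}:{d.product_id}) serial={d.serial or 'none'}")
```

On the sample above the SanDisk drive is on the allow-list and the mouse is not storage, so only the iPod on port 1-5 is reported. In practice the same logic runs from a udev or auditd hook rather than over a saved log, and the alert should go to the security team rather than only to the console.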
Access to customers' sensitive data should never be allowed outside the company. This includes allowing laptops or other storage devices to be taken out of the office if this information is stored on the device; a number of reports have described the loss of such devices and the information on them. If access is needed outside the company's or institution's location, then an external lockdown procedure similar to the internal one should be required. These external sessions should be monitored by internal personnel, with special login procedures and a secondary validation step each time the external system is used.
Failing to take steps beyond current software and personnel to protect a company's data from theft, and from the fraud that stolen data makes possible, has resulted in hundreds of millions of people being affected. A data intrusion can be devastating to a company's bottom line, so investing in someone to suggest a few extra steps of protection can in fact save a company time and money.
Examining how to protect your business data and your customers' information requires looking beyond the normal operating procedures companies employ. Protecting sales with a variety of procedures is paramount to protecting not only your company's reputation and sales but the customers' data. The problem I see with last-minute measures taken by companies and organizations is that they try to give two-dimensional protection in a three-dimensional world.
The best explanation I can come up with for my version of two-dimensional protection is this: many companies are still using systems developed over the last few decades to protect parties known to the company or that have a relationship with it. Our new three-dimensional world allows buyers to be completely anonymous; the buyer may use any identity they wish, and you as the company must take their word for it or risk upsetting a potentially good customer. It used to be buyer beware; today's world is turning into company beware.
Companies should consider the following. Store personal and sensitive data on a system separate from the system(s) that are accessible to or used by parties outside the organization, and separate from the systems company personnel use for normal internet access in their daily duties. This secondary system should have lockdown procedures that only allow sensitive or personal data to be transferred into the system, never out of it, except to authorized personnel within the company. The lockdown should further restrict those authorized personnel to accessing the information from separate workstation(s) that are not directly or indirectly connected to any outside system. The protection programs on these systems need to model each individual customer's purchasing patterns rather than applying a general review that only checks whether a transaction "looks safe".
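The segregation described here, together with the single-workstation lockdown and the external secondary validation step from the earlier paragraphs, can be written down as one explicit access policy. The Python below is an added example, not the author's system or any vendor's product: a decision function that grants a user's full clearance only at the registered home station, caps it at internal data anywhere else, lets data flow into the segregated store from any registered station, allows sensitive reads only from an isolated station, and refuses external sessions until the secondary validation has passed. The users, stations and identifiers are constructed assumptions, and the station identifier is assumed to be a device-certificate fingerprint rather than a spoofable hardware address.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2      # customer PII, card and account data


@dataclass(frozen=True)
class Station:
    station_id: str    # assumed: a per-device certificate fingerprint, not a spoofable MAC address
    isolated: bool     # True only on the segregated segment with no route to outside systems
    external: bool     # True for off-site endpoints (VPN laptops, remote offices)


@dataclass(frozen=True)
class User:
    username: str
    clearance: Level
    home_station: str  # the single workstation where the user's full clearance applies


@dataclass(frozen=True)
class Request:
    username: str
    station_id: str
    action: str                      # "read" (data leaves the store) or "write" (data goes into it)
    level: Level                     # classification of the data being touched
    second_factor_ok: bool = False   # result of the secondary validation step


@dataclass(frozen=True)
class Decision:
    allowed: bool
    effective_level: Level
    reason: str


def effective_level(user: User, station: Station) -> Level:
    """Full clearance only at the registered home station; elsewhere capped at INTERNAL."""
    if station.station_id == user.home_station:
        return user.clearance
    return min(user.clearance, Level.INTERNAL)


def decide(req: Request, users: Dict[str, User], stations: Dict[str, Station]) -> Decision:
    user = users.get(req.username)
    station = stations.get(req.station_id)
    if user is None or station is None:
        return Decision(False, Level.PUBLIC, "unknown user or unregistered station")
    if station.external and not req.second_factor_ok:
        return Decision(False, Level.PUBLIC, "external access requires secondary validation")
    if req.action == "write":
        # Data may flow into the segregated store from any registered station.
        return Decision(True, req.level, "inbound transfer to the segregated store")
    if req.action != "read":
        return Decision(False, Level.PUBLIC, f"unsupported action {req.action!r}")
    level = effective_level(user, station)
    if req.level > level:
        return Decision(False, level, f"clearance at this station is limited to {level.name}")
    if req.level >= Level.SENSITIVE:
        if station.external:
            return Decision(False, level, "sensitive data never leaves the organization")
        if not station.isolated:
            return Decision(False, level, "sensitive data is readable only from the isolated segment")
    return Decision(True, level, "allowed")


# Constructed directory (assumption: in practice this comes from the identity provider and asset inventory).
USERS = {
    "alice": User("alice", Level.SENSITIVE, "ws-finance-07"),
    "bob": User("bob", Level.INTERNAL, "ws-shared-01"),
}
STATIONS = {
    "ws-finance-07": Station("ws-finance-07", isolated=True, external=False),
    "ws-shared-01": Station("ws-shared-01", isolated=False, external=False),
    "laptop-vpn-03": Station("laptop-vpn-03", isolated=False, external=True),
}

if __name__ == "__main__":
    for r in (Request("alice", "ws-finance-07", "read", Level.SENSITIVE),
              Request("alice", "ws-shared-01", "read", Level.SENSITIVE),
              Request("alice", "laptop-vpn-03", "read", Level.INTERNAL, second_factor_ok=True),
              Request("alice", "laptop-vpn-03", "read", Level.SENSITIVE, second_factor_ok=True)):
        d = decide(r, USERS, STATIONS)
        print(f"{r.username}@{r.station_id} {r.action} {r.level.name}: {d.allowed} ({d.reason})")
```

The order of the checks matters: the external second-factor check runs before anything else so that a remote session cannot even write without it, and the "sensitive never leaves" rule is evaluated even when the user's clearance would otherwise permit the read, so a mistake in the user directory (a home station that happens to be external) cannot open sensitive data to the outside. A shared computer simply never appears as anyone's home station, which is exactly the restriction the previous part describes.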
Consumers and companies also need to take steps to protect themselves and should request automatic notifications from the financial institutions and credit card companies they use: an alert whenever the account is logged into, and whenever a purchase or other transaction is above a specified amount or outside the normal purchasing pattern. For some parties this may mean receiving a number of notifications per day, and my recommendation is not to just glance at them or ignore them. If a financial institution or credit card company is unable to supply this information to you, consider either changing to another company or minimizing your use of them.
Fraud and data protection is a process that companies believe they are properly investing in, until a loss occurs. Because of the many high-profile losses, more attention has been given to making systems safer. Unfortunately, data losses are still happening daily, and some are happening to the same companies multiple times.
The goal needs to be a process and software that protect at a more granular level, one that does not get in the way of the party making the purchase but still provides an extremely high level of fraud and data protection. As previously stated in this series, a layered, multi-dimensional system backed by an automated secondary check that scores each transaction for anomalies has a much better chance of stopping fraudulent transactions, especially after a breach has occurred.
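To make the "automated secondary system for anomalies" concrete, here is an added Python example (not code from this series or from any vendor) that builds a per-customer purchasing profile from that customer's own history and scores each new transaction against it. It combines the notification rules from the previous part (an alert above a set amount or outside the normal pattern) with a watch-list of accounts whose data is known to have been exposed in a breach, so the exposure immediately raises scrutiny on that account. The history, point values and thresholds are constructed assumptions chosen for illustration; a production system would tune them on real data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    merchant_category: str   # e.g. "grocery", "fuel", "electronics"
    country: str             # merchant country code
    hour: int                # cardholder-local hour of day, 0-23
    card_present: bool       # False for online or keyed-in transactions


@dataclass
class Profile:
    """What 'normal' looks like for one customer, learned from their own history."""
    mean_amount: float
    std_amount: float
    categories: Set[str]
    countries: Set[str]
    hour_min: int
    hour_max: int
    always_card_present: bool


@dataclass
class Verdict:
    score: int
    action: str                 # "approve", "notify", "step_up" or "decline"
    reasons: List[str] = field(default_factory=list)


def build_profiles(history: List[Txn]) -> Dict[str, Profile]:
    by_account: Dict[str, List[Txn]] = defaultdict(list)
    for t in history:
        by_account[t.account].append(t)
    profiles: Dict[str, Profile] = {}
    for account, txns in by_account.items():
        amounts = [t.amount for t in txns]
        hours = [t.hour for t in txns]
        profiles[account] = Profile(
            mean_amount=mean(amounts),
            std_amount=pstdev(amounts) if len(amounts) > 1 else 0.0,
            categories={t.merchant_category for t in txns},
            countries={t.country for t in txns},
            hour_min=min(hours),
            hour_max=max(hours),
            always_card_present=all(t.card_present for t in txns),
        )
    return profiles


def score_txn(t: Txn, profiles: Dict[str, Profile], breached_accounts: Set[str],
              notify_threshold: float = 500.0) -> Verdict:
    """Score one transaction against the customer's own pattern.
    Point values, thresholds and the breach bonus are illustrative assumptions."""
    p = profiles.get(t.account)
    if p is None:
        # No pattern to compare against: send to secondary validation rather than guess.
        return Verdict(3, "step_up", ["no purchasing history for this account"])
    score = 0
    reasons: List[str] = []
    # Floor the spread at 10 so a short, very regular history is not over-sensitive.
    limit = p.mean_amount + 3 * max(p.std_amount, 10.0)
    if t.amount > limit:
        score += 2
        reasons.append(f"amount {t.amount:.2f} exceeds pattern limit {limit:.2f}")
    if t.merchant_category not in p.categories:
        score += 1
        reasons.append(f"new merchant category {t.merchant_category}")
    if t.country not in p.countries:
        score += 2
        reasons.append(f"new country {t.country}")
    if not p.hour_min <= t.hour <= p.hour_max:
        score += 1
        reasons.append(f"hour {t.hour} outside usual window {p.hour_min}-{p.hour_max}")
    if not t.card_present and p.always_card_present:
        score += 1
        reasons.append("card-not-present on an account that has only used the card in person")
    if t.account in breached_accounts:
        # Known exposure feeds straight into the score, so post-breach misuse is caught earlier.
        score += 2
        reasons.append("account data exposed in a known breach")
    if score >= 5:
        action = "decline"
    elif score >= 3:
        action = "step_up"          # secondary validation with the customer before approval
    elif score >= 1 or t.amount >= notify_threshold:
        action = "notify"           # customer and issuer get an alert; the transaction proceeds
    else:
        action = "approve"
    return Verdict(score, action, reasons)


# Constructed history for one customer (assumption: real profiles come from months of data).
HISTORY = [
    Txn("A1", 40.00, "grocery", "US", 8, True),
    Txn("A1", 55.00, "fuel", "US", 12, True),
    Txn("A1", 62.00, "grocery", "US", 17, True),
    Txn("A1", 48.00, "grocery", "US", 9, True),
    Txn("A1", 70.00, "fuel", "US", 19, True),
    Txn("A1", 45.00, "grocery", "US", 12, True),
]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for txn in (Txn("A1", 58.00, "grocery", "US", 12, True),
                Txn("A1", 1299.00, "electronics", "RO", 3, False),
                Txn("A1", 640.00, "grocery", "US", 12, True)):
        v = score_txn(txn, profiles, breached_accounts=set())
        print(txn.amount, v.action, v.score, v.reasons)
```

Against the constructed history, a routine 58.00 grocery purchase is approved, a 1299.00 card-not-present electronics purchase at 3 a.m. in a country the customer has never bought from is declined outright, and a 640.00 grocery purchase that is otherwise normal only triggers a notification. Adding the account to the breach watch-list lifts that same routine purchase to a notification and any single further anomaly to secondary validation, which is the behaviour the series argues for after a breach: the customer is not blocked for ordinary use, but the margin before a challenge shrinks.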