Customer data is becoming increasingly valuable, especially as organisations look to use customer experience as a brand differentiator. However, as the number of cybercriminals grows year by year, it can be difficult to protect and monitor customer data constantly. According to Symantec's Internet Security Threat Report, half a billion personal records were stolen or lost in 2015.
Sanjay Rohatgi, Vice President of Symantec APAC, explains why customer data is highly sought after and easily accessible to cybercriminals. "Personal data can and will be used to commit crimes - whether to conduct identity fraud, or to enhance the social engineering in phishing scams, or even as part of the reconnaissance in the prelude to a targeted attack. The recognition of the potential value of this data in the wrong hands has resulted in social networking services enhancing and tightening their privacy controls, and more people regarding their personal data with greater respect."
He added: "Cybercriminals exploit what they perceive to be the weakest link in the chain - humans. Cybercriminals are now creating stealthier spear-phishing campaigns that target fewer individuals with a small number of select organisations to remain below the radar. These targeted attacks are often aimed at unsuspecting individuals, such as secretaries or mid-level managers, who have access to valuable information. For instance, using information gathered from a secretary's social platforms and web usage patterns, cybercriminals then carefully craft and design their attacks to appear more convincing and believable."
In Singapore, organisations are required to protect consumer information while complying with the data protection law, which is known as the Personal Data Protection Act (PDPA).
Based on the PDPA:
- Organisations may collect, use or disclose personal data only with the individual's knowledge or agreement.
- Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of the purposes for the collection or use.
- Organisations may collect, use or disclose personal data only for purposes that would be appropriate.
What organisations need to do to protect customer information
However, Rohatgi said that it isn't enough for organisations to comply with the PDPA. He advised organisations to regularly review their security protocols, including basic security hygiene such as ensuring that only the necessary employees are provided access to the required customer data.
Organisations should also deploy various security solutions such as intrusion prevention and detection software, as well as data loss prevention technology, said Rohatgi.
In the case of Google, it encourages users to opt in to two-step verification to help prevent unauthorised access, said Jay Jenkins, Customer Engineering Lead, Google APAC. Users will be sent a one-time passcode to their registered mobile number, which must be keyed in together with their password in order to access their emails.