What every company hopes dearly to avoid is the customer facing security incidents especially those involving compromise of customer information. While the issues related to retail customer information usually get primetime coverage, there is also the significant issue of B2B interactions with our corporate customers and partners.
Companies involved with software and system delivery projects often require customer service, sales and support staff to be deeply engaged with the customers. Often a single employee maybe dealing with multiple customers.
It is quite possible in this situation for an employee to accidentally send email with information for customer A to customer B. We're human, mistakes will happen. In my experience the more we can move to secure systems and processes, the less we need to depend on the busy employee to not make an honest mistake.
Below are top 10 tips for security organizations to implement for their support and services delivery organizations:
Move customer information out of email or local storage
Customer information should be maintained in a separate access controlled system with regular security reviews of access and usage. Customer passwords, account information etc should not be sitting in personal email accounts which can be compromised or accidentally mis-directed.
Strongly discourage storage of company data on personal accounts on public cloud systems. This cloud storage also exposes the company to high risk when such systems are hacked or compromised as in the case of Evernote earlier this year
Clearly separate out internal versus external customer content very explicitly
If you have to keep customer data in email or other local systems, and then make sure you put in as much system controls as possible to prevent accidental disclosure. If you are working on a customer issue that has an internal company thread, create separate folders for all customer communication and another separate folder for the internal thread. These separate folders ensures that you do not accidentally forward an internal thread to the customer. Mark all internal threads as 'INTERNAL'
Keep an eye on the training material and process
Employees will often create ad hoc material for one off training and sometimes will include customer data in this training material. Be very clear that no customer information is to be moved into training material at any time. Do not copy customer data into non-protected locations, spreadsheets or documents for training or other purposes. This information can be accidentally distributed to unauthorized recipients
Watch the new hires
New hires especially project managers or customer representatives may not fully get the implications of a data disclosure. They may not have enough time to understand the details of the systems before their first customer interaction, Make sure they get adequate new hire training on information security processes and data disclosure implications.
Sign up for CIO Asia eNewsletters.