It's Not Just For Card Data Any More

With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are absolutely designed to only apply to payment cards, but the same common-sense security guidelines will also dramatically help the security of CRM databases, personnel files, E-mail servers, payroll details, and even the full contents of your Web site.

Overworked IT executives suffering from staff cuts find checklist security quite comforting. The checklist mentality says that nothing should be done that isn’t mandated. And there are no external rules protecting data, beyond payment card, health-related information and some investment data. Is this wise?

This month, a frightening answer to that question came in the form of an E-mail exchange that a reader enjoyed. The reader—a security consultant—got a panicked call seeking a forensic expert. A large amount of important data had been stolen and they hadn’t been doing backups of that content. Even worse, they couldn’t even try and piece together what the intruders had stolen because of a logging problem. To quote the victim: “We can’t recover it, because it’s wasn’t backed up, and it wasn’t logging because it wasn’t on the part of the SAN where logging occurs.” Uh-oh.

Our reader said that he figured the data couldn’t have been close to mission-critical, given the cavalier way it was protected. But the victim had an interesting rationale: “Well, it wasn’t part of PCI so we didn’t think to add it into the normal data we monitor” with several different high-end security packages. The kicker: Why was the victim so desperate to retrieve this non-PCI-controlled data? “It’s the flight maintenance records for our entire fleet of aircraft.”

While this executive’s company’s safety details were off somewhere in the wild blue yonder atop CyberThiefVille, his counterparts were calmly deciding that security procedures should be minimalized.

If a thief wants to engage in identity theft, there are plenty of nuggets of data far more valuable than payment card information. Worried about an inside job? Wouldn’t the payroll database be a more tempting target?

Retailers today are amassing more data about Americans than anyone other than U.S. government. If retailers ever get their mouse pads around all of the data they’re already collecting, the image is staggering. For loyalty card using consumers, the chains know what they’ve bought and when. Courtesy of E-Commerce tracking, they know what they thought about buying, but chose not do. If stores truly deploy item-level RFID tracking, that knowledge will be known in-store, too. How would you like your next potential employer to be able to read a transcript of every question you’ve ever asked a customer service or tech support person?

That’s all data that’s being collected today. Some retailers are considering some even more Orwellian possibilities for next year

This all comes down to the fact that businesses of all sorts—and especially retailers—are collecting a lot of data today that no outside force is requiring them to protect in any formalized way. That means that companies must decide—on their own—to spend money and dedicate personnel to protect systems that they don’t technically have to. These execs will either do the right thing or face data Armageddon. Excuse me while I go out and buy a generator and a 30-year-old supply of survival supplies.

Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.

Tags: Compliance, data breach, Data Protection, malware, PCI, Risk and Compliance