According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.
The results are interesting because every day we hear of another data breach or another form of malware that can steal or at least damage data. You would think that with this amount of coverage businesses would sit up and start protecting their livelihood, because that is what customer information is: their livelihood.
For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here”.
Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it, so why bother?
I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.
However, businesses cannot escape their contractual commitment to protect credit card data under the Payment Card Industry’s Data Security Standard (PCI DSS), and they cannot escape the legislative requirements to protect Personally Identifiable Information (PII), for example the Data Protection Act and the pending Europe-wide Data Protection Act.
The survey results fall into three categories:
- Ignore. 65% take no preventative measures
- Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
- Try. 12% deploy dynamic data masking solutions on their production environments
I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data, where all payment applications are governed by the Payment Card Industry’s PA-DSS. Masking should, however, be applied to all sensitive data that could cause financial or reputational damage to anyone: customer, employee or contractor.
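The two approaches in the survey, masking only a non-production copy versus masking dynamically on production, are easy to confuse, so here is an added illustration of both (my own example, not GreenSQL’s product or code). The rows, roles, column names and the `test-secret` key are all constructed for the demo. `dynamic_mask` is what a database proxy or view layer does on production: the same query returns clear data to a role that needs it and redacted data to everyone else (developers, consultants, support). `scramble_for_nonprod` is the static approach for a dev/test copy: every identifying value is replaced with a keyed pseudonym, and the fake card numbers carry a valid Luhn check digit so payment validation code can still be exercised without any real PAN leaving production.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a customers table; no real data.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "postcode": "SW1A 1AA"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "card_number": "5500000000000004", "postcode": "M1 1AE"},
]

# Columns that hold PII or card data, and the (hypothetical) roles allowed to see them in clear.
SENSITIVE_COLUMNS = {"name", "email", "card_number", "postcode"}
CLEAR_ACCESS_ROLES = {"payments_service"}


def mask_value(column, value):
    """Reduce a sensitive value to what a non-privileged role still needs, hiding the rest."""
    if column == "card_number":
        return "*" * (len(value) - 4) + value[-4:]   # PAN: last four digits only
    if column == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if column == "name":
        return value[0] + "."
    return "***"


def dynamic_mask(rows, role):
    """Production path: mask at query time unless the caller's role may see clear data."""
    if role in CLEAR_ACCESS_ROLES:
        return [dict(row) for row in rows]
    return [{col: mask_value(col, val) if col in SENSITIVE_COLUMNS else val
             for col, val in row.items()} for row in rows]


def luhn_check_digit(partial):
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these digits are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True when the string is all digits and its last digit is the correct Luhn check digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def _pseudonym(secret, value):
    """Keyed, deterministic digest so the same input always maps to the same fake value."""
    return hmac.new(secret, value.encode(), hashlib.sha256).digest()


def scramble_for_nonprod(rows, secret):
    """Static masking for a dev/test copy: identifying values become keyed pseudonyms."""
    out = []
    for row in rows:
        name_d = _pseudonym(secret, row["name"])
        mail_d = _pseudonym(secret, row["email"])
        card_d = _pseudonym(secret, row["card_number"])
        post_d = _pseudonym(secret, row["postcode"])
        # 16-digit number derived from the digest with a valid check digit; it is not a
        # real card, but it passes the same validation code the application uses.
        partial = "4" + "".join(str(b % 10) for b in card_d[:14])
        out.append({
            "id": row["id"],                      # non-sensitive keys are kept for joins
            "name": "Customer " + name_d.hex()[:8],
            "email": mail_d.hex()[:12] + "@example.test",
            "card_number": partial + str(luhn_check_digit(partial)),
            "postcode": "ZZ%d %dZZ" % (post_d[0] % 10, post_d[1] % 10),
        })
    return out


if __name__ == "__main__":
    for row in dynamic_mask(CUSTOMERS, "developer"):
        print("developer sees:", row)
    for row in scramble_for_nonprod(CUSTOMERS, b"test-secret"):
        print("dev/test copy :", row)
```

Keyed pseudonyms (HMAC rather than a plain hash) matter for the non-production copy: without the key, anyone with the scrambled dump could hash guessed emails or card numbers and match them back, which defeats the point of masking.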
“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”
GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.
In summary, adding protection to databases and sensitive data is not hard, and with current market trends moving towards cloud-based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.