What every company dearly hopes to avoid is a customer-facing security incident, especially one involving the compromise of customer information. While issues involving retail customer information usually get prime-time coverage, there is also the significant issue of B2B interactions with corporate customers and partners.
Companies involved in software and system delivery projects often require customer service, sales and support staff to be deeply engaged with customers. Often a single employee may be dealing with multiple customers.
It is quite possible in this situation for an employee to accidentally send an email containing information for customer A to customer B. We're human; mistakes will happen. In my experience, the more we can move to secure systems and processes, the less we need to depend on the busy employee not making an honest mistake.
Below are the top 10 tips for security organizations to implement for their support and services delivery organizations:
Move customer information out of email or local storage
Customer information should be maintained in a separate, access-controlled system with regular security reviews of access and usage. Customer passwords, account information, etc. should not be sitting in personal email accounts, which can be compromised or accidentally misdirected.
Strongly discourage storage of company data in personal accounts on public cloud systems. Such cloud storage also exposes the company to high risk when those systems are hacked or compromised, as in the case of Evernote earlier this year.
Clearly and explicitly separate internal from external customer content
If you have to keep customer data in email or other local systems, then put in as many system controls as possible to prevent accidental disclosure. If you are working on a customer issue that also has an internal company thread, create one folder for all customer communication and a separate folder for the internal thread. Separate folders ensure that you do not accidentally forward an internal thread to the customer. Mark all internal threads as 'INTERNAL'.
Keep an eye on the training material and process
Employees will often create ad hoc material for one-off training and sometimes include customer data in it. Be very clear that no customer information is to be moved into training material at any time. Do not copy customer data into unprotected locations, spreadsheets or documents for training or any other purpose; such copies can be accidentally distributed to unauthorized recipients.
Watch the new hires
New hires, especially project managers or customer representatives, may not fully grasp the implications of a data disclosure. They may not have had enough time to understand the details of the systems before their first customer interaction. Make sure they get adequate new-hire training on information security processes and the implications of data disclosure.
Follow a double check process
Ask employees to follow a 'double-check' process for customer communication. Every employee should check, and check again, all outgoing communication to the customer prior to sending, verifying that no confidential information is going out.
Follow a simple data classification process
Mark email or documents as confidential when needed. This adds an additional layer of review.
Guard the customer data closely, even from the customer
Do not communicate customer login and password information via email to anyone, including the customer. Customer staff or contractors may not be authorized for that information or access level. Provide information only according to the access settings recorded on the account.
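The tips above on separate INTERNAL threads, the double-check before sending, confidential markings, and never emailing credentials can all be backed by a system control rather than left to the busy employee's memory. The following is an added example, not code from the original article, of a pre-send check that a mail gateway or send-hook could run over an outgoing message. The company domain, the customer names and domains, and the sample message are constructed for illustration; the check returns a list of findings, and an empty list means nothing was detected.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed directory (hypothetical values): our own domain and the
# email domains that belong to each corporate customer.
INTERNAL_DOMAIN = "ourcompany.example"
CUSTOMER_DOMAINS = {
    "acme.example": "Acme",
    "globex.example": "Globex",
    "initech.example": "Initech",
}

# Patterns that look like credentials pasted into a message body.
CREDENTIAL_PATTERNS = [
    ("password", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I)),
    ("api key", re.compile(r"\bapi[_\s-]?key\s*[:=]\s*\S+", re.I)),
]


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outgoing(mail: Email) -> list[str]:
    """Return findings that should hold the message; empty list means send."""
    findings: list[str] = []
    external = [r for r in mail.recipients if domain_of(r) != INTERNAL_DOMAIN]
    if not external:
        return findings  # internal-only mail is outside the scope of this check

    # 1. Threads tagged INTERNAL must never leave the company.
    if "INTERNAL" in mail.subject.upper():
        findings.append("subject is tagged INTERNAL but recipients are external")

    # 2. External recipients must be at a known customer domain, not an
    #    unknown or personal one.
    addressed_customers: set[str] = set()
    for recipient in external:
        customer = CUSTOMER_DOMAINS.get(domain_of(recipient))
        if customer is None:
            findings.append(f"recipient {recipient} is not at a known customer domain")
        else:
            addressed_customers.add(customer)

    # 3. A message to customer A must not mention customer B.
    text = f"{mail.subject}\n{mail.body}"
    for customer in sorted(set(CUSTOMER_DOMAINS.values())):
        if customer in addressed_customers:
            continue
        if re.search(rf"\b{re.escape(customer)}\b", text, re.I):
            findings.append(f"mentions another customer: {customer}")

    # 4. Credentials never go out by email, not even to the customer itself.
    for label, pattern in CREDENTIAL_PATTERNS:
        if pattern.search(text):
            findings.append(f"body appears to contain a {label}")

    # 5. A CONFIDENTIAL marking is not a block, but it triggers the extra review.
    if "CONFIDENTIAL" in mail.subject.upper():
        findings.append("marked CONFIDENTIAL: needs a second reviewer before sending")

    return findings


if __name__ == "__main__":
    # Constructed sample: a reply to Acme that pastes a temporary password and
    # mentions work done for another customer.
    sample = Email(
        sender="support@ourcompany.example",
        recipients=["ops@acme.example"],
        subject="Re: ticket 4411 - login issue",
        body="We reset the account.\nTemporary password: Tmp-9xQ2\n"
             "(Same fix we shipped for Globex last week.)",
    )
    for finding in check_outgoing(sample):
        print("HOLD:", finding)
```

Run on the sample, the check holds the message for two reasons: it names a customer other than the one addressed, and it carries a password. The CONFIDENTIAL rule deliberately reports rather than blocks, matching the article's point that the marking adds a layer of review; which findings should block and which should only route to a reviewer is a policy decision for each organization.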
Be careful about what you sign and agree to with the customer
Do not sign any NDAs or security agreements without the approval of the Legal team.
Change customer systems with caution
Some of our teams have direct access to customer systems for troubleshooting. Do not change settings or data on a customer system without written communication and (preferably) a backup.
Encrypt hard drives
All support and services staff should use encrypted drives, whether USB sticks or laptop hard drives. Encryption reduces the risk of disclosure when a drive is lost.
George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.