SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Five things ANZ businesses should know about storing customers’ data
Thu, 15th Apr 2021
FYI, this story is more than a year old

All Australian and New Zealand retailers, merchants and businesses that accept card payments need to comply with the industry standard Payment Card Industry Data Security Standard (PCI DSS).

It stipulates what types of security protections organisations should employ and mandates stringent financial penalties for exposure of customer records.

Other sectors, including healthcare, financial services industry and government agencies, also need to comply. There are other regional and national regulations, such as the General Data Protection Regulation (GDPR) in Europe, but no set of rules or legal requirements apply to everyone.

Many of these national and industry standards vary widely, yet they hold several core tenets in common. For example, they mandate the use of specific security mechanisms or procedures. They impose stringent penalties on the exposure of protected data and sometimes even criminal liability. They apply widely, not just to customers in specific territories or regions, but worldwide.

Organisations must make sure they fully understand which regulations apply to them. They should strive to do whatever they can to avoid breaches before finding out the hard way the penalties for violations.

A common question is: should customer information be destroyed after a certain point? This is a tricky question, and there is no single definitive answer. In theory, yes, customer data should be destroyed. But one of the benefits of the digital age is the fact that we can store data indefinitely.

Many organisations exercise this practice, and many customers want to have this data available to them. With that said, the best approach should not necessarily focus on the destruction of older data but rather focus on the overall protection of all data, both old and new, to make sure this data is not exposed.

A careful provider of cloud security services doesn't hold customer data directly. Yet, it will maintain metadata about customer transactions that flow through its systems in the form of logs, security events, etc. Most products and services allow customers to configure the retention time of logs and alerts. Keep in mind that retention policies have to do with customer lists, websites, etc. Retention periods can vary significantly, based on the type of information and how it is used.

The General Data Protection Regulation (GDPR) has had a significant impact on organisations. It affects organisations based in Europe (EU) and any organisation that processes and stores EU citizens' data, which is almost every organisation.

Looking ahead, we are constantly assessing how local regulations impact us. For example, there are many new privacy regulations in India and Brazil, which have to do with data residency and taking customer data out of those countries.

Here are five things businesses should know about storing customers' data:

The cloud is not ‘more' or ‘less' secure — it's different

This means that organisations need defences specifically adapted to the cloud and the unique threats those organisations face.

Safeguard application surfaces and cloud application infrastructure 

Vulnerabilities can come from either side, so it is essential to safeguard both.

Implement ‘positive' security

Attacks keep becoming more sophisticated, and organisations can no longer rely only on signatures of existing attacks. They need protection based on a positive security model that can automatically identify and block illegitimate traffic.

Security is a discipline

Within it, there are many sub-disciplines (such as application security, DDoS, etc.). Organisations need to rely specifically on the people who are experts in safeguarding against these attacks.

Detection is essential, but the correlation is critical 

It's not enough to detect attacks. Businesses need to correlate events intelligently across multiple threat surfaces, application layers, and time spans to connect event A, to event B, to event C — even if they are months apart. This will help to determine when an organisation is under attack and be able to block it in time.