KISS: Feeling the love for Cyber Security?
Updated: Apr 9, 2019
With changing regulatory requirements, increased cyber threats and the need to satisfy consumer expectations (providing assurance and an efficient service), the burden on business has become extremely demanding.
Traditionally, businesses have sought to do everything themselves, or to partially outsource the specialist element. However, this still requires them to fortify their 'in scope' systems and people, ensuring that the processes remain robust. All this, whilst trying to ensure that the Business As Usual (BAU) requirements are maintained.
Consequently, this becomes increasingly demanding, time consuming and expensive: making sure that each environment receiving sensitive data (e.g. Personal Information, Personally Identifiable Information (PII), Consumer Account Information, Payment Card Information, etc.) provides effective defences.
All of this requires skilled and knowledgeable personnel, with the available time, to ensure that they can respond to the opportunist attacker (internal or external) or to the accidental actions that could put such data at risk. One mistake, or one missed action, could present the opportunity that is pounced upon.
A business can often feel like the Iguana in this video!
Surely there must be an easier way to deliver a service that exceeds expectations and also meets the legal and regulatory requirements?
Indeed, there are some really good technical solutions, but it all comes down to understanding the business's data flows and identifying how the consumers' expectations may have changed. Today's consumer wants everything to be instant and cannot afford the time spent answering a suite of security questions: the very questions whose answers are personal to them or may be financially linked. All such data is at the top of a cyber criminal's shopping list.
Keep It Simple Solution (KISS) Principle
The application of the KISS principle employs the concept of replacing such data with a safer alternative. Think of your sensitive data flows as different coloured balls that need to be moved and stored within an organisation's network and personnel, and even shared with 3rd parties. The attackers are always prowling for interception opportunities, whether that be at the core of a corporation's network (Data at Rest), in flight (Data in Transit) or with 3rd Parties (Cross-Border transfers).
Consequently, the choice comes down to one of three options:
Treatment - Developing in-house encryption operations (still needing supporting systems and key management processes) to protect the sensitive Data at Rest.
Transference - Removing the need to hold sensitive data, through the use of a 3rd party tokenised service. However, the Call Agents and the telephone systems will still be in scope, as they still handle the data before it is sent across to the 3rd party for tokenisation.
Termination - Removing the need to interact with sensitive data at all, by using a Dual Tone Multi-Frequency (DTMF) solution to capture the sensitive data via the customer's telephone keypad. As a result, no corporate systems or personnel need to interact with this data. At the point of taking such data, the Call Agents ask the customer to confirm their details via their telephone keypad, e.g.
Credit Card No.
Date of Birth.
Bank Account No.
Security Question options (e.g. Mother's Maiden Name - Option 1, 2 or 3).
All options are viable, and it comes down to which one makes your life easier whilst meeting the legal and regulatory requirements, enhancing the customer journey (e.g. not wasting time repeatedly speaking the same information because of a bad line, a strong accent, etc.) and reducing the risks associated with such business processes.