The True Cost of PCI Breaches
Trust is fragile and should be earned, not freely given.
If your organization stores or processes customer credit card numbers, then you know something about this. PCI DSS has been around for a while and is meant to provide a certain level of trust between merchants and consumers - "I'll give you my credit card number, but I trust that you will use it properly and protect it". Is it perfect? Nope. Just look at the list of breaches for 2018 alone - credit card numbers flying out of networks like they're going out of style!
It's scary, frustrating, and costly. Companies spend billions of dollars to make consumers trust them. They invest in network security, they advertise, they try to reassure the public that it's ok to trust them.
And then, in a heartbeat, news of a breach, and Poof! - trust is destroyed. Dollars and effort wasted; everything needs to be rebuilt. Brand recognition, history: all meaningless.
Get to know your unstructured data
It's no secret that the amount of unstructured data in the enterprise today has grown exponentially, making up as much as 80% of an organization's data (we define "unstructured data" as information that resides in email systems and file repositories, either on premises or in the cloud). Yet, over the past couple of years, as I have questioned people about this aspect of their enterprise data, every single one of them has admitted to me that they do not feel they have adequate knowledge and control of what is stored in there! That is why we also like to call it "dark data". ("Come to the Dark Side, we have data.")
Regardless of the policies your organization may have elaborated around security practices, humans will be humans. How can you be certain that no one is storing unencrypted credit card numbers somewhere? In a spreadsheet in OneDrive? In an email? On a network share?
Solution paths to prevent PCI breaches
What if you could index all your unstructured data - no matter where it resides - to easily search for credit card numbers (or any other sensitive information)?
What if you could create a policy that notifies a compliance officer of any such instances on a regular basis?
What if you could instantly remediate - automatically or manually - any such instances of non-compliance?
Would it help to build some trust?
Join NetGovern at the annual PCI-SSC North America Community Meeting in Las Vegas, September 25-27. We will be showcasing our solutions with our partner eMazzanti Technologies - come by for a chat and to learn more!