Changing the System

It’s always easier to grasp a problem—and sometimes find a solution—when it hits close to home.

My aunt, an elementary-school principal, always keeps her students’ well-being top of mind. That’s why when she creates the yearly school calendar, complete with photos, she sends every parent a permission slip allowing them to “opt out” if they prefer any shot of their child participating in a class or school event not be used. But things do fall through the cracks.

When the 2007-2008 school calendar came out, a couple of parents complained their children appeared in the calendar, even though they opted out. While she was sure it was a mistake, there was no way to research it—all paper-based permission slips were thrown out once the calendar was printed in spring 2007.

“It’s time to change the system,” she said. “When something doesn’t work, it has to be changed.”

If my aunt’s experience illustrates anything, it is that data-exposure incidents—whether involving photos or electronic information—occur daily. That’s when it hit me: It is time for retailers to take their own actions to change the system.

I’m calling this change the move to “Data Loss Prevention”—an overall, comprehensive data loss-prevention strategy. And it is long overdue.

Cyber-thieves continue to pirate consumers’ personal data and they are claiming their booty through retailers’ systems, including e-commerce sites, point-of-sale devices, gas pumps and ATMs. And inside jobs stem from crooks using fake credentials to gain network access.

Sure, retailers are making efforts. Most encrypt data and work to comply with PCI DSS (Payment Card Industry Data Security Standard), a standard established by the four major credit-card companies to protect cardholders against the misuse of their personal information.

While these are important steps, “They are not the answer,” Paul Proctor, research VP, Gartner, Stamford, Conn., said during the annual FMI and Marketechnics Convention held in Las Vegas in May. “And truth be told, PCI was never intended to be a security measure.”

That said, it is time to take ownership when creating security. And the industry must work together to make it happen.

First, we need to change how business solutions are developed, built and purchased. This puts any company creating technology in the hot seat.

Retailers and company shareholders must ensure that vendors talk the talk and walk the walk. The same goes for retailers that still create systems in-house.

Once those solutions are validated and installed, the next step is to ensure that the correct safeguards, encryption and controls will monitor data flow and employee access to information.

Finally, the only way to uphold any successful loss-prevention program is to educate employees. Make them aware of their role in protecting data, keeping it secure, and the consequences for laziness. Chances are if employees understand what is at risk, they will be more mindful about mitigating it.

No one ever said securing an enterprise would be easy. However, it is clearly time “to change the system.” The sooner retailers establish a plan, monitor controls and educate employees, Data Loss Prevention will become second nature.