No matter your business, protecting customer information is key. But are you putting your customers at risk without even realizing it? This article discusses two essential strategies for keeping your customer's most guarded secrets safe.

The importance of protecting customer information

‎Customers provide our businesses with all sorts of information. That information is valuable - and thieves stand ready to take advantage of our carelessness.

The most sensitive of customer data is personally identifiable information (PII). PII is any information someone could use to uniquely identify a customer - such as social security numbers, driver's license, credit card numbers, physical addresses, phone numbers, bank accounts, and biometric identifiers.

Most businesses must handle some form of PII. Unfortunately, a malicious actor with PII can use it to impersonate, intimidate, or otherwise defraud innocent victims. Thieves constantly look for ways to collect and profit from this information.

A highly regulated environment

Data exposure puts your customers at risk. But it also puts your business at risk. By leaking PII and other customer information, you may violate multiple regulations depending on your industry.

The European Union's General Data Protection Regulation (GDPR) is a good example. Under GDPR, users have a "right to be forgotten." That's hard to implement if a user's information is spread across e-mails, chats, and cloud storage files.

Then there are local regulations. In the United States, the California Consumer Privacy Act (CCPA) grants consumers rights similar to the EU's GDPR, including the right to know and the right to be forgotten.

Besides official government regulations, there are also de facto standards to which every business must adhere. The PCI-DSS standard created by the credit card industry is one such standard. Every business that handles credit card data must implement it. Failure to comply could result in fines or even loss of credit card processing services.

The challenges in protecting consumer information

There are two challenges when it comes to protecting customer information. Both of them relate to the centralization of data.

Data over unauthorized channels

‎First, customers - and even employees of your company - may leak customer information without realizing it. For example, a customer may include credit card information in a support ticket to obtain paid support. Or they may send their personal contact details via e-mail.

This exposes customer information to people in the company who may not have clearance to access it. Just because information stays "within the company" doesn't mean it's safe. Data breaches from insider threats cost US companies around $11 million annually.

It also provides another exposure point for attackers. Tools such as Slack can - and have been - compromised by attackers.

Data spread over multiple data stores

Second, duplication of data complicates keeping your customers secure.

Say that a software engineering team in your company creates a new signup form for support. This form may capture information such as names, addresses, and even credit card numbers and store them in a database.

But your organization may already store this information from other signup forms. That means this sensitive information is now duplicated across multiple data stores in your organization. And each team may handle and secure it differently.

Two indispensable techniques for protecting customer information

As I noted, customers and employees can share customer data through numerous systems:

• Email
• Chat applications such as Slack
• Cloud storage, such as OneDrive, Google Drive, or Amazon S3
• Customer ticketing systems such as ZenDesk or FreshDesk

Software engineering teams may also inadvertently leak customer information by writing it into application logs.

To stop these information leaks, your company can use two highly effective strategies: Data Loss Prevention and Tokenization.

Data Loss Prevention

Strac's Data Loss Prevention (DLP) detects customer information across line-of-business applications such as Google Workspace, Office 365, Slack, ZenDesk, etc. It then redacts the information and stores it in a secure vault for centralized administration.

You can implement data loss prevention in one of two ways:

• Regularly schedule scans that examine documents & messages in information stores; or
• Application-specific "hooks" that trigger an action - e.g., sending an email message - and stop the information leak in real-time.

Strac implements hooks for all SaaS applications. Our tools detect and redact customer information before unauthorized personnel (or intruders) see it.

‎Tokenization

Tokenization identifies sensitive information in a regular format - such as credit card numbers, government ID numbers, etc. - and replaces it with a unique identifier with no intrinsic meaning or value. It's a form of de-identification that provides users with another layer of protection.

One of the best ways to secure sensitive data is to integrate tokenization into your customer-facing applications. Strac offers a series of UI Web components that work across the Web, iOS, and Android.

Using Strac UI components, you can tokenize data automatically and store it in Strac's servers. The data never touches your own servers. You can enhance your customer's security while accelerating your path to compliance certification for standards such as HIPAA and SOC2.

Protecting customer information with Strac

Data Loss Prevention and Tokenization are powerful tools you can deploy to protect your customer's privacy - and your business. Strac makes both easy to implement with minimal engineering lift. Contact us today for a demo to learn more about how we can make your data more secure.