Antony Savvas looks at some of the best IT compliance tools and methods that are suitable for all types of business
Any organisation that takes debit or credit card payments from customers is responsible for safeguarding the sensitive data. “The reason is that firms that process card payments are considered ‘in scope’ to comply with the PCI DSS [Payment Card Industry Data Security Standard], regardless of the size of the organisation or the volume of transactions processed,” says Geoff Forsyth, chief information security officer at PCI Pal, a secure payments systems specialist.
The contact centre is a particular risk. Call recordings may be legally required under financial-services rules, yet if a customer reads a card number aloud the recording captures the primary account number and usually the security code, which PCI DSS forbids retaining after authorisation. Those recordings then fall within PCI DSS scope and become a target in their own right.
A PCI-compliant way of taking the card details is therefore essential. One established approach is DTMF masking: instead of reading the number out, the customer keys it in on the telephone keypad, which generates Dual Tone Multi Frequency (DTMF) tones. A system sitting in front of the contact centre decodes those tones into digits and strips them from the audio before the call reaches the agent or the recorder, so nobody in the organisation hears or sees the card details and the digits are captured out of band.
The call is still recorded for compliance purposes, but the card data never enters the recording, so there is no stored card data to steal even if an attacker breaks into the network. The captured digits are passed straight to the payment provider for authorisation, no cardholder data is stored in the organisation’s IT environment, and the telephony and recording systems are largely taken out of PCI DSS scope.
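To make the masking step concrete, the following is an added example and not code from PCI Pal or from the original article. It detects keypad tones with the Goertzel algorithm frame by frame, collects the keyed digits for out-of-band forwarding, and zeroes every frame carrying a tone (plus a guard frame either side, so a tone that straddles a frame boundary leaves no residue) before the audio is recorded. It assumes 8 kHz mono telephony audio supplied as a list of float samples; the keypress signal, frame size and thresholds are constructed here for illustration.

```python
import math

FS = 8000             # sample rate in Hz, the usual rate for telephony audio (assumption)
FRAME = 205           # samples per analysis frame (~25.6 ms), a common Goertzel block size for DTMF
LOW_TONES = (697, 770, 852, 941)
HIGH_TONES = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows index LOW_TONES, columns index HIGH_TONES
RATIO_THRESHOLD = 0.1   # peak power / (N * frame energy); a clean two-tone frame scores about 0.25
TWIST_MAX = 4.0         # the dominant bin must be at least 4x the runner-up in its group
MIN_FRAMES = 2          # a digit must persist for 2 frames (~50 ms) before it counts as keyed
GUARD_FRAMES = 1        # also blank this many frames either side of any frame with a tone


def goertzel_power(frame, freq):
    """Squared magnitude of the DFT of `frame` at `freq` Hz, via the Goertzel recurrence."""
    w = 2.0 * math.pi * freq / FS
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the keypad digit present in one frame, or None if no clean DTMF pair is found."""
    energy = sum(x * x for x in frame)
    if energy == 0:
        return None
    n = len(frame)

    def dominant(tones):
        powers = sorted(((goertzel_power(frame, f), f) for f in tones), reverse=True)
        (p1, f1), (p2, _) = powers[0], powers[1]
        # the peak must carry a large share of the frame's energy and stand clear of its neighbours
        if p1 < RATIO_THRESHOLD * n * energy or p1 < TWIST_MAX * p2:
            return None
        return f1

    low, high = dominant(LOW_TONES), dominant(HIGH_TONES)
    if low is None or high is None:
        return None
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def mask_dtmf(samples):
    """Split audio into frames, extract the keyed digits, and blank every frame carrying DTMF.

    Returns (digits, masked_samples): `digits` goes out of band to the payment provider,
    `masked_samples` is the only audio that may reach the agent or the call recorder.
    """
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    per_frame = [detect_digit(f) for f in frames]

    # debounce: a digit is accepted once the same key has been seen in MIN_FRAMES consecutive frames
    digits, run_digit, run_len = [], None, 0
    for d in per_frame:
        if d is not None and d == run_digit:
            run_len += 1
            if run_len == MIN_FRAMES:
                digits.append(d)
        else:
            run_digit, run_len = d, (1 if d is not None else 0)

    masked = list(samples)
    for i, d in enumerate(per_frame):
        if d is None:
            continue
        # blank this frame and its guard frames so partial tones at frame edges leave no residue
        lo = max(0, i - GUARD_FRAMES) * FRAME
        hi = min(len(frames), i + GUARD_FRAMES + 1) * FRAME
        masked[lo:hi] = [0.0] * (min(hi, len(masked)) - lo)
    return "".join(digits), masked


def synth_keypresses(keys, tone_ms=100, gap_ms=60, amplitude=8000.0):
    """Constructed test input: each key as its DTMF pair followed by silence (not real call audio)."""
    out = []
    for key in keys:
        row = next(r for r, cols in enumerate(KEYPAD) if key in cols)
        col = KEYPAD[row].index(key)
        fl, fh = LOW_TONES[row], HIGH_TONES[col]
        n_tone = FS * tone_ms // 1000
        out.extend(amplitude * (math.sin(2 * math.pi * fl * t / FS) + math.sin(2 * math.pi * fh * t / FS))
                   for t in range(n_tone))
        out.extend([0.0] * (FS * gap_ms // 1000))
    return out


if __name__ == "__main__":
    audio = synth_keypresses("4111")          # a real PAN has 16 digits; four are enough to show the idea
    digits, recordable = mask_dtmf(audio)
    print("digits forwarded to the payment provider:", digits)
    print("digits recoverable from the masked recording:", repr(mask_dtmf(recordable)[0]))
```

The design point is that masking is driven by tone detection, not by the digit debounce: any frame that looks like a tone is blanked even if it never becomes an accepted digit, and the guard frames cover the partial tones at frame edges that fall below the detection threshold. Re-running the detector over the masked audio is a cheap self-check that a deployment can run on every call before the recording is written.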
A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.
The key to staying compliant is effective communication across business lines and appropriate documentation of your security and financial controls. It is best to identify the most stringent standard applicable to your industry and work towards that; then, if new requirements arrive, for instance through expansion or acquisition, you are already positioned to meet them.
It is equally important to have a methodology for auditing and verifying that all the necessary controls are actually in place and operating.
“The only way to manage any sort of compliance program at scale is to leverage a governance, risk and compliance (GRC) tool, and I suggest IT compliance teams look for a tool that works well for their business, and not just buy features for the sake of having them,” says Lecio De Paula, VP for data protection at security awareness training firm KnowBe4. “Complexity is the enemy of scale, so it is important to look for simple tools that meet your exact business needs.”
The General Data Protection Regulation (GDPR) imposed strict data protection obligations on businesses, and a range of tools is now available to help firms meet them.
Richard Mabey, co-founder of business contract automation firm Juro, picked two key ones.
“Egnyte provides GDPR compliance by locating and securing the personally identifiable information of EU residents stored on-premise or in the cloud.
“And TrustArc enables organisations to plan and implement GDPR compliance,” says Mabey. “Key GDPR capabilities include monitoring, regulator-ready reporting, communicating compliance and demonstrating records of processing.”
Know your customer
“Know your customer [KYC] is the cornerstone of compliance, as it enables organisations to improve their ability to monitor transactions and investigate fraud or credit risk, and must be a key focus from the get-go,” says Delphine Masquelier, KYC solution manager at Quantexa, a data analytics company which provides solutions to the finance industry.
“The problem is that in many organisations too much of this is done in silos, leading to an abundance of incomprehensible data.”
To stay compliant while running KYC processes efficiently and keeping tight control of finances, businesses need to collect data in context rather than in silos and make sense of it as a whole.
Contextual decision intelligence (CDI) technology addresses this by analysing the indirect connections and transactional behaviour between entities and organisations in a network, which is where real risk often hides.
Process, technology and people
“With emerging unknown cyber threats posing a significant risk to operational resilience, companies should focus on three key areas in order to reduce risk, deliver an uninterrupted service to customers and stay compliant with regulations,” says Pete Bowers, COO at managed security services provider NormCyber.
“Firstly, a combination of process certifications and best practices can prevent around 80 per cent of cyber attacks,” Bowers says.
Widely used security certifications include ISO 27001 and the UK National Cyber Security Centre’s two baseline schemes, Cyber Essentials (self-assessed) and Cyber Essentials Plus (which adds an independent technical audit). Both focus on five key controls: firewalls, secure configuration, user access control, malware protection and patch management.
“Secondly, investment in technology is key to minimising risk and increasing resilience, but simply investing in tools that feed security operation centres [SOCs] will not be enough without the capacity and skills required to manage these technologies,” says Bowers. If you can’t afford to operate a SOC, an alternative is to use an external one managed by experts.
Lastly, all technologies and processes are only as effective as the people who use them, says Bowers. The UK government’s 2021 Cyber Security Breaches Survey found that, among businesses that identified a breach or attack, 83 per cent reported phishing attacks.
With cyber criminals clearly preying on human error, it’s important that organisations regularly carry out cyber security awareness training and simulated phishing attempts among staff and track the effectiveness of their security controls.
Zero trust network access (ZTNA) systems grant users access only to the specific applications they need for their jobs, rather than to a network segment as a whole. If malware does get onto a device, its reach is correspondingly restricted and easier to contain.
ZTNA does not by itself detect ransomware, but by denying the lateral connections ransomware needs to spread it confines an outbreak to the applications the compromised identity was already allowed to reach, curtailing damage to the wider estate of networks, servers and databases.
A zero trust approach grants no implicit trust based on network location: every user and device is treated as untrusted until it has been authenticated and authorised, and each access request is evaluated against identity, device health and context before a connection to the requested application is brokered.
ZTNA products typically pair this with policy-driven micro-segmentation: the network, applications and databases are partitioned into small zones and access to each zone is granted per user and per application. Such segmentation restricts lateral movement, shrinks the attack surface exposed to an intruder and contains threats such as ransomware within the zone where they landed.
Data in other zones stays protected, and defenders gain time to contain and remove the malware that has already got in.
Being able to demonstrate such measures also matters after a breach: under the GDPR, the technical and organisational measures an organisation had in place are among the factors regulators weigh when setting a fine, so evidence of access controls such as ZTNA can reduce the penalty.