Data breaches are headline news. Target is still trying to recover from the December 2013 hacking that compromised the credit and debit cards of 40 million of its customers and the personal information of 70 million more. Luxury department store Neiman Marcus, hotel company White Lodging Company, on-line auction company eBay, and arts and crafts retailer Michaels have all reported data breaches, too.
Data breaches are costly. Your company will have to pay the expense of notifying the customers who were affected; you and your employees will have to spend time away from the job of running your alarm company to deal with the breach; and your company will suffer reputational damage and the potential loss of customers and sales.
It’s not just consumer retailers that need to worry about data breaches – all companies are vulnerable to data breaches – whether from malicious sources like hackers or simple employee errors.
Here are just a few steps you can take to reduce your risk.
Make sure you are PCI compliant.
Credit and debit card information is the ultimate payoff for most hackers. If you take credit or debit card payments, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of requirements established in 2006 by the Payment Card Industry Security Standards Council to protect consumers’ financial information and reduce fraud. PCI DSS includes standards for the networks that handle the financial information, for the protection of consumer information, and for the restriction of access to information, among other requirements. While PCI DSS is not a law, major credit and debit card companies like Visa, MasterCard and American Express do require all organizations that accept or store cardholder information to comply with PCI DSS.
Have a technology acceptable-use policy for employees.
In today’s business environment, mobile devices (laptops, tablets, and smartphones) may be critical to all facets of your business, but they are also vulnerable to both sophisticated hackers and petty thieves. Your acceptable-use policies should include a number of safeguards that your employees must follow when using mobile devices for work, including connecting to the Internet only over secure (not public) networks, protecting devices with the maximum security settings, and being aware of the data that downloaded apps share. The FTC has published useful advice on the business use of mobile devices.
Understand your weak points.
No matter how big or small your company is, your failure to maintain proper cyber-security measures not only makes you vulnerable, it makes you a weak point for your customers as well. The same is true for any third-party contractor or service provider you use: independent contractors that have credentials to your systems, outsourced front- or back-office systems, payroll services, and cloud and IT service providers may all be weak points.
Adopt a “culture of security.”
Having cyber-security protections on your systems is not enough. Hackers reportedly were able to gain access to Target’s most critical networks in part because employees failed to act on warnings generated by the company’s cyber-security software. Not only should you train your employees on your data security policies, but you should also create a culture of sensitivity to the presence of threats – from using unsecured networks and opening suspect e-mails, to leaving programs with sensitive information open on screens, paperwork lying around, and laptops and other devices unattended.
Remember, a chain is only as strong as its weakest link. Take the above steps to ensure you are doing your part to keep data breaches at a minimum.