As companies collect ever increasing amounts of data about
their customers, they now face a financial and a moral duty to ensure that the
collected data is secure. Data breaches can cost companies dearly in lost
reputation and sales as well as consequences from the government.
The case of Equifax, which finds itself facing numerous
lawsuits as well as government inquiries, is a clear example of what can
happen. While Equifax is an outsized example, IBM reported that the average cost of a data
breach is $3.62 million, with each individual record containing sensitive
information costing $141.
Unfortunately, there is no one neat
trick which companies can use to guarantee permanent
protection, and dealing with data breaches is just as much about minimizing the
consequences of a breach as preventing the breach from happening. But there are a
few steps which companies can take to minimize the risk of a breach
and keep their customers safe.
Reassessing Data Collection Strategy
If your business does not collect data, then there is no
data to steal. While your business cannot eschew data collection entirely, far
too many companies collect data for data’s sake or because “it may prove useful
someday.”
Collecting data for data's sake has problems even beyond the
security risks. Data storage costs money and gets more expensive as the data grows.
Pulling up a specific dataset becomes harder with a large database, and you
increase the risk of collecting tactless data which can backfire on a
business. Just look at OfficeMax, which according to the Los Angeles
Times landed in hot
water when it sent a letter to a customer with the label "Daughter Killed in
Car Crash."
Big Data in and of itself is useless without proper
analytics. Instead of trying to collect as much useless data as possible and
increasing the risks of a breach, only collect the data your business
immediately needs.
Data Education
Most data breaches are not a failure of technology, but of
people. Hackers are not elite tech geniuses, but scammers looking to dupe the
gullible. BuzzFeed recently reported on a cybersecurity
test in the Marine Corps where software experts successfully got well-trained
Marines to click on a phishing email with the absurd headline “SEAL team six
conducts an operation that kills Edward Snowden.” And in many data breaches, it
only takes one mistake.
Failures like these show that companies have to educate
their employees and consumers about good data safety practices. For employees,
establish a training program or a legal helpline which talks about different
ways hackers attempt to gain access to data, how to create safe passwords, and other
security tips. The goal is to create a culture of cybersecurity where employees
remain vigilant.
For consumers, regularly post on social media or on a
company blog about how customers can stay secure. Even if only a few consumers
read your advice, it still lowers the risk of a breach and shows, in the worst-case
scenario, that your company was fully dedicated to protecting consumer
data.
Physical Security Still Matters
The NSA has a long way to go in cybersecurity, as the
government agency has been the victim of multiple data breaches this year,
including one last month. But one of those data breaches came about not through
being hacked, but because a contractor named Reality Winner printed out
classified files and walked out with them hidden in her pantyhose.
Reality Winner is an example of how companies cannot neglect
physical data security, which is all the more jarring because physical security
controls are often cheap. Keep your office locked (preferably with a smart
lock), establish a policy of shredding documents which are not immediately
needed, and consider disabling USB ports so that employees cannot copy
information onto removable media.
TechRepublic has an excellent guide on what
physical security measures should be in place to keep thieves and hackers from
breaking in. The most important step is to remember that data breaches do not
have to happen online.
Prepare for the Worst
As noted above, preparing for what to do in the case of a
breach is just as important as trying to prevent the breach itself. With the
right procedures, a company can reduce the harm done to its customers and
itself.
When a breach happens, your company should promptly contact
law enforcement and let customers know as soon as possible. Be honest and
upfront. You will not put customers’ minds entirely at ease, but you can
prevent wild rumors from spreading and assuming the worst.
Just as businesses develop disaster plans to
deal with earthquakes or tornadoes, develop a disaster plan for who is in
charge, who will contact important individuals, and who will minimize the
impact of the breach. If your business can show customers and the government
that you have been sincerely attempting to protect data, you will face a smaller
reputation hit and be less likely to face a lawsuit.