As companies collect ever increasing amounts of data about their customers, they now face a financial and a moral duty to ensure that the collected data is secure. Data breaches can cost companies dearly in lost reputation and sales as well as consequences from the government.
The case of Equifax, which finds itself facing numerous lawsuits as well as government inquiries, is a clear example of what can happen. While Equifax is an outsized example, IBM reported that the average cost of a data breach is $3.62 million, with each individual record containing sensitive information costing $141.
Unfortunately, there is no one neat trick which companies can use to guarantee permanent protection, and dealing with data breaches is just as much about minimizing the results of a breach as preventing the breach from happening. But there are a few steps which companies can take which will minimize the risks of a breach and keep their customers safe.
Reassessing Data Collection Strategy
If your business does not collect data, then there is no data to steal. While your business cannot eschew data collection entirely, far too many companies collect data for data’s sake or because “it may prove useful someday.”
Collecting data for data’s sake has problems even beyond the security risks. Data storage costs money and gets ever more expensive as the volume grows. Pulling up a specific dataset becomes harder with a large database, and you increase the risk of collecting data which, handled insensitively, can backfire on a business. Just look at OfficeMax, which according to the Los Angeles Times landed in hot water when it sent a letter to a customer with the label “Daughter Killed in Car Crash.”
Big Data in and of itself is useless without proper analytics. Instead of trying to collect as much useless data as possible and increasing the risks of a breach, only collect the data your business immediately needs.
Most data breaches are not a failure of technology, but of people. Hackers are not elite tech geniuses, but scammers looking to dupe the gullible. BuzzFeed recently reported on a cybersecurity test in the Marine Corps where software experts successfully got well-trained Marines to click on a phishing email with the absurd headline “SEAL team six conducts an operation that kills Edward Snowden.” And in many data breaches, it only takes one mistake.
Failures like these show that companies have to educate their employees and consumers about good data safety practices. For employees, establish a training program or a legal helpline which talks about different ways hackers attempt to gain access to data, how to create safe passwords, and other security tips. The goal is to create a culture of cybersecurity where employees remain vigilant.
For consumers, regularly post on social media or on a company blog about how customers can stay secure. Even if only a few consumers read your advice, it still lowers the risk of a breach and shows in the worst case scenario that your company was fully dedicated to protecting consumer data.
Physical Security still Matters
The NSA has a long way to go in cybersecurity, as the government agency has been the victim of multiple data breaches this year, including one last month. But one of the data breaches came about not through being hacked, but because a contractor named Reality Winner printed out classified files and walked out with them hidden in her pantyhose.
Reality Winner is an example of how companies cannot neglect physical data security, which is all the more jarring because physical security controls are often cheap. Keep your office locked (preferably with a smart lock), establish a policy of shredding documents which are not immediately needed, and consider disabling USB ports so that employees cannot copy information onto removable media.
TechRepublic has an excellent guide on what physical security measures should be in place to keep thieves and hackers from breaking in. The most important step is to remember that data breaches do not have to be done online.
Prepare for the Worst
As noted above, preparing for what to do in the case of a breach is just as important as trying to prevent the breach itself. With the right procedures, a company can reduce the harm done to its customers and itself.
When a breach happens, your company should promptly contact law enforcement and let customers know as soon as possible. Be honest and upfront. You will not put customers’ minds entirely at ease, but you can prevent wild rumors from spreading and customers from assuming the worst. Just as businesses develop disaster plans to deal with earthquakes or tornadoes, develop a disaster plan for who is in charge, who will contact important individuals, and who will minimize the impact of the breach. If your business can show customers and the government that you have been sincerely attempting to protect data, you will face a smaller reputation hit and be less likely to face a lawsuit.