Right before Christmas, someone hacked into Target’s system and stole encrypted customer security debit card PINS on top of 40 million credit card numbers of the retail giant’s customers. Oh, and by the way, this was before ZDNet reported on other enormous breaches of security that were suffered in 2013 by the world’s biggest names in media, government and technology from the New York Times and Wall Street Journal to The U.S. Federal Reserve, Facebook, Adobe, Apple and Twitter. In all cases, private and confidential data was taken. Although there are suspicions, no one really knows who is taking the data or what it’s being used for. And after the furor dies down, no one can say for sure that the same won’t happen again.
These are not dipsy-doodle, little, tiny companies. These are some of the largest, most well known companies and government organizations in the world who supposedly specialize in technology. And they couldn’t even protect themselves from getting hacked. So yes, we can take solace that we’re not alone. But we must also admit: this is serious. And that our smaller businesses are not just as vulnerable. We’re more vulnerable. Why?
For starters, most of us are accepting and storing more credit card and social security numbers now more than ever. We’re accepting online and mobile payments. We’re sending out and receiving fewer checks and transacting more virtually. And when we accept this information our customers are entrusting us to keep it on file so that they don’t have to give it to us more than once. So we’re responding to that request by storing it…both in on-premise and hosted databases that require nothing more than a simple password to access. Our security is terrible. And the hosted ecommerce services that we rely on (judging by the examples above) clearly aren’t much better.
And who will be to blame if our customers’ info is stolen? We will. Our customers will stop doing business with us. Some may sue us. Others may tell others or report their problems to the media. Our credibility would be challenged. Our reputations may be lost. We are unable to be trusted. We are embarrassed. And we are potentially facing enormous liabilities. Would you like to be the subject of the next ZDNet slide show featuring businesses that were hacked? I didn’t think so.
So how do you protect against this? There are ways. For example:
- You should always make sure your customer data is stored in an encrypted database.
- You should have multi-levels of passwords to access any database storing customer information and change these passwords frequently.
- You should periodically and regularly run background checks on employees handling customer data.
- You should make sure to have malware detection software running on both your servers (hosted or not) and workstations and ensure that your firewalls are up and secure.
- You should review and implement the standard network security health check controls like the ones suggested here.
- You should make sure your Disaster Plan (you have one, right?) has a plan for if a breach occurs.
- And you should have your attorney update your terms and conditions to hold you harmless in the event of a stolen data incident (although that still can’t stop anyone from suing you, you losing that suit or at the very least suffering the same lack of credibility and reputation issues).
It’s a brand new year. And with it will come even more hacks of private information. We’ll hear about the big ones from the big companies. However, the thousands of small companies who will be hacked this year will not make the national headlines. And unfortunately they will suffer the most. Let’s hope that you and I are not one of them.