Feb 4 2014, 1:02am CST | by Forbes
An estimated 70 million consumers were affected by a data breach impacting Target’s POS systems over the holidays. For Target, this signals the beginning of a gradual rebuilding of trust between itself and its billions of customers, with some customers still hesitant to pay using anything but cash at the retailer.
Other businesses are being impacted by this breach, as well. The media is warning customers to refuse to provide e-mail addresses and zip codes at the register, which can be a problem for businesses that collect this information for demographic purposes. As word of additional data breaches has spread during the course of January, the FBI has warned U.S. retailers that more incidents could arise in the coming months.
Knowing The Cost
For a business of any size, a data breach can be financially devastating. Unless a company has enough reserves to cover it, it could even cripple the business for years. At an estimated $188 per affected record, a large business frequently deals with costs in the millions. These costs include a drop in business for an extended period, as well as the cost to investigate and repair what caused the breach and notify potentially impacted customers.
For entrepreneurs who have worked hard to build and grow a business, the risks of a data breach are even more alarming. While a company the size of Target can probably sustain a multimillion-dollar expense, smaller businesses don’t have millions of extra dollars to spare. Two-thirds of consumers say they’d stop doing business with a company if their information was stolen, especially if the business was in the banking, healthcare, or legal field. Perhaps even more alarming is Experian’s statement that 60 percent of SMBs that suffer a data breach go out of business within six months.
Before a Breach
Since the recent attacks occurred at the POS level, it’s important that retailers take a look at their own systems to identify any vulnerabilities. While the details of the Target breach are still unfolding, security experts say a hacker in Ukraine made his way into a web server, which routed the hacker to a file server, eventually leading to the compromise of the company’s POS systems.
Traditionally, security advice has been fairly straightforward. Practice solid, strict security measures on all on-premise servers and ensure only authorized personnel can access cash registers and other in-store financial systems. But as more businesses outsource server and software services to cloud vendors, customer data is being moved to off-premise data centers that are no longer under the direct supervision of the businesses servicing those customers.
The Service Level Agreement
The crucial piece of the puzzle in working with a cloud provider is the Service Level Agreement (SLA). Signed at the point of purchase, this document offers the business some degree of protection in the event a breach occurs due to negligence on the cloud vendor’s part. However, a business still retains the bulk of the responsibility. In other words, after a breach, it’s unlikely customers will accept “It was our vendor’s fault” as the excuse. A business is expected to ensure its customers’ data is safe at all times, whether this is being overseen at its own headquarters or through a vendor it chooses.
Data protection is a crucial part of the SLA, so businesses should feel free to ask as many questions as necessary to get the clarification they need. The vendor’s security measures should be clearly spelled out in the SLA, and businesses should conduct regular reviews to ensure data is being secured as specified. But prior to selecting a vendor, SMBs should look at the company’s reputation and current client list. While this is no guarantee a breach won’t happen, reputable companies have a habit of attracting the best minds in I.T. today, which is good news for your customers.
While securing customer data at the server level is important, it’s also important to realize that a large number of breaches are due to employee behaviors. Negligence on the part of I.T. staff and vendors is certainly a large cause of security breaches, but those aren’t the only causes. As workers have become more mobile, sensitive customer data is often carted around on tablets, smartphones, and even flash drives that can easily become lost or stolen.
Businesses with workers who take devices with them should ensure those devices are properly secured. Each mobile device should be safeguarded with passcodes and any external hard drives should be encrypted and locked down with a password. Mobile devices can also be remotely wiped using software if necessary, but these measures need to be put in place proactively.
After a Breach
In the event a breach should happen, it’s important to be as honest as possible about it. A large number of SMBs don’t have an incident response plan in place prior to an attack, leaving them unprepared to deal with such an event. But perhaps most alarming of all is that only one-third of SMBs that experience data breaches report those breaches, according to a report by the Ponemon Institute, despite the fact that stiff penalties can be enforced if the unreported breach is ever discovered.
In the event a breach occurs, experts advise businesses to come forward despite the risks. Brushing an attack under the rug means that the attack generally isn’t addressed, leaving that business’s customers vulnerable to even more attacks. Additionally, if multiple customers trace their stolen credit cards back to one business, that business stands to lose even more if those customers go to an attorney or, worse, the media.
After a data breach, customers want to know if they will become subject to a case of credit-destroying identity theft. They also need reassurance that the problem has been discovered and protections have been put in place to keep customers safe. By directly communicating with customers about these two issues, businesses can slowly begin the process of regaining customer trust.
No business is above an attack like the one that hit Target recently. However, a few precautions can go a long way in ensuring customer data is safe, potentially saving an SMB millions in lost business, notifications, and other associated costs.