In an Era of Hacking, How Companies Can Keep Personal Information Safe
Hacking is increasingly disruptive to businesses worldwide, collectively costing companies billions of dollars and eroding consumer trust. Lack of adequate data protection and relaxed privacy policies can result in damage to reputations, steep fines, and damaging lawsuits — problems no company wants to face.
In a recent report, Juniper Research forecast that global cybersecurity spending will rise to $135 billion by 2022, much higher than the estimated $93 billion in 2017. But despite increased security expenditures over the next five years, hacking will cost businesses a total of $8 trillion in fines, security fixes, and lost business. Businesses in industries that are subject to federal law regarding personally identifiable information (PII), such as financial services and healthcare companies, are particularly vulnerable to financial penalties in the event of a security breach.
Credit Card Security
Nothing makes customers abandon a business faster than having their credit card data compromised, in part because businesses are usually required to tell them: forty-seven states have laws requiring consumer notification after credit card breaches.
The card brands, acting through the PCI Security Standards Council, require companies that accept credit and debit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS). To deter hackers and prevent security breaches, businesses should use payment-processing software that is current and listed as validated against PA-DSS (Payment Application Data Security Standard). Additionally, businesses as well as payment processors must validate their PCI DSS compliance, through a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor depending on transaction volume; the PCI Council does not issue "certifications," the deliverable is an Attestation of Compliance. A current attestation provides a level of assurance to customers and clients that the company is following the standard's controls for securing card data wherever it is transmitted, processed, or stored.
Additionally, experts recommend that companies refrain from storing customers' card numbers at all. Instead, they can use a payment provider whose platform stores the card data in a hosted "vault" and hands back a token: a random identifier that stands in for the card and is useless to an attacker outside that provider. Keeping only the token (plus the last four digits and the brand for receipts) means full card numbers never rest in your systems, which shrinks the scope of your PCI DSS assessment and the damage a breach of your own database can do. It does not absolve you of responsibility: you remain accountable for the checkout page, for any system that handles the card number before it reaches the provider, and for card numbers that leak into logs, backups, or exports.
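The tokenization pattern described above, as an added example that is not code from the original article or from any payment provider. The `ProviderVault` class is a hypothetical stand-in for a provider-hosted vault (its `tokenize`/`charge` API is invented for illustration), the merchant side keeps only a `StoredCard` record, and `find_pans` is the check a practitioner runs over database exports and log files to confirm that no raw card numbers leaked into the merchant environment. The card numbers used are the well-known public sandbox test numbers, not real cards.

```python
"""Tokenize card numbers so the merchant never stores a PAN, and scan for leaks.

Added illustration. ProviderVault is a hypothetical stand-in for a payment
provider's hosted vault; real providers expose different APIs.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProviderVault:
    """Hypothetical provider-side vault. The merchant never reads _store."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from the PAN
        self._store[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        # A real provider would forward the PAN to the card network here.
        return token in self._store and cents > 0


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant keeps: enough for receipts and repeat charges."""
    token: str
    last4: str
    brand: str


def brand_of(pan: str) -> str:
    """Simplified prefix rules, sufficient for the sandbox test numbers."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def save_card(vault: ProviderVault, pan: str) -> StoredCard:
    """Merchant flow: hand the PAN to the vault once, persist only the token."""
    token = vault.tokenize(pan)
    return StoredCard(token=token, last4=pan[-4:], brand=brand_of(pan))


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit runs found in text: the signature of a leaked PAN.

    Run this over log files, database dumps and support-ticket exports. Luhn
    filtering removes most order numbers and timestamps but not all of them,
    so treat hits as leads to investigate.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = ProviderVault()
    card = save_card(vault, "4111111111111111")       # constructed sandbox number
    print("merchant record:", card)                  # token + last4 + brand only
    print("charge ok:", vault.charge(card.token, 1999))
    # Constructed log lines: one leaks a PAN, one correctly logs only the token.
    print(find_pans("2017-10-02 checkout pan=4111 1111 1111 1111 amount=1999"))
    print(find_pans("2017-10-02 checkout token=tok_abc last4=1111 amount=1999"))
```

The leak scan is the part worth keeping in a scheduled job: a tokenized checkout is only as good as the guarantee that the PAN never landed in a debug log or a CSV export on the way to the provider, and `find_pans` over those artifacts is how you verify it rather than assume it.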
Organizations benefit from taking proactive steps to combat data breaches. A key part of this approach is integrating cybersecurity concerns and protections into everyday business decisions.
Security Best Practices
- Conduct a company-wide cybersecurity audit to determine where personal data is stored, who can access it, and how exposed it is. Remember to include any mobile devices used by employees to access company information.
- Establish strict security policies and ensure that all employees are aware of them. Update employees when protocols change.
- Employ effective endpoint, network, and email protection that filters out spam, malware, and dangerous file types. Install multiple layers of security technology on all devices, including desktops, mobile devices, file servers, mail servers, and other network end points.
- Employ end-to-end encryption (E2EE), in which data is encrypted on the sender's device and can be decrypted only on the recipient's device. Unlike transport encryption such as TLS, which protects data only between each pair of hops, E2EE means that no server in between, including the service provider's, can read the messages.
- Restrict access to customer information only to those employees who need it. Sensitive information should be stored in a centralized location and protected.
- Implement a strict bring-your-own-device (BYOD) policy. While allowing employees to use their personal laptops, tablets, and smartphones for work can provide flexibility for your workforce, it increases the risk of customers’ information being stolen. Another worry is the proliferation of connected smart devices under the IoT banner: many internet-connected devices are built without basic security measures, and businesses and consumers could be at risk as flaws are discovered and exploited. Employees should never use the same passwords for their personal and business accounts and devices.
- If you move to the cloud, make sure that data can be encrypted both at rest in the provider's storage and in transit to and from it, and be clear about who controls the encryption keys.
- Appoint a Chief Privacy Officer (CPO). Enterprise companies are notorious for operating in silos, which means that there is no overall coordinated approach to protecting customers’ privacy. Unlike a Chief Information Security Officer, a CPO focuses exclusively on protecting customers’ PII — many CPOs are attorneys. A CPO can create and revise policies regarding privacy and security for confidential information and lead staff training on these issues. A CPO could also be responsible for auditing compliance with policies and keeping up-to-date with privacy legislation.
Staying vigilant and keeping up with the latest security patches can help organizations keep personal information safe.