In September, CVS/pharmacy finally confirmed that it had been hit by a data breach of the third-party vendor that operates its photo-printing site. This breach, along with similar breaches at Costco Wholesale and Walmart, resulted in the exposure of consumer credit card information. The news, while widely reported, didn’t make the headlines the way the Target and The Home Depot breaches did.
Over a relatively short span of time, the way consumers and the media react to these exposures of personal data has changed. Studies show that, despite the incidents of data breaches increasing, most customers make no changes to their behavior or attitudes toward companies, believing the breaches to be unavoidable. The result is a limited impetus for companies to improve their security protocols.
But companies that take this laissez-faire attitude on security aren’t just risking customer privacy — they’re failing to seize an opportunity. In a world where data breaches seem inevitable, the first company that can prove the opposite is one that will garner trust and consumer devotion.
The True Cost of Bad Security
Even without negative response from customers, the recovery cost for companies that suffer a breach is still steep. The Home Depot’s data breach of 2014 has been estimated to cost a staggering $10 billion. The Home Depot will survive, but only because its pockets are deep. For smaller businesses, a breach like that could mark a company’s final days.
But even setting aside the high price tag, keeping security as a low priority is just bad marketing. There’s a space in the market for truly security-conscious businesses, and someone is going to fill it.
Locating a Breach
Before you can prevent a breach, it’s important to understand the common weak points in the system.
There are three main areas where breaches usually occur:
- Point-of-sale systems: Hackers often put malware on POS devices and use them to steal credit card information with each swipe. Many of the high-profile breaches in 2013 were a result of this type of hack.
- During the transfer of data: While data may be encrypted both before it’s transferred and after it’s stored, the transfer itself is often through unencrypted channels, leaving data vulnerable. Keeping these easily readable channels is similar to wearing a meat suit while scuba diving — it’s not recommended.
- Where data is stored: This is usually the most difficult of the three to access, but it can also be the most dangerous because of the breadth of data that can be gathered.
Locking Down Your Data
While there’s no way to protect yourself 100 percent, there are steps you can take to ensure sensitive information remains as private as possible.
- Update regularly.POS systems should be continually up-to-date with the latest software and firmware. If you’re using a third-party POS device, take special note of the company maintaining the service and its security protocols. Remember that, ultimately, a data breach is your PR problem.
- Encrypt all data. This is an easy step, but one that’s often overlooked when data is transferred. You shouldn’t necessarily develop your own algorithm — instead, use trusted modern-day encryption to make your data unreadable, even if hackers do get a hold of it.
- Triple-check your storage security. You can’t be too secure when it comes to data storage. The system should be behind a physical firewall with appropriate intrusion detection and intrusion prevention systems. Personnel-wise, access to sensitive data should be kept to as few employees as possible.
Most of all, it’s important to be proactive in your practices and policy; never be satisfied with “good enough.” Deviants will constantly be looking for new ways to get your data, so you must, in turn, find new ways to keep them out. Having a good security plan on paper is a start, but putting it into practice regularly is what’s vital.
By following these three steps on a consistent basis, and being open about them with your customers and partners, you can create a safer business that the public will trust.