Thieves are hacking corporate databases to steal financial data. Customers want to know what you are doing to protect them.
You’ve read the news. It seems like every month there’s another big company admitting that its customers’ financial data has been stolen by criminal hackers. The problem is not going away anytime soon; so, if you want to continue to transact business online, you obviously need to have a plan in place to protect your IT systems. Yet, it seems that the crooks stay one step ahead, and the good guys are always playing catch up. What’s a hard-working business owner to do? Expect the unexpected and prepare for the worst.
Here are our recommendations:
First, be aware that the bad guy could already be inside your vault. For example, the Coca-Cola Company lost financial data on more than 70,000 customers not from hackers over the Internet, but through the theft of company computing equipment containing that sensitive information by an employee. And, it didn’t happen in one theft. The employee had been stealing laptops over several years.
Recommendation: Develop a comprehensive data protection strategy that defends not only the external firewall protecting your data systems, but also guards against unauthorized physical access to those systems inside your company.
Second, those initiatives should be regularly evaluated and monitored. Thieves are some of the most innovative people in the world – what a shame they don’t use their talents to do good. In many of the thefts to which companies have admitted, the criminals had been operating within their IT systems for months, even years. Often, the intrusion is not even discovered by the victim – one of the company’s business partners recognizes the thievery first. How embarrassing is that?
What has it taught us? The best data security works in layers. Less sensitive data can tolerate lighter protection, while highly sensitive data should have the strongest protection.
Recommendation: Harden the data systems protecting your most sensitive data from other areas of the network, and monitor those systems constantly for any signs of intrusion. Consistent security audits and network monitoring should identify suspicious activity long before your business partners notice your problems.
Third, if a theft does occur, effectively communicate that as soon as possible to your customers and partners. For example, when Target lost credit data for more than 100 million customers, those victims did not hear the news first from Target; a security company announced the tragedy. Even when Target did finally admit the problem, the customer email notification was sent out from a new domain name, presumably as a precaution. Unfortunately, to their customers that looked like a phishing attack, and most people deleted it. You know the rest – it became a publicity nightmare for the company.
Recommendation: Don’t let your customers learn they’ve been victimized from a third party, and don’t let them see you mess up something as simple as an email when they are trusting you to secure their financial data.
Fourth, be aware of the potential for criminals to pose as your business partners. The Target theft, it appears, was perpetrated by criminals using credentials issued to the company’s HVAC contractor. While they used that privileged access to install devices on the stores’ cash registers, your vendors-in-disguise could just as easily be IT subcontractors with privileged access to all of your IT systems.
Recommendation: Institute strict controls over vendor access. Protocols should be in place to monitor the usage patterns of all business partners with access to your systems, and a procedure should be in place to quickly limit or curtail that access at any indication of suspicious activity.
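One way to turn this recommendation into a routine check, as an added example that is not part of the original article: each vendor account gets a written policy (which hosts it may reach and during which maintenance window), every access record is compared against that policy, and any account with a finding is listed for immediate review. The policy, account names, host names and log lines below are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed vendor access policy: which hosts each partner account may reach
# and the maintenance window (local time) in which its activity is expected.
VENDOR_POLICY = {
    "hvac-vendor": {"hosts": {"bms-01"}, "window": (time(8, 0), time(18, 0))},
    "it-subcontractor": {"hosts": {"ad-01", "file-01"}, "window": (time(6, 0), time(22, 0))},
}

# Constructed sample access records: "timestamp account host action".
SAMPLE_LOG = """\
2024-03-01T09:15:00 hvac-vendor bms-01 login
2024-03-01T23:40:00 hvac-vendor bms-01 login
2024-03-02T10:05:00 hvac-vendor pos-gw-03 login
2024-03-02T11:00:00 it-subcontractor ad-01 login
2024-03-02T11:30:00 unknown-partner file-01 login
"""


def check_vendor_access(log_text, policy=VENDOR_POLICY):
    """Return one (account, timestamp, reason) finding per policy deviation."""
    findings = []
    for line in log_text.splitlines():
        ts_str, account, host, _action = line.split()
        ts = datetime.fromisoformat(ts_str)
        rule = policy.get(account)
        if rule is None:
            # An account nobody issued a policy for should never be touching systems.
            findings.append((account, ts_str, "account not in vendor policy"))
            continue
        start, end = rule["window"]
        if not (start <= ts.time() <= end):
            findings.append((account, ts_str, "access outside maintenance window"))
        if host not in rule["hosts"]:
            findings.append((account, ts_str, f"access to out-of-scope host {host}"))
    return findings


def accounts_to_suspend(findings):
    """Vendor accounts with at least one finding: candidates for curtailed access."""
    return sorted({account for account, _, _ in findings})


if __name__ == "__main__":
    results = check_vendor_access(SAMPLE_LOG)
    for account, ts_str, reason in results:
        print(f"{ts_str} {account}: {reason}")
    print("review access for:", ", ".join(accounts_to_suspend(results)))
```

In practice the log would come from your VPN, directory or jump-host audit trail, and the policy from your vendor onboarding records, so that expired engagements fall out of the policy and start producing findings automatically.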
And finally, fifth, help your customers respond appropriately. Not all data breaches are the same, and depending on the type of data stolen, your customers will need to take different steps to protect themselves. For example, the Target breach lost credit and debit card data, whereas the Coca-Cola thieves were able to steal Social Security numbers.
Yet, Target responded by offering customers free credit monitoring for the next year, which would only identify instances in which thieves tried to open new accounts. But, it’s not likely that a criminal could open a new account with only credit card data. Instead, Target should have advised their customers to monitor their existing accounts closely, or to close those accounts and re-open them with new numbers.
On the other hand, Coca-Cola’s customers, having lost their Social Security numbers, could very well be victimized by a criminal opening up new credit accounts in their names. The company should have advised their customers to monitor their credit rating, as Target did.
Recommendation: Your customers may not know how to proceed upon learning of the theft of their data. Help them by matching your response to the crime.
At Nahai Insurance, we know that bad things happen to good people. Let us help you prepare for the worst-case scenario before it becomes a worst-case reality with insurance products that protect your company from the potential financial loss and legal liability resulting from cybercrime.