Infosec is critical in the contemporary world. Large data breaches happen periodically, and smaller ones undoubtedly occur constantly. Our lives are increasingly lived online, and to better serve their customers, companies want to gather as much data as possible. After all, consumers like personalization. But customers also have to trust that companies will safeguard all this private data.
Hacking attempts are likely, and for large companies, they’re a certainty. So how can business owners protect their customers and their data while still providing an experience based on that data?
Gather only the essentials
This technique minimizes the impact of stolen data. If your main need is to verify the customer – such as when they’re logging in – it is better to store only enough information to verify them. That would be a username and password, and maybe an email address. There is little need to store their credit card details, IP addresses, full name, address, date of birth, driver’s license number, and whatever other data you think might be interesting.
Take a look at your data collection policy, and cut out anything that isn’t necessary. That way, when a breach occurs, customers will suffer less damage, and they will hopefully remain your customers.
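As an added illustration of “store only enough to verify them” (example code written for this page, not the author’s), the function below takes an over-collecting signup form, keeps just the username and email, and records a salted PBKDF2 hash instead of the password itself, which is the standard way to store a credential you only ever need to check. The field list, iteration count and sample form data are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Fields the login flow actually needs; everything else submitted at signup
# is discarded before the record is written. (Assumed policy for this example.)
ESSENTIAL_FIELDS = ("username", "email")

# PBKDF2-HMAC-SHA256 work factor: high enough that a leaked hash is slow to
# brute-force, low enough to keep login responsive. (Assumed value.)
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$hash' in hex. The password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def minimize_signup(submitted: dict) -> dict:
    """Keep only what is needed to verify the customer later."""
    record = {k: submitted[k] for k in ESSENTIAL_FIELDS if k in submitted}
    record["password_hash"] = hash_password(submitted["password"])
    return record


def verify_login(record: dict, username: str, password: str) -> bool:
    """Check a login attempt against the minimized record."""
    return record.get("username") == username and verify_password(
        password, record["password_hash"]
    )


# Constructed sample signup form that deliberately over-collects, the pattern
# the article warns against. None of these values are real.
SAMPLE_SIGNUP = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "password": "correct horse battery staple",
    "full_name": "Jane Doe",
    "date_of_birth": "1990-01-01",
    "card_number": "4111111111111111",
    "drivers_license": "D1234567",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    stored = minimize_signup(SAMPLE_SIGNUP)
    print(sorted(stored))  # ['email', 'password_hash', 'username']
    print(verify_login(stored, "jdoe", "correct horse battery staple"))  # True
    print(verify_login(stored, "jdoe", "wrong password"))  # False
```

If the stored record leaks, an attacker gets a username, an email address and a salted hash that has to be cracked per user; the card number, date of birth and license number were never written anywhere.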
Maintain transparency in policies
While you’re looking at your data collection policy, make sure it is easy to read and divulges all important information. Privacy and data collection policies are often not read by consumers because they are long, tedious, and written in legalese. If you have the resources, write a layperson’s version that succinctly describes the policy.
Then, when you experience a breach, customers will already understand what information was compromised. They can also make informed decisions on how much information to give you, preventing legal trouble later. Perhaps preventing a Congressional summons, too, if you happen to run a large, influential corporation.
Encrypt stored data
Since data is likely to leak, it is important that the leaked data appears as gibberish to whoever obtains it. One of the worst possible ways to store data is in plaintext: if all data is stored in plaintext, hackers need only download it and open it. If the data is encrypted, they need to download it and then either find the keys or crack the encryption.
This means that even if hackers can breach all of your other security procedures, the data they retrieve is useless to them. Theoretically, they could brute-force your encryption, but more likely they will simply move on to the next victim who does not encrypt their data.
Encryption is not difficult to implement, either, at the disk storage level (where you will be keeping customer data). As for network encryption, Cisco has published a neatly laid-out checklist.
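The point that an encrypted record is useless without the key can be shown concretely. The following is an added example, not code from the article: it encrypts a minimized customer record with AES-GCM before it is stored, binds the record id as associated data so one customer’s row cannot be swapped for another’s, and demonstrates that the stored bytes reveal nothing and cannot be opened with the wrong key or after tampering. It assumes the `cryptography` package is installed; the key is generated in memory here, whereas in practice it would live in a secrets manager or HSM, separate from the database and its backups.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


def new_record_key() -> bytes:
    """256-bit key. Assumption: stored outside the data store (KMS/HSM/env)."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_record(key: bytes, record: dict, record_id: str) -> bytes:
    """Serialize and encrypt one record. Output is nonce || ciphertext || tag.

    The record id is passed as associated data: it is authenticated but not
    encrypted, so a blob decrypts only under the id it was written for.
    """
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption; never reuse with a key
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    return nonce + AESGCM(key).encrypt(nonce, plaintext, record_id.encode("utf-8"))


def decrypt_record(key: bytes, blob: bytes, record_id: str) -> dict:
    """Inverse of encrypt_record; raises InvalidTag on wrong key, id or tampering."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = AESGCM(key).decrypt(nonce, ciphertext, record_id.encode("utf-8"))
    return json.loads(plaintext.decode("utf-8"))


def leaks_field_values(blob: bytes, record: dict) -> bool:
    """What someone holding only the stored bytes would see: does any field
    value appear in the clear? (Plaintext storage would return True.)"""
    return any(str(value).encode("utf-8") in blob for value in record.values())


def can_decrypt(key: bytes, blob: bytes, record_id: str) -> bool:
    """True only if the blob opens cleanly under this key and id."""
    try:
        decrypt_record(key, blob, record_id)
        return True
    except InvalidTag:
        return False


# Constructed sample record; values are not real.
SAMPLE_RECORD = {"username": "jdoe", "email": "jdoe@example.com"}

if __name__ == "__main__":
    key = new_record_key()
    blob = encrypt_record(key, SAMPLE_RECORD, "cust-001")
    print(blob.hex())                                   # gibberish without the key
    print(leaks_field_values(blob, SAMPLE_RECORD))      # False
    print(decrypt_record(key, blob, "cust-001"))        # original record
    print(can_decrypt(new_record_key(), blob, "cust-001"))  # False: wrong key
    print(can_decrypt(key, blob, "cust-002"))           # False: wrong record id
```

The design choice worth noting is key separation: encryption at the storage layer only helps if a copy of the database does not also carry the key, so the key path (secrets manager, HSM, or at minimum a different host) should be reviewed with the same care as the data path.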
Outsource to professionals
If you don’t know what encryption is, consider outsourcing your security to another company. There are plenty of security-focused IT companies that perform freelance work to set up secure systems. If you already have a security system in place, consider an audit by a third-party to ensure your in-house system is robust. IT is broad, so it is easy for an individual or even a team to make a couple of mistakes.
Outsourcing for payment systems is an excellent idea for small businesses. PayPal is an excellent example: the company handles all of the security on their end, and all you need to do is pay a small fee for each transaction. Not only is PayPal’s security likely more robust than yours, but it is also reputable – customers will be more willing to finish a transaction through an established channel than enter credit card details into your website. If you don’t like PayPal, find another payment processor to outsource one of the most critical points of security for any e-commerce business.
By doing this, you will build rapport with your customer base, as they will trust your intentions. They may be appreciative of the effort you’ve expended to help them. And most importantly, they will understand how to protect themselves, even if a breach still occurs, reducing the impact on them and your business.
IT is broad, and IT security is no narrower: data leaks will continue to occur even with robust security procedures in place. However, you are less likely to be a target if you practice good security, because the effort required of attackers rises rapidly.
Nick Rojas is a self-taught, serial entrepreneur who’s enjoyed success working with and consulting for start-ups. Using his journalism training, Nick writes for publications such as Entrepreneur, TechCrunch, and Yahoo. He concentrates on teaching small and medium-sized enterprises how best to manage their social media marketing and define their branding objectives.