Protecting Customer Data from Website Hackers: Your How-To Guide
The costs of digital espionage are projected to reach $2 trillion by 2019. Despite the staggering risk, many businesses simply aren’t prepared when it comes to protecting sensitive information. Whether you’re a small business or an enterprise, here are our top tips for protecting your customers’ valuable data from website hackers.
1. Meet credit card compliance standards
Protecting the credit card information of your customers is crucial for protecting your brand reputation. Online transaction security has come a long way since the early days of the internet, but you’ll need to ensure your business is doing everything it can to protect customer transaction data.
According to a 2015 study by American telco Verizon, up to 88% of businesses fail to comply with the Payment Card Industry Data Security Standard and its associated protocols. Even more concerning, that same study found that the number had risen from 67% in 2009. Meeting compliance standards is critical for protecting your business from cyber security threats.
2. Patch and update your website and digital assets
There’s no excuse for not keeping all your digital assets up to date. Your software vendors work hard to ensure timely delivery of updates and software patching (many will even patch automatically), but ultimately it’s your responsibility to ensure these updates are applied effectively.
A good way to think about security patches is like a net that protects your web presence. Unpatched assets like your web CMS, APIs, plugins, ERP or eCommerce platform leave holes in your net. Keep everything up to date and you’ll go a long way to ensuring better digital protection for your customers.
3. Update to SSL authentication for payment data security and authenticity
If you’re not already using Secure Sockets Layer for authentication and data protection then you’ll need to look into that right away. According to Rick Andrews at Symantec, SSL certificates help “to authenticate the identity of your business and encrypt the data in transit. This protects your company and your customers from getting their financial or important information stolen.”
You can go the extra mile with Extended Validation Secure Sockets Layer (EV SSL), the URL green bar and SSL security seal. Andrews points out that web based attacks continue to increase, and that is can be “a leap of faith for customers to trust that your ecommerce site is safe”. Ensuring you meet the SSL standards can greatly reduce the length of the leap you’re asking your customers to take.
4. Employ complex password protection
While this should be standard for any IT account based activity, it’s amazing how many companies still don’t enforce a complex password policy for their user accounts. “Longer, more complex logins will make it harder for criminals to breach your site from the front-end,” says Sarah Grayson at McAfee. “While it is the responsibility of the retailer to keep customer information safe on the back-end, you can help customers help themselves by requiring a minimum number of characters and the use of symbols or numbers.”
5. Don’t store sensitive data if you don’t need to
“If you have nothing to steal, you won’t be robbed.” says Chris Pogue at Trustwave. Pogue recommends not storing the credit card numbers, expiration dates and CVV2 codes of your customers, pointing out that it’s against the PCI Standards recommendations.
While customer info like an email address, delivery address and name are important for marketing and logistics, there’s simply no reason for you to require the CC details to be kept on record at all times. Richard Stiennon at IT-Harvest recommends allowing a third party processor like PayPal, Stripe and Authorize.Net to handle all the CC processing. “These providers have the security and tech muscles to take care of customer data, so it’s best to leave the handling of credit card information to them.”
6. Encrypt everything
Regardless of the size of your business, from a 6 person SMB to enterprise level global corporations, it’s imperative to encrypt your data and ensure the ongoing protection of your customer information.
You can start with password encryption for user accounts and other sensitive information, but you should also consider the encryption of physical hard disks that store and transport sensitive data. This could be at a server level, on your cloud infrastructure, or even on a laptop that carries account structured or unstructured data that is business critical in nature.
7. Be transparent and educate your users
Data protection works best when everyone along the value chain is contributing to the safe and secure transmission of information. You can motivate your customers to be more active in safeguarding their data through transparent education. Let them know what information you collect and how you collect it. You can also provide information about spotting suspicious behaviour, and make it easy for them to inform you if something goes wrong.
8. Be thorough with access controls
Best practice IT processes dictate a strong adherence to the protocols that define who has access to what in your organisation. Removing organisational access from staff that are no longer employed is important, but so is auditing and vetting current access controls and how they relate to the current work profiles of staff.
Organisations that ignore this aspect of IT security run the risk of incurring massive security debt, where user profiles are so complexly defined that it becomes a headache to untangle. If your organisation doesn’t regularly audit the permission levels of staff against their actual job descriptions than you’ll want to get on this sooner rather than later.
Don’t risk it
Names, employee ID numbers, addresses and credit card information – customers entrust you with sensitive data that can be easily stolen by hackers looking to create fake identities. It’s your responsibility to take the necessary precautions to ensure the protection of your customers’ personal information, and your business reputation – don’t leave security and privacy to chance.