Building and maintaining customer trust is a fundamental part of running a successful business. In the past, doing so was a straightforward matter for honest business leaders.
In today's world, however, the internet has exposed even the most well-intentioned companies to attacks specifically designed to steal customer information. Businesses that rely on the internet carry an increasingly complex responsibility to build an effective security strategy.
In the old days, building a security plan may have been as simple as locking a safe. Today, a security plan must weave technology and processes together to navigate a web of external regulations, software and hardware choices, and internal policy design. To add even more complexity, requirements, regulations, and the techniques used by cybercriminals all evolve regularly.
The first step in protecting customer data is to develop a comprehensive, written information security program based on the firm's unique risks. This process may be managed by information security leaders, but it matters to the entire business and should be done in conjunction with senior leadership. In many cases, it is helpful to bring in experienced consultants to identify weaknesses and build out a complete strategy.
Once the strategy is in place, it is important to understand that it will not be 100% effective. Given the speed at which attackers move and evolve, no security team can hope to prevent every intrusion. Therefore, you must also build a program to monitor for, detect, and investigate threats. In many recent attacks where customer data was exposed, regulators fined the victimized company for having an insufficient detection program. A company may choose to buy alerting tools and build its own security team, but that may be too expensive for small businesses, which are more likely to buy outsourced services such as a Managed Detection and Response (MDR) program.
The next key action is to establish a system for continuously testing the efficacy of the security program. This may entail hiring an outside firm to attack the system on a regular basis via penetration testing, running vulnerability scans on the network, and/or hiring consultants to evaluate the network. Many companies invest significantly in security systems and teams but overlook their own employees. It is crucial to provide security training to all employees in the organization, because a security strategy is only as strong as the training employees receive. For example, employees have been known to unwittingly install malware on corporate networks by plugging in infected thumb drives they found elsewhere.
The next step is to document in detail how teams will respond to identified threats, and to record each response as it happens. With an incident response plan in place, a company can act quickly when a bad actor penetrates its network. No security system can be effective without such a plan.
Finally, companies need to ensure that third-party vendors have acceptable security programs, and they need a process to review those programs at regular intervals. Many recent breaches have occurred because third parties had subpar security standards. Target fell victim through an HVAC vendor, while Sonic exposed customer credit card information because of inadequate security protocols at one of its card processors. Regulators are beginning to hold companies responsible for the mistakes of their partners, and customers certainly will, by shopping elsewhere.