We read it in the headlines all too often: “Facebook, PayPal Users Urged to Check Logins After Hacking,” “Sony Hacked Again; 25 Million Entertainment Users’ Data at Risk,” “Zappos Says Hacker May Have Accessed Info on 24 Million Customers,” and most recently, “MasterCard, Visa Warn of Credit Card Data Theft.”
Clearly, fraud that leads to identity theft remains a very real threat. Once hackers infiltrate businesses’ networks, they can access customers’ personal information and use it to assume false identities, open credit cards or apply for loans in customers’ names.
While we read about the large-scale attacks on big business, businesses of all sizes face a certain risk. In fact, small- and medium-sized businesses (SMBs) remain especially vulnerable as organized crime shifts its focus to smaller merchants that may have less stringent security measures in place.
This threat to businesses and their confidential customer data demands proactive information security and fraud protection plans, as well as incident response protocols. While all businesses need to address security, for SMBs the stakes are especially high: security breach laws and regulations continue to tighten and notification requirements are becoming more stringent. SMBs without the infrastructure to adequately comply with these laws could, in the event of an attack, incur expenses that climb to hundreds of millions of dollars, threatening the viability of their operations.
Though it may sound overwhelming – another area to address amidst the chaos of running the business – there are ways to protect against and effectively address fraud and identity theft. It just takes some planning and forethought, or perhaps an attitude shift around security. SMBs need to adopt an approach that makes security and risk management an integral part of operations, a built-in component of every project and expansion, rather than an additional item at the bottom of the “to-do” list.
The Letter of the Law … and its Consequences
While Congress continues to work toward federal consumer protection legislation, at present, data breach disclosure laws in 46 states govern all organizations doing business within their jurisdictions. These regulations require merchants to notify victimized customers in the event of an attack on the businesses’ networks and provide customers with guidance on next steps and recovery measures. If businesses fail to undertake these actions in a timely manner, they can face steep fines, enforcement actions from state and federal regulators, and lawsuits from their customers.
The penalties merchants can incur easily become onerous and complex. A company with hundreds of thousands of victimized customers across 10 states would, first of all, have to meet the disclosure criteria of all 10 states’ regulations. Then there are the costs of remediation, which average $214 per affected customer record. These numbers quickly climb to millions of dollars, without factoring in any additional regulatory actions states may bring.
A Two-Pronged Approach to Business and Customer Protection
To protect their customers and ensure they can comply with the data disclosure laws, businesses need to develop comprehensive security plans. These policies should contain two lines of defense: precautionary measures and protocols for breach response.
For front line protection that reduces the chance of becoming data breach targets or victims, businesses should take these steps:
- Assess current security practices and potential gaps. Common areas of vulnerability include firewall adequacy, anti-virus and anti-malware protection and warning systems to indicate threats of attacks.
- Develop plans for privacy and security that address backup and recovery, compliance and due diligence practices. Most importantly, businesses need systems to identify the location of their customers’ confidential information – databases, contact lists, financial records – and focus on protecting these key areas.
- Train employees so they know how to execute the security plans. Incorporate continuing education to keep employees up to speed on security practices.
In addition to prophylactic measures, SMBs need action plans ready in case breaches occur. Companies prepared to manage breach situations can respond efficiently and effectively, minimizing financial and reputational damage as well as harm to customers. Thorough preparation demands the following:
- Breach incident planning that includes designing a breach process flow, developing a forensics checklist, assigning internal breach incident team roles and drafting an external notification guide.
- Access to post-incident support to ensure businesses have the resources they need to carry out the recovery and customer notification processes. These supports could range from customized victim notification letter production, to call center support to handle victim concerns, to an outside forensic expert to help investigate root causes of the breach and isolate vulnerabilities.
While developing security plans like these takes time and energy, it’s an up-front investment that SMBs must make to help protect their customers and their businesses. In addition to losses from the breach itself, SMBs that suffer an attack can lose up to 25 percent of their business because of decreased consumer confidence in their brand. These are clearly losses no company can sustain. With the right approach to security and fraud protection in place, they shouldn’t have to.