Five Simple Steps to Better Protect Customer Data
Okay, so let’s begin with a little bit of a quiz. Just try answering it in your head because we are not getting too interactive here.
Have you had a data breach and have your customer data records been stolen recently?
A. Yes. B. No. C. Attempted but no breach.
If you went with B, then you are just plain lucky. If you chose A, then you didn’t do what you needed to do. And if your choice was C, your customers are probably pretty safe.
There’s nothing surprising about someone having attempted to breach your customer data vault. It has become pretty ordinary, considering more than 9 billion customer data records have been stolen since the turn of 2013 (at the time of writing this). That’s almost 5.5 million records stolen every day. This absurdly high rate of loss translates into a lot of cash. Different experts have different estimates, but we can all agree that it’s pretty expensive to lose customer data.
So, if you’ve been hacked and your customer data stolen, it’s not because you’re unlucky. It’s just that you have not secured it well enough.
So, without getting into a lot of peripheral talk, let’s dive straight into what causes data breaches, what hackers are looking to derive from data and what steps you can take to prevent data breaches. Alright, let’s go.
What’s a Data Breach?
Well, there are different kinds of breaches. Some of them are really dirty while some won’t even scratch you a bit. Being a business organization, you would have a lot of data pertaining to your organization, your collaborations, your customers and so on and so forth. All of this is valuable data stored on your servers. And black hats exploit vulnerabilities to target your data and steal it. If they succeed, it’s like a kidnapping.
The most serious incidents of all are when the black hats siphon your customer data, simply because it involves thousands of customers and puts them and their freedom at risk. That is something you just can’t afford. Such breaches can result in identity theft and even economic losses for your customers, raising the stakes far too high. Just recently, hackers used malware to steal customer payment data from restaurant chain Chipotle.
But how do black hats do it? They simply work hard. You’ve got to give it to them: they really work hard at their stuff, going from system to system trying to find that one small hole to sneak in. It’s just that it’s not ethical or legal. Kaspersky has put together a nice essay on how black hats actually gain access to data. You should read it.
What do black hat hackers have to gain?
In 2016, internet major Yahoo! reported two data breaches that occurred in 2013 and 2014 and affected more than 1 billion accounts. The data breaches cost Yahoo! nearly $350 million, as Verizon reduced the price of the acquisition deal owing to the serious incidents. That’s how much it costs companies if they lose data. But what about these black hat kids? What do they get? Well, customer data is valuable information, more so if it contains financial data. They can use the data to extract a ransom from the organization it belongs to, or can even sell it on the dark web for cash. It’s a pretty lucrative business, which is why we have so many people using their grey matter to find a way into company servers. Take the hacker group Tsar Team, which published a few photographs stolen from the database of a Lithuanian cosmetic surgery clinic and then started demanding payments in bitcoin to return the data.
How do you protect yourselves?
Ambitious black hat hackers will go after the big guns like Yahoo! to maximize their returns. But the smart ones will go after the medium level enterprises. There are a lot of smart hackers out there so no organization is completely safe. Safety, however, can be vastly improved if you can take a few simple steps in order to increase the immunity of your systems.
- Implement Social Login: Traditional email-based user registration and login can be cumbersome for users. But that’s not all. Email-based registration leaves you vulnerable to cyber attacks and breaches because you are storing the authentication information yourself. With social login, consumers don’t have dedicated authentication credentials for each website but just use their existing Facebook, Twitter or other social identities to log in. As a business, if your consumers use social login to sign in to your website, you authenticate them but you never actually know their credentials. That part stays with the social networks. If the authentication data doesn’t rest with you, black hats can’t steal it from you.
- Use the cloud and encrypt your customer data: You must be baulking at this suggestion. But practically speaking, the cloud is still the best bet for smaller enterprises. Azure or AWS could do a good job. But it doesn’t end there. Whether it’s your private server or the cloud, ensure that you encrypt your customer data (and store passwords only as hashes produced by a secure password hashing algorithm, never in plaintext). Encryption makes sure that even if the bad guys get access to your customer data, they can’t decipher anything, and it’s of no use to anybody except you. The new General Data Protection Regulation (GDPR), Europe’s swanky new data protection law, will come into effect from May next year, and it mentions something called pseudonymization. Pseudonymization means transforming the data so that it no longer directly identifies anyone, so even if someone steals your customer data, individual customers can’t be precisely identified from it.
- Two Factor Authentication: Yep, it’s the latest recipe to thwart attacks from black hats. Two Factor Authentication adds an extra layer of security: customers log in using a temporary passcode sent to their phones or email. So, even if some smart guy runs away with your customer credentials, they can’t really do anything with them because they simply can’t steal everyone’s phones. Authentication is not complete until the temporary passcode is presented.
- Limit Access to Data: The worst attacks originate from within. No, that doesn’t mean a mole within your organization, but some kind of mistake that could open a vulnerability for black hats to exploit. You can’t even blame anyone. The best step to avoid such situations is to create a concrete authorization policy about who can access what kind of customer data. Very few people should have access to customer data.
- Educate Employees and beware of BYOD: Employee education is critical to protecting data. If your employees are lax about customer data protection, the likelihood that you will lose data just goes up. Keep them abreast of the costs and implications of customer data breaches. And yes, don’t encourage Bring Your Own Device. We are strong proponents of Bring Your Own Identity for customers, but for employees it is better to just work with company hardware. BYOD is great, but its extensive usage has meant that a lot of employees have corporate data stored on their personal phones or laptops. If one of these is accidentally lost, just think about what could happen.
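To make the second step concrete, here is an added example (not code from the original post) of the two things it asks for: storing passwords only as salted, slow hashes, and pseudonymizing a direct identifier with a keyed HMAC so a stolen table cannot be tied back to real customers. PBKDF2 is used here only because Python ships it; the function names, iteration count and sample customer are this example’s own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 with a tunable iteration count (raise it as hardware gets faster).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex fields).

    A random per-user salt means two users with the same password get different
    records, so a stolen table cannot be cracked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier (here an e-mail address) with a keyed HMAC token.

    The same identifier always yields the same token, so records can still be
    joined and counted, but without the key the token cannot be reversed or
    confirmed against a list of candidate e-mail addresses.
    """
    return hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample customer (not real data); the key would live outside the customer database.
    pseudonym_key = os.urandom(32)
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
    print(pseudonymize("Alice@Example.com", pseudonym_key))
```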
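The third step says authentication must not complete until the temporary passcode is presented. This added example (not from the original post) shows the server side of that: the passcode is random, only a keyed hash of it is stored, it expires, it is single-use, and guesses are capped. The lifetime, attempt limit and names are this example’s assumptions; sending the code by SMS or e-mail is outside its scope.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Tuple

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # a stolen passcode is worthless after five minutes
MAX_ATTEMPTS = 5              # blocks online guessing of a six-digit code


@dataclass
class PendingLogin:
    """Server-side state for one login that passed the password step but not the second factor."""
    salt: bytes
    code_hash: bytes          # only a keyed hash of the passcode is stored, never the passcode itself
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    return hmac.new(salt, code.encode("utf-8"), hashlib.sha256).digest()


def issue_code(now: float) -> Tuple[str, PendingLogin]:
    """Generate a random passcode to send to the user out of band, plus the record the server keeps."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = os.urandom(16)
    return code, PendingLogin(salt, _hash_code(code, salt), now + CODE_LIFETIME_SECONDS)


def verify_code(pending: PendingLogin, submitted: str, now: float) -> bool:
    """Complete the login only if the passcode matches, is unexpired, unused and attempts remain."""
    if now > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
        return False
    pending.attempts += 1
    ok = hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash)
    if ok:
        pending.expires_at = 0.0   # single use: a replayed passcode must fail
    return ok


if __name__ == "__main__":
    import time
    code, pending = issue_code(time.time())    # a real system would now send 'code' to the phone
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    print("wrong guess:", verify_code(pending, wrong, time.time()))
    print("right code:", verify_code(pending, code, time.time()))
    print("replay:", verify_code(pending, code, time.time()))
```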
So, this is not an exhaustive list. There is no exhaustive list. You just have to do the best you can. Also, a lot of businesses, like the Lithuanian clinic, don’t take security very seriously. We are all past the stage when security was only for banks and financial institutions. Sure, it’s vital for them, but the security requirements of the average company are not far behind. The sooner companies realize this, the better for them. You don’t want to learn the hard way, do you?