Companies collect and keep customers’ personal information on file for legitimate uses, but when a company becomes complacent about security, its own practices can turn a new threat into a company-wide problem. Spohn Security Solutions offers advice on how to prevent and respond to such problems.
(Austin, TX) January 15, 2018—As new estimates predict cybercrime costs will exceed $2 trillion by 2019, many consumers are wary of letting companies handle their personal data. Lack of diligence in the business world has dominated headlines, leading to serious mistrust on the part of consumers. Currently, 68% of consumers don’t trust companies to handle their personal data securely and keep it protected from hackers. (1)
Companies need consumer data for invoicing and other legitimate business purposes, so they must develop methods for securing that data effectively and keeping personal information out of the wrong hands. Cybercriminals quickly devise ways around older security measures, and it is a sure bet that they will keep looking for any vulnerability that new patches and controls leave uncovered. Nevertheless, a few basic practices can protect most consumer data, and it is equally important to keep customers informed about how the company handles and protects their personal information. Spohn Security Solutions has a few suggestions in this regard: (1)
1) Use multiple layers of authentication, such as multi-factor authentication, for anyone who can reach customer data, and follow this up by letting customers know who has access to their data and how it is secured against unauthorized use.
2) Make sure your company is focused on security, not just compliance. That means following a list of best practices to ensure that your customers’ information stays safe. PCI, HIPAA and SOC compliance define the MINIMUM acceptable level for many aspects of data security, from employee procedures to data encryption. Compliance comes with security, not the other way around. Compliance is great to advertise on your website and is in many cases required by law, but a secure network is what lets you sleep at night.
3) Make your consumers’ privacy a competitive advantage for your company. Destroy customer data once it is no longer needed or required by law to be kept. Let customers know that you will not keep credit card information or other personally identifiable information on file longer than legally required. Communicate your data retention and assured destruction agreements (including for data held in the cloud), and explain that this is why they must re-enter their data on your site. Most will appreciate your attention to their privacy, even if it is inconvenient. (2)
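As an added illustration of the retention practice in suggestion 3 (example code, not from Spohn Security Solutions or the cited articles): a small Python routine that applies per-category retention periods to customer records and reports which records should be purged, which are still within their period, and which are past their period but held back under a legal hold. The record layout, the category names and the retention periods are assumptions chosen for illustration; real periods come from counsel and the regulations that apply to the data.

```python
"""Retention-policy enforcement for customer records.

Added example, not code from Spohn Security Solutions. The categories,
periods and record layout below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention periods per data category, in days since last use.
# A period of 0 means "never store": e.g. full card numbers should be
# tokenised by the payment processor rather than kept on file.
RETENTION_DAYS = {
    "invoice": 7 * 365,          # assumed statutory bookkeeping period
    "marketing_profile": 365,
    "support_ticket": 2 * 365,
    "card_number": 0,
}


@dataclass
class Record:
    record_id: str
    category: str
    last_used: datetime          # must be timezone-aware (store in UTC)
    legal_hold: bool = False     # a litigation hold overrides the policy


def is_expired(rec: Record, now: datetime) -> bool:
    """True once the record's retention period has elapsed.

    Fails closed: a naive timestamp or an unclassified category raises
    instead of being silently deleted or silently kept forever."""
    if rec.last_used.tzinfo is None:
        raise ValueError(f"{rec.record_id}: naive timestamp; use UTC")
    if rec.category not in RETENTION_DAYS:
        raise KeyError(f"{rec.record_id}: no retention rule for {rec.category!r}")
    limit = timedelta(days=RETENTION_DAYS[rec.category])
    return now - rec.last_used >= limit


def purge(records, now=None):
    """Classify records as (deleted_ids, retained_ids, held_ids).

    The caller performs the actual deletion from the data store, so the
    decision can be logged for audit before anything is destroyed.
    Expired records under legal hold are listed separately for review."""
    now = now or datetime.now(timezone.utc)
    deleted, retained, held = [], [], []
    for rec in records:
        if not is_expired(rec, now):
            retained.append(rec.record_id)
        elif rec.legal_hold:
            held.append(rec.record_id)
        else:
            deleted.append(rec.record_id)
    return deleted, retained, held


def demo():
    """Run the policy over constructed sample records at a fixed date."""
    now = datetime(2018, 1, 15, tzinfo=timezone.utc)          # constructed
    records = [                                               # constructed
        Record("inv-001", "invoice", now - timedelta(days=8 * 365)),
        Record("inv-002", "invoice", now - timedelta(days=2 * 365)),
        Record("mkt-001", "marketing_profile", now - timedelta(days=400)),
        Record("mkt-002", "marketing_profile", now - timedelta(days=400),
               legal_hold=True),
        Record("card-001", "card_number", now),   # period 0: purge at once
    ]
    return purge(records, now)


if __name__ == "__main__":
    deleted, retained, held = demo()
    print("delete :", deleted)
    print("keep   :", retained)
    print("on hold:", held)
```

Two design choices matter here. The routine returns record IDs rather than deleting in place, so the purge decision can be written to an audit log and reviewed before data is destroyed, which is what lets a company back up the promise it makes to customers. And it fails closed on anything it cannot classify: an unknown category or a timezone-naive timestamp raises an error rather than being quietly deleted or quietly kept forever.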
However, even with these and other measures in place, employees sometimes neglect to follow them, and new employees who have not yet been fully trained on current security practices can make mistakes. Spohn Security Solutions has been in the cyber security business for 20 years and has observed that not all companies maintain an appropriate level of vigilance regarding employee security training.
“It’s vital that companies continue to provide security training for their employees. When they train but then forget to regularly update and check on their employees’ practices, it’s as if they were never trained at all,” said Timothy Crosby, senior security consultant for Spohn Security Solutions.
When these gaps occur and a new threat hits, the risk can propagate throughout the organization, leaving vulnerabilities for attackers to exploit. One example was the WannaCry ransomware attack of May 2017. That attack, termed “next-gen ransomware,” was one of the largest ransomware infections in history. Whereas regular ransomware encrypts only the machine it lands on, WannaCry spread from machine to machine inside an organization’s network by exploiting a Windows SMB vulnerability that Microsoft had patched two months earlier (MS17-010), without users having to open emails or malicious attachments (which is why it is called a “ransomworm”). (3)
Crosby says, “A big risk is companies becoming complacent with their security watchfulness. Windows had released an updated security patch prior to the WannaCry attack, but not everyone updated their system. There’s a risk of companies providing employee training and information but then forgetting to provide continuity.”
About Spohn Consulting, Inc.
Spohn Consulting, Inc., an Austin, Texas-based, privately held company established in 1998 by Darren L. Spohn, is an authority in guiding Fortune 500 companies and small to medium-sized businesses through the security challenges of the 21st century. Spohn Consulting works with organizations to assess their information security posture (the security status of an enterprise’s networks, information and systems, based on the people, hardware, software, policies and capabilities in place to manage the defense of the enterprise and to react as the situation changes), offers customized instructor-led training, and sells telecom services. Using engagements of varying scope, they deliver recommendations that can be measured against best practice or compliance standards.
1 Gerber, Scott. “9 Ways to Protect Your Customers’ Data and Keep Them in the Loop.” The Next Web, 2 June 2017.
2 “Customer Privacy Is An Important Part Of Business Strategy.” ReputationDefender, 30 Sep. 2011, updated 3 Oct. 2017.
3 Zeichick, Alan. “Self-Propagating Ransomware: What the WannaCry Ransomworm Means for You.” Network World, 16 May 2017.