Last week news broke that major retail stores David Jones and K-mart had customer data compromised. This might leave many smaller organisations worried. If the big players can't keep customer data safe, what chances do small-medium organisations have? But the answer is plenty, as long as you make data security a priority.
Regardless of the size of your business, the Australian Government's Department of Communications and Arts says it important you keep your customer data safe; not just from a reputation perspective, but also from a legal perspective.
If you haven't done so already, make sure you read the Australian Privacy Principles so you have a sound understanding of your legal obligations when it comes to keeping customer data safe.
How do I Keep Customer Data Safe?
While many assume it will be hackers who steal customer data, you might be surprised to learn there are many other threats, including staff, ex-employees, thieves breaking into your office and stealing equipment, not managing mobile devices securely, and staff carrying data out of the office on portable media such as a USB.
To manage these threats, you must first develop a good overview of the personal information held by your organisation, as well as develop a sound understanding of how your organisation currently manages this information and who has access to it. Based on this information, there are then a range of strategies you can implement to keep your data safe.
Strategies to Keep your Customers' Personal Data Safe
There are a number of strategies organisations can implement to keep customers' data safe, including limiting who has access to it. Outlined below are a few of the key strategies.
1. Never Store Customers Passwords in Clear Text
Unfortunately customers often use the same password for multiple sites. This means if you get hacked or private information is leaked, you are potentially exposing your customers to great risk. IT managers should ensure that the software that they use, particularly systems accessible from the Internet, store passwords in a secure way. Ask your software vendor how your customer passwords are encrypted - and ensure that the method they use is a one-way hash using a strong slow hashing algorithm such as PBKDF2 or bcrypt with long random salts per password. If you're not sure if the system you are buying meets these requirements, get independent security advice from an IT service provider.
2. Manage your Media
If you use portable media devices such as USB drives to store or move customer data, make sure the data is encrypted. Also, be sure to destroy old media once you are done with it. Don't leave USBs, portable hard drives or CDs with data on them lying around your office. There are tools out there that can safely erase data from digital media mitigating this risk. Also most portable devices come with encryption software than can be employed.
3. Implement Mobile Device Management and Endpoint Encryption
Mobile devices such as laptops, tablets and phones are now main stream business tools. The flexibility of working anywhere is a great advantage to business, however with this benefit comes increased risk of data leakage and theft. Consideration must be given as to how to manage data on mobile devices, especially considering mobile devices are more likely to get lost and end up in the wrong hands. If this did happen would you be able to remotely wipe all data on your laptop or phone? If the answer is no, you should implement mobile device management and endpoint encryption. Also, Microsoft Exchange provides this capability straight out of the box. If you are thinking of upgrading to Exchange 2013, read our special report about key considerations.
4. Educate Your Staff about Phishing
Modern versions of Windows make it vastly more difficult for hackers to break in directly. This means hackers are much more reliant on social engineering granting them access through phishing scams. Phishing scams are fake emails, tweets, Facebook posts, instant messages and so on, which can look incredibly authentic.
It is important to educate your staff about phishing scams and give them guidance about what to look for. For tips about how to spot a phishing scam, click here.
5. Monitor your logs
Almost all IT systems produce log files, but many companies never actually look at them until a problem occurs. Logs files can provide valuable insight into your IT environment and system and let you detect problems before they become a big issue.
For example, a log analysis system could help you identify that somebody is repeatedly trying to access a customer's account with the wrong password and that they're connecting from an unusual country. You could use this information to block the source of the hacking attempt.
Monitoring logs manually can be a very tedious task, but a high quality IT service provider can do this for you efficiently (using a mixture of people and sophisticated tools) and provide proactive notifications about potential issues before they problems.
6. Protect your Website with Web Server Encryption
If you have an e-commerce site, or any website that handles any personal details for example a contact form, make sure your website is protected with web server encryption. Web server encryption such as SSL ensures sensitive information sent across the internet is first encrypted so only the intended recipient can understand it. Make sure that whoever is hosting your website is using the security protocols which don't have known flaws. You can use this free test to check your secure website.
7. Patch (Update) your Servers
Many people assume if your computer seems to be working fine then there is no need to apply a patch or preventative maintenance. After all, "If it ain't broke, don't fix it." But this approach might leave the door open for malicious software such as malware to creep in, which is why it is important for organisations of all sizes to have a patch management strategy.
If you outsource your web hosting to a third party, make sure they have a patch management policy and hold them to it.
Australian Government Resources on Keeping Customer Data Safe
We've listed some resources that you may find useful in assisting you in keeping your and your customer's data safe.
- Privacy Act 1988
- Your Guide to Getting Online - Protecting your Customers
- Stay Smart Online - Protect Your Business
- Office of the Australian Information Commissioner - Guide to Securing Personal Information
About F1 Solutions
For over 20 years F1 Solutions has been building quality software solutions for Federal and State Government departments, small and large not-for-profits, and businesses in Canberra and across Australia. We also provide organisations with trusted IT support and advice, as well as a range of other services.
- IT Support
What others say About Us
“Our relationship with F1 Solutions has been productive, professional and consultative. We have never been in any doubt as to what to expect and when to expect it. No question was left unanswered and no problem was too big or small to deal with.”