How to Stay Protected in this New Age of Data Breaches
The rate at which data breaches are hitting and impacting businesses shows no sign of slowing. In fact, according to the Identify Theft Resource Center, the number of breaches so far this year has already surpassed the number of breaches around the same time last year by almost 35%. (Here’s a list of breaches that have already occurred this year.)
Security breaches keep happening because they can. In the payments industry in particular, there have never been more options for consumers to purchase goods and services, whether it’s through an e-commerce website or with a mobile device at a cafe. Omnichannel payments have provided convenience for both sides of the transaction, but they have also become opportunities for criminal hackers, and as a result, vulnerabilities for consumers.
What do hackers do with the information they rob? Engage in fraudulent activity with stolen identities. However, this doesn’t necessarily happen right away. According to a report from Javelin Advisory Services titled "2017 Data Breach Fraud Impact Report: Going Undercover and Recovering Data," three-quarters of total fraud losses for last year arose from individuals who had been victims of a data breach within the previous six years. Not comforting. So, if you made a purchase at a company that then experienced a data breach, you might be paying for it years down the road. As a customer, that’s a pretty scary thought.
Businesses need to do their part. It is absolutely the responsibility of a business to ensure their data and the data of their customers is safe, whether it’s being processed or it’s at rest, being stored in a database. Customers put trust into merchants they give their business to, assuming their information will not be exposed outside of the transaction they’ve engaged in.
But, it happens. It happens to businesses of all kinds: small or giant. Just recently two major brand names were hit hard by breaches: restaurant chain Chipotle and retailer Kmart. This is also the second time that Kmart has been hit with malware affecting its payment systems. Even household names are struggling to protect themselves and their customers. Have data breaches become somewhat inevitable? Yes. However, businesses have the tools available to them to protect themselves against the impact of a data breach.
Proactivity and preparation is everything. All too often, more energy is put into cleaning up the mess, after a breach has occurred, than planning ahead and preparing for a breach. Everyone should have an incident response plan to control the situation during a breach. This will help you control actions and communication, and ultimately lessen the impact of a breach. Let’s not forget that coupled with that plan should also be the development and consistent updating of a comprehensive security program, to prevent the actual impact of a breach.
A risk management program will help you decide where to focus your energy and close your biggest vulnerabilities first. At least once a year, conduct a risk assessment in as large of a scope as you can. Bring in stakeholders from all over the business and openly discuss where each group sees areas for improvement. It’s also helpful to evaluate your business on a security maturity model such as COBIT.
What should you include in your security program? Powerful security solutions. The PCI Security Standards Council recommends payment data solutions like tokenization and point-to-point encryption (P2PE) that can not only help businesses better manage PCI compliance, but also provide strong, modern encryption. Tokenization won’t keep a hacker from breaching a system but it drastically reduces its impact. Tokenization is a process that replaces actual sensitive data, like a credit card number, with a valueless token that’s otherwise useless to a criminal seeking the information. Combined with P2PE, a solution that protects sensitive data with encryption from the moment it is captured through its full lifecycle, businesses can prevent the use of sensitive data for fraudulent activity in the event a system or network is breached.
There’s no way around it. Breaches will happen and if businesses don’t put the right steps into place to protect customer information, the impact can be devastating and lasting. Do the research and ask the questions that will get your business set up for a much less painful impact if and when a breach does occur.
Justin Shipe is VP of information security for CardConnect, a leading provider of payment processing and technology solutions, helping more than 67,000 organizations – from independent coffee shops to iconic global brands – accept billions of dollars in card transactions each year.