Follow these steps to ensure safe data practices and to foster customer trust
Most small businesses, even those without an e-commerce website, collect some form of personal data from customers over the Internet. Small banks, individual insurance agencies, non-profit organizations, doctors’ offices, and even elementary schools provide forms for people to submit online—including addresses, Social Security numbers, credit card data, phone numbers, and the names of family members. We all trust that these organizations will prevent our sensitive information from falling into the wrong hands. In fact, if your small business accepts customer data over the Internet, you’re responsible for protecting it from the moment a customer hits ”send,” while it’s archived on your network, and until you delete it.
Protecting customer data is smart business. People lose trust in companies that don’t protect their personal data, and untrustworthy companies lose business. Also, many small businesses are required by state and federal laws to provide certain privacy protections; and, if data is lost through a security breach, those companies face stiff penalties and hefty fines. Failing to protect customer information can devastate a small business.
In honor of National Cyber Security Month, make sure you follow these five steps to help ensure safe data practices and happy customers.
1. Design a secure website. The first step is to build a website that customers can trust. Provide a secure URL that starts with ”https” and encrypts traffic. (I always advise readers to submit credit card numbers and other sensitive data only through https websites.) Your web server should support both https and TLS/SSL (Transport Layer Security/Secure Sockets Layer) encryption. Check with your web hosting provider if you have any questions about the security of your website.
2. Control access to sensitive data. You need to know where customer data goes and who has access to it once it enters your network. If there’s a data leak, you must be able to track it down to the database or the server it was on and to the people who had access to it. No matter how much you trust your employees, limit access to customer information to only those employees who need it to do their jobs. You can use access control lists (ACLs), for example, to make sure that only authorized employees can access credit card numbers.
The same goes for your partners’ networks, as well. Many small businesses share customer data with their affiliates, but you can do that only with permission from customers. Make sure the procedures you use to protect customer data on your internal network are also in place externally, including with partners and any hosted services you use, such as in the cloud.
3. Use a comprehensive range of security technologies. There is no single solution that will fully protect your customers’ data. You need to use a range of security technologies, including password protection on computers and mobile devices, secure Internet connections, encryption software, and content monitoring and filtering tools. These technologies can help prevent data from being stolen or illegally transferred, such as from an authorized computer to an unauthorized USB flash drive. You can also use them to track outbound traffic and stop sensitive information from being transmitted. To make management easier, consider a security appliance that provides several security technologies in a single box, such as the Cisco SA500 Series Security Appliance.
Decide, too, which types of data need stronger security methods. For example, customer data that can aid in identity theft, such as Social Security numbers, requires greater protection than public information such as phone numbers.
4. Get rid of data you don’t need. Analyze the data you’re collecting and make sure you really, truly need it. For example, do you need to collect all nine digits of a social security number or can you use just the last four to identify individual customers? Find out, too, how long you need to retain customer data. Some organizations, such as law firms, are required to keep client records for a certain number of years, depending on state laws. If you find you don’t need it, delete the data—but make sure you do so securely with a paper shredder or even a disk shredder.
5. Physical security is important, too. Don’t forget to physically lock down your customer data. If you keep paper records, make sure filing cabinets are locked as well as the storeroom that houses them. Provide laptop locks for employees who leave their laptops at work to discourage theft. Naturally, doors should always be locked after hours, and only certain employees should have the keys.
Of course, all of these security measures are only as effective as the employees who use them. So, all employees need to be trained to correctly use the security technologies to protect customer data. Everyone should understand how important it is to protect customers’ sensitive, personal information.
What steps do you take to protect your customers’ private data?