How to actually stop dangers to customer information
So you have set up your website and installed anti-virus and spyware software for your business computers. Is that enough security for your online small business to meet its legal duties? Sadly for many small businesses and start-ups, the answer is No!
Recent high-profile data thefts show that consumers are right to be extremely worried about whether personal information is safe, even with large online businesses that spend a lot of money on information security. Online shoppers trust small ecommerce businesses even less.
Here, we look at why protecting customers’ information is vital for small businesses and the risks for consumers. I outline the 5 essential steps every small business must take to ensure that customers’ and prospects’ information is collected, processed and stored securely.
Consumers’ trust in online businesses
Online users have historically had very low trust that their information will be safe with ecommerce businesses. The increasing prevalence of phishing scams, malware, and just plain rubbish customer service makes consumers more wary with their clicks than ever before (Shopify).
An ITPro survey made these startling findings:
- 33 percent of people say they never shop online with lack of trust in online businesses cited as the biggest single reason.
- Of the people not shopping online, 30 per cent identified a lack of trust while personal security was the problem for 20 percent.
- Of the people who do shop online, almost three quarters (72 percent) still had concerns.
People fear that businesses will not look after their sensitive information – any information that can be used to identify a user (individual or business) for example:
- Date of birth
- Payment details
- Transaction history
Consumers rightly see giving personal information to a website they don’t know or can’t trust to keep it securely as effectively playing the game of ‘chicken’ with their lives: akin to standing in the middle of a busy road and then waiting to see if they get run over (something that will inevitably happen).
These are consumers’ biggest fears about online threats (Integralis survey):
- Identity theft (76 per cent)
- Viruses/malware (61 per cent)
- Scam emails (51 per cent)
Small businesses must go the extra mile to get consumers to trust them with their information if they want those consumers to buy from them. Failing to earn consumers’ trust leads to lost sales, lost revenue and lost profits for your business.
Threats to customers’ information
It is undeniable that criminals are working very hard to access business computer networks every minute of every day. They hack into networks to steal sensitive information or install spyware and malware that collect information and pass it back to the hacker.
Business professionals cannot keep an eye on their computing devices 100% of the time. Furthermore, computers and equipment get stolen from businesses and homes every day, giving people with evil intent potential access to business information.
Larry Alton further warns that the increasingly popular practice of using mobile devices for business activities (which 84% of smartphone users do), such as running card transactions and storing sensitive information, increases the risks to a business’ storage of users’ personal data, because big data collection means nothing stored on a smartphone is private. An AVG Technology study’s finding that 90% of businesses were unaware that such smartphone risks existed is even more worrying.
Costs of insecure information
Sensitive information in the wrong hands could be used for a variety of criminal activities including identity fraud, applying for mortgages and loans, and blackmailing customers or businesses.
To get a picture of the catastrophic damage that information security failures cause, take a moment to think about how hackers could use 32 million customer profiles stolen recently from the two Avid Life Media Inc. websites: Ashley Madison, the website for cheating spouses; and the Established Men website that promises to connect beautiful young women with rich sugar daddies “to fulfill their lifestyle needs”.
These are some of the many damaging consequences of the hacks by a group calling itself the Impact Team:
- Demand that both websites be taken down permanently in all forms.
- Publish all customer profiles with their secret sexual fantasies.
- Publish credit card transactions with real names and addresses.
- Publish employee documents and emails.
- Marriages and relationships destroyed.
- Avid Life Media Inc CEO Noel Biderman has resigned
- Avid Life Media sued for emotional distress
- 2 customers so far have committed suicide.
Scott Baldwin succinctly describes the effects and costs to businesses if someone gets access to your information as follows:
“Regardless if they obtained business information or personal information, they may have adequate information to launch a successful social engineering attack against you, your friends, co-workers, business partners, or clients. You may have intellectual information saved on your computer that is valuable to others. The loss of intellectual or proprietary information cost companies millions every year”.
Put simply, information security failures cost customers and businesses in many ways.
Users’ concerns and demands that small businesses take action to protect sensitive information are backed up by legislation in the Data Protection Act 1998 as you will now see.
Data Protection Act 1998
The Data Protection Act, which applies to all businesses in the UK, states that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
While the law does not specify what is ‘appropriate’, businesses have a duty to take all applicable steps that are necessary to ensure that customers’ information is accessed only by authorised people, is not damaged, lost or destroyed. Breaking the data protection rules can lead to fines of up to £500,000, as well as seriously damage a business’ reputation and lead to loss of trust by customers and prospects.
Why small businesses fail at information security
Although we all know information security is important, both in business and personal lives, many small businesses are still not taking all of the necessary steps to ensure their users’ information is collected and stored securely.
I have never observed or heard any of my small business clients mention the extra steps they take in relation to security of customers’ information, which tells me that they are either wishing their legal and moral duties away or they wrongly believe that information security threats do not apply to them.
Here are two possible reasons for this oversight:
- Small business owners/managers do not know enough about the information security risks to their information or methods to address them.
- Small businesses are stuck in a conflict between making the business flexible, lean and agile on one hand, and the need to manage and control risk and to act in a considered and responsible way (Matt Palmer).
I strongly recommend small businesses accept that the security of their customers’ information is critical for their business success. Furthermore, information security should be built into your strategic plans and given the priority it deserves.
So what more should small businesses do to protect customers’ information?
Protecting sensitive information
There is no “one size fits all” solution to information security. The security measures that are appropriate for your business will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.
A good approach to information security requires several layers of security. A multi-layered strategy will help to ensure you have the right systems, practices and policies in place to collect, store and protect sensitive information.
The cost of implementing business security software may seem high, but when you consider the fact that 80 per cent of small businesses fail within the first 18 months, and a large reason for that failure is inadequate security, you should realise that the cost is worth it.
Let’s take a look at the 5 essential elements to protecting your business information and giving consumers faith that their sensitive information will be secure with you:
1. Secure Sockets Layer (SSL)
SSL is the web standard for encrypting the connection between a user’s web browser and an e-commerce website’s server, preventing eavesdropping, tampering and message forgery (Trustico). Consumers can see that a page is secure by the ‘https’ and the padlock displayed in their web browser’s address bar.
A survey found that 86% of online shoppers feel more confident entering personal information on sites that display this type of security indicator. Search Engine Land says that search engines are also increasingly giving sites with these signals higher rankings in organic search results, although the effect is minor in the overall rankings algorithm.
SSL certificates, which cost around £100, are typically used on webpages where users enter their personal information, such as the shopping cart, registration and sign-up pages.
You can test whether your website users’ personal information page is secure at https://www.whynopadlock.com.
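A page can be served over https and still lose its padlock if it loads scripts or images over plain http, or if its form submits to an http address. The following check is an added example, not part of the original post; the domain names and the sample sign-up page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute causes a sub-resource load or a form submission.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}


class PadlockAudit(HTMLParser):
    """Collects insecure references found in one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not loaded as sub-resources
        value = attrs.get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        resolved = urljoin(self.page_url, value)  # resolves relative and // URLs
        if urlparse(resolved).scheme != "http":
            return
        kind = "insecure-form" if tag == "form" else "mixed-content"
        self.findings.append((kind, tag, resolved))


def audit_page(page_url, html):
    """Return findings; a page that is not served over HTTPS fails outright."""
    if urlparse(page_url).scheme != "https":
        return [("page-not-https", "page", page_url)]
    parser = PadlockAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a sign-up page on a placeholder domain.
SAMPLE_URL = "https://shop.example/signup"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="http://cdn.example/tracker.js"></script>
</head><body>
  <img src="//img.example/logo.png">
  <form action="http://shop.example/register" method="post">
    <input name="email"><input name="dob">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind}: <{tag}> -> {url}")
```

An empty result means every reference on the page resolves to https; the insecure-form finding matters most, because that is where the personal information actually leaves the browser.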
2. Technical security systems
Small businesses should consider having two types of technical security systems:
Intrusion Detection Systems (IDS)
An Intrusion Detection System (IDS) is a software application that monitors network or system activities for malicious activities or policy violations and produces reports for an analyst, who decides whether each one is an attack and responds appropriately.
You can think of IDS like a hyper alert guard dog – it should bark loudly when someone enters your property, but it is up to you to identify the intruder, establish whether they are authorised and/or up to no good and then respond appropriately.
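To make the "bark, then you decide" idea concrete, here is a small detection rule run over login records. It is an added example, not code from the original post or from any IDS product; the log format, the five-failures-in-five-minutes threshold and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed threshold: tune to your own traffic
MAX_FAILURES = 5                # failures per source inside WINDOW before alerting


def parse_line(line):
    """Parse 'ISO-timestamp event key=value ...' into (time, event, fields)."""
    stamp, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), event, fields


def detect(lines):
    """Return (severity, source, reason) alerts; the analyst makes the call."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()               # sources that already raised a burst alert
    alerts = []
    for line in lines:
        when, event, fields = parse_line(line)
        src = fields["src"]
        window = recent[src]
        while window and when - window[0] > WINDOW:
            window.popleft()      # forget failures older than the window
        if event == "login_failed":
            window.append(when)
            if len(window) >= MAX_FAILURES and src not in flagged:
                flagged.add(src)
                alerts.append(("medium", src, "failed-login burst"))
        elif event == "login_ok" and src in flagged:
            # A success right after a burst may mean a guessed password.
            alerts.append(("high", src, "success after burst"))
    return alerts


# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2015-09-01T09:02:11 login_failed user=jane src=198.51.100.20
2015-09-01T09:02:19 login_ok user=jane src=198.51.100.20
2015-09-02T02:14:01 login_failed user=admin src=203.0.113.9
2015-09-02T02:14:03 login_failed user=admin src=203.0.113.9
2015-09-02T02:14:05 login_failed user=root src=203.0.113.9
2015-09-02T02:14:08 login_failed user=jane src=203.0.113.9
2015-09-02T02:14:10 login_failed user=jane src=203.0.113.9
2015-09-02T02:14:30 login_ok user=jane src=203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for severity, src, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {src}: {reason}")
```

The single mistyped password from 198.51.100.20 raises nothing, while the burst from 203.0.113.9 is flagged and the later successful login is escalated for a person to investigate.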
Encrypting user information
Encryption is the transformation of text into unreadable cipher-text. It typically involves substitution of characters with different characters, and permutation, which changes the order of the characters (Scott Baldwin).
Encrypting users’ sensitive information can help to ensure that personal information cannot be read if it falls into the wrong hands.
Some encryption programs (usually free programs) can encrypt files but not folders. So if you only have a few files you need to encrypt, then this could be the right solution for you. Most commercial encryption programs can encrypt files and folders. Some will even encrypt entire disk partitions.
The best commercial encryption programs today use the 256-bit Advanced Encryption Standard (AES), for which it is claimed that, without the right key, billions of computers running simultaneously would not be able to decipher your data within the lifetime of the universe.
It is important that the encryption program you choose is unobtrusive and easy to use; otherwise it will not get used, and will therefore leave information unprotected.
Good encryption programs cost between £20 and £50, including Folder Lock 7, rated as the best encryption software by Encryption Software Review. VeraCrypt is a free encryption program recommended by Lifehacker.
While encryption is not 100% fool-proof, it is better than leaving your files out in the open (Lifehacker). This may well be your last line of defence if your other security controls become compromised.
Your information security strategy should include both physical and technical security controls. We will now move on to the physical security of customer information.
3. Physical security
The physical security of your business and users’ information is as important as your security systems to protect electronic information. You should examine all aspects of the physical security of your business, including your location, having adequate locks and lighting, as well as visible security measures such as CCTV.
Considering that many security incidents are the result of theft or of hard copy records being left abandoned, it makes sense to focus on the safe storage of your business’ information by implementing these 4 essential steps:
- Establish a culture for clearing workspaces/desks at the end of every workday so that sensitive information cannot be stumbled upon.
- Lock sensitive information in a room in locked cabinets with strict access controls to the keys. Always remove keys at the end of every working day and store them in a locked closet elsewhere in the building.
- Collect all paper waste in secure bins and shred them on-site at the end of each day. Recycling services can help to ensure shredded information is recycled securely, while providing a paper trail to show that business information is destroyed securely.
- If employees use laptops at their desks, they should take the laptops with them when they leave or secure them to a permanent fixture with a cable lock, such as the one at Lockout-lock. Motion sensing alarms such as the one at Amazon are also available to alert you if your portable equipment is moved.
These are just some of the many physical security measures that small businesses need to consider to keep their equipment and physical security of users’ information secure, ensure only authorized people can access them and dispose of sensitive records properly.
4. Roles, responsibility and management
One of the keys to small businesses implementing security measures and keeping on top of information security is identifying a person or team in your business to take responsibility for information security measures on a day-to-day basis.
The person(s) should look at the information security threats to your business as a whole, and plan accordingly. The nominated person(s) must also have the authority and resources to perform the information security role effectively.
Some of the more important tasks for this person(s) include:
- Carry out a risk assessment of the business’ information security threats and devise strategies to act on the findings.
- Write procedures for your staff to follow.
- Organise information security training for staff.
- Respond to information security breaches.
Your business’ information security is everyone’s business!
While the person(s) responsible for information security will have overall responsibility for strategy and implementation, it is your staff who will be using the equipment and systems that contain customers’ sensitive information. So they have to implement your business’ information security policies and procedures without exception.
Computer Weekly advises that:
“Getting the information security message to staff and managers is like running a political campaign. It requires constant reinforcement for key messages, visible response to critical events, countering negative behaviour, and a problem-solving approach”
Disclosure by staff of mis-management, illegality or some other wrong doing with regard to information security should be encouraged and actively supported by senior management.
Information security breach
A key aspect of meeting your Data Protection Act duties, emphasized in the 7th Data Protection Principle, is ensuring your business has effective processes in place to detect and report information security breaches – a breakdown in information security that leads to real or potential exposure of users’ information to unauthorized people.
Regardless of how the breach occurs, you must respond to and manage the incident appropriately. The response to the incident should include a recovery plan and, where necessary, procedures for damage limitation, informing customers who may be affected about the information security breach, and notifying agencies like the Information Commissioner’s Office (ICO), Police and media.
The Policy acts as your plan to keep users’ information safe, without which you would be operating in the dark, with no idea of what success looks like.
As the Policy is the most visible element of your information security measures that customers and prospects will see, it should be prominently displayed on your website. Without it, visitors could well go to competitors they trust more.
Developing a Data Protection policy should not be daunting as the document essentially describes your business’ approach to collecting, using, sharing and storing sensitive information.
Advances in technology enable businesses to collect, process and share a lot of information about customers and prospects, more easily. This has obvious benefits in terms of being able to be responsive. However, it also gives rise to greater security threats to sensitive information.
The legal, ethical and commercial imperatives for small businesses to collect, process and store users’ sensitive information securely are multi-faceted, as you have seen. Consequently every business should assess its potential security weak points and develop adequate strategies and procedures to mitigate them.
Secure collection of user information is just the beginning. Technological solutions including encryption and intrusion detection software ensure that information you collect is stored securely and cannot be read if it falls into the wrong hands. Safety-focused roles, procedures and policies provide additional vital layers of protection.
There are many benefits to getting your business’ information security right, including helping to standardise processes, reduce errors and failures, build credibility, and meet compliance and regulatory requirements (Matt Palmer).