Today’s businesses run on data. They collect it from customers with every interaction and use it to improve efficiency, increase agility, and deliver higher levels of service. But it has become painfully obvious that all of the data companies collect has also made them attractive targets for cybercriminals.
With each passing day, the evidence of this grows. Over the past few months, we have witnessed massive data breaches targeting Neiman Marcus, Facebook, and the stock trading app Robinhood. And they are hardly alone. In recent years, the number of data breaches around the world has averaged nearly three per day.
This statistic suggests that the average business has a target on its back and is running out of time to mount a data defense. Yet it doesn’t have to be difficult. To help, here’s a simple five-step framework that businesses of all sizes can use to protect customer data.
Step one: review and adapt data collection standards
The first step businesses need to take to increase the security of their customer data is to consider what types of data they collect and why. Most companies that undertake this exercise end up being surprised by what they find. Indeed, over time, the volume and variety of customer information collected extends far beyond a company’s original intent.
For example, it’s quite common to collect things like a customer’s name and email address. If that’s all a business has on record, it won’t be an attractive target for an attacker. But if the business runs a cloud-based call center or any kind of contact-intensive sales or customer support cycle, it is likely collecting personal addresses, financial details, and demographics, which together form a perfect kit for identity theft if the data ends up in the wild.
So, when evaluating each data point collected to determine its value, companies should ask themselves: does this data facilitate a critical business function? If the answer is no, they should purge the data and stop collecting it. If there is a valid answer, but the function it serves is not critical, the business must weigh the benefits the data creates against the harm it would suffer if the data were exposed in a breach.
Step two: minimize access to data
After reducing the amount of data to protect, the next step is to reduce the data attack surface by minimizing who has access to it. Access controls play a disproportionate role in data protection, as the theft of user credentials is the primary means by which malicious actors break into protected systems. For this reason, organizations must apply the principle of least privilege (PoLP) to their data repositories as well as to the systems that connect to them.
Minimizing data access has another beneficial side effect: it helps prevent insider threats from causing a data breach. Research firm Forrester predicted insider threats would lead to 31% of breaches this year, a number that will only increase from there. So, by keeping sensitive customer data out of the reach of most employees, businesses address internal and external threats at the same time.
Step three: eliminate passwords wherever possible
Even after reducing the number of people with access to customer data, there is yet another way for businesses to make it harder for hackers to gain access. And that is to eliminate passwords as the primary authentication method whenever possible. It’s a small change that can make all the difference.
According to the Verizon Data Breach Investigations Report 2021, 61% of all data breaches last year involved the use of credentials, whether stolen or not. So it logically follows that the fewer passwords there are to steal, the less there is to worry about. And there are several ways to reduce reliance on conventional password authentication systems.
One is the use of two-factor authentication. This means that accounts require both a password and a time-limited security code, typically delivered through an app or text message. An even better approach is the use of hardware security keys. These are physical devices that rely on cryptographic credentials rather than shared secrets to control access to data. With their use, the threats of phishing and other social engineering attacks are greatly reduced. This is the most secure authentication method available today, at least until solutions like Hushmesh become mainstream.
Step four: encrypt data at rest and in motion
While it’s true that compromised credentials are by far the biggest cause of data breaches, they aren’t the only threat. It is still possible for an attacker to exploit a software vulnerability or other security weakness to bypass normal access controls and reach customer data. Worse yet, such attacks are difficult to detect and even more difficult to stop once in progress.
This is why the fourth step in any competent data protection plan is to ensure that all customer data remains encrypted at all times. This means using applications that apply strong encryption to data as it passes through them, hardware and network components that encrypt data in transit, and a storage system that encrypts data at rest. This minimizes the data an attacker could read without valid credentials and helps limit the damage in the event of a breach.
Step five: develop a data breach response plan
No matter how you look at it, there is no such thing as perfect cybersecurity. Attackers are always at work looking for weaknesses to exploit. Companies that prepare well will eliminate or minimize a lot of them. But that doesn’t mean that a data breach will become impossible.
That’s why the final step in the customer data protection framework is to develop a data breach response plan. This should give the business a roadmap for responding if an attacker gains access to customer data. The plan should spare no detail: it should explain how internal IT teams should respond, who the third-party security consultants are, and how customers should be notified of the breach.
And this last part is probably the most important. In the aftermath of a data breach, how a business goes about protecting its customers can determine how well it bounces back, if at all. For example, it might be a good idea to partner with a consumer security company like Aura to provide affected customers with financial fraud protection and identity protection following a breach. This will reduce the risk of subsequent events that could further damage the company’s reputation.
The bottom line
The simple fact is that businesses which haven’t yet experienced a data breach are running on borrowed time, and the odds are stacked against them. But applying the framework detailed here will go a long way toward turning the odds in their favor. It will minimize the risk of a data breach, limit the possible damage, and help the business cope with the consequences. In the imperfect world of cybersecurity, there isn’t much more a business can ask for.