3 Steps to Immediately Enhance Cyber Security During the Holidays

With the busiest retail month of the year now upon us, security breaches, such as the Target debacle last year, are on the minds of many consumers this year. Although these fears haven’t stopped the tide of online commerce, you don’t want to find yourself in a Target-style situation where you risk losing millions of dollars in profits and lawsuits, let alone untold capital in disgruntled customers (many of whom use social media to amplify their grievances) and reputation.

Here are three steps that can be implemented immediately, if you haven’t done so already.

1. Make sure your C-Suite, Legal Counsel, and Board of Directors understand your security strategy.

The Target breach taught us that your C-Suite, your Legal Counsel, and even your Board of Directors must have working knowledge of your company’s security strategy. I discussed this in more detail in my previous post, but let me reframe why doing so is crucial.

More often than not, the people asking the tough questions following a breach are not IT people—they are your customers, the media, federal and state regulators, and all the lawyers representing these various groups. If you cannot articulate your security program in terms that your non-IT people can easily grasp, you’re going to find yourself in hot water with the various circles outside your company. If you want to emerge from a crisis like this with any credibility, your general counsel must be able to describe how existing security controls are “reasonable and appropriate,” given the level of risk and the regulations involved.

2. Clearly state your privacy and security policy to your customers.

What sort of information are you collecting from your customers? How is it stored? What is your policy should a data breach occur? What types of security technologies have you implemented to protect them from hackers?

State these answers in your privacy policy so that consumers have a baseline for what they can expect from you. Let them know you’ve deployed the latest technologies, such as chip-and-PIN card processing and PCI compliance. Encourage the more paranoid of your customers to use two-factor authentication.

Writing out these points not only gives the end user a level of comfort (and may cause them to choose your storefront over a similar one without these policies in place), it also clarifies to you and those in your organization (see #1 above) exactly what measures you’ve put into place, which will make a difference should you ever find yourself in a situation that’s even remotely similar to Target’s.

3. Communicate with your customers.

Of course, posting your privacy and security policies doesn’t do your customers much good if they’re hard to find on your website. Instead, make sure that information is easily available (preferably in multiple places across your site), and provide an 800 number (or at least a list of FAQs) so that customers can get a good understanding of what’s involved and be reassured that you’re on top of everything.

Ultimately, you want to be as transparent as possible with your customers so that they trust you. And trust me, the clearer everything is for them, the clearer it will be internally. Most major breaches, including Target’s, resulted primarily from a lack of communication. The Target hackers were able to make their play because Target’s Minneapolis team failed to respond to an alert sent by their Bangalore team. And there’s just no excuse for that.