Organisations are increasingly going public with news of security attacks and data breaches, often notifying their customers directly, yet according to a recent study from Centrify, 75% of UK adults would stop doing business with a company if it was hacked. Put the other way, only 25% would continue a relationship with the company.
To some degree, most consumers expect businesses to be hacked today, with 73% in the UK saying that it has become normal or expected. Despite this, only half feel that businesses are taking enough responsibility for the security of their customers' or members' personal information.
Most individuals believe that security is the responsibility of the business. Here are five top tips on how a business can actively protect itself and reassure customers that security is central to its processes.
Good ‘password hygiene’
Passwords give attackers one of the easiest ways into an otherwise secure system, so educating customers on good password hygiene should be central to any business security policy. Advice such as not reusing passwords across multiple systems, choosing long passwords rather than short "complex" ones, and changing a password promptly whenever there is any sign it has been exposed should be standard. (Forcing routine changes on a fixed schedule is no longer recommended by current guidance such as NIST SP 800-63B, because it pushes people towards predictable variations; a change should be triggered by evidence of compromise.) Regular communication with the customer on best practice keeps password hygiene front of mind and gives both the customer and the business better protection and peace of mind.
An alternative to passwords
Creating and remembering passwords is a source of frustration for both the business and the customer, and in reality passwords alone offer inadequate protection against cyber attacks, data breaches and fraud. The answer is multi-factor authentication (MFA), which adds a second, independent layer on top of the password and is one of the best ways for companies to protect themselves against the leading cause of data breaches: compromised credentials. It is, however, crucial that MFA is supported consistently across the whole estate, including networks, users, devices and resources such as mobile apps, because an attacker will simply use whatever login path is left unprotected.
Multi-factor authentication requires users to prove their identity with a combination of factors when they access websites and online services. The first factor is typically something the user knows (a username and password, a PIN or a security question), followed by something they have, such as a one-time code generated by an authenticator app or hardware token on a mobile device, or sent to it by SMS. Codes sent by SMS are the weakest of these, since phone numbers can be hijacked through SIM-swap fraud, so an app- or token-generated code is preferable where possible. Other factors are something the user is, such as a fingerprint, retina scan or voice recognition, or a physical credential such as a smart card.
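As an added illustration (this is example code, not code from the article or from Centrify), here is the "one-time code generated by an app" factor described above, implemented as RFC 6238 TOTP on top of RFC 4226 HOTP using only the Python standard library. The key is the published RFC 6238 reference test key; the one-step drift window and the replay check are design choices of this example, not something the article specifies.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key (ASCII "12345678901234567890"), used here so the
# output can be checked against the RFC's published test vectors. A real
# deployment generates a random per-user secret and shares it once
# (for example via a QR code) with the user's authenticator app.
DEMO_KEY = b"12345678901234567890"
STEP = 30  # seconds per time step, the usual authenticator-app default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // STEP, digits)


def verify_totp(key: bytes, code: str, at: int, last_counter: int = -1,
                digits: int = 6, window: int = 1):
    """Server-side check of a submitted code. Returns the matching time-step
    counter (which the caller should store as the new last_counter), or None.

    - accepts +/- `window` steps to tolerate clock drift between phone and server
    - refuses any counter <= last_counter so an intercepted code cannot be replayed
    - uses compare_digest so timing does not reveal how many digits matched
    """
    counter = at // STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_KEY, now)
    print("current code:", code, "accepted at counter", verify_totp(DEMO_KEY, code, now))
```

The server must also rate-limit guesses: a six-digit code has only a million values, and the drift window multiplies the attacker's chances, so a small lockout after a handful of failures is what keeps brute force impractical.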
Clear internal security policies
Educating your own staff and having clear internal security policies are just as important as the measures in place for customers. So is controlling who has access to what data and granting privileged access only to those who need it as part of their job. Securing enterprise data outside the traditional security perimeter of the business is an ongoing challenge for IT departments. For example, how do they know that a device is adequately protected, and not about to infect the network with malware or leave a security hole that makes the company vulnerable to hacking? Then there is the issue of controlling and verifying who is physically using the device.
An ideal way to counteract this threat is to use an individual’s identity as the first line of defence rather than purely focusing on the corporate network. This means that there is a central point of control – regardless of what device is being used or whether the data is held on-premise or in the cloud. Mobile device identity and cloud user identity technology can leverage user and device information and put it into context, determining who has access to what application from which device and location.
Encryption of sensitive data
Businesses should ensure there is a process in place for encrypting sensitive data, such as their customers' cardholder data. For card payments this means point-to-point encryption, so that the card data is unreadable from the moment the card is swiped or tapped and throughout the transaction, and is only decrypted inside the payment provider's secure environment.
As well as offering reassurance that competitors who do not encrypt cannot match, encryption is not optional for card data: the Payment Card Industry Data Security Standard (PCI DSS) requires strong cryptography whenever cardholder data is transmitted over open, public networks, and requires stored card numbers to be rendered unreadable, with encryption being one of the accepted ways to do so.
Keep customers informed
Finally, should a business' site be hacked, it is important that customers are informed as soon as possible. Under the EU General Data Protection Regulation (GDPR), a business must notify its supervisory authority (in the UK, the ICO, the Information Commissioner's Office) of a personal data breach no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those individuals, the GDPR also requires the business to tell the affected people themselves without undue delay.
By Barry Scott, chief technology officer, Centrify EMEA