Data breaches can be expensive. Yahoo is the latest company to feel the fallout from a data breach. After two record-setting breaches affecting a total of 1.5 billion customer accounts, the search engine company is now facing not only a class-action international lawsuit, but also the prospect of Verizon pulling out of a $4.8 billion deal. Nearly nine out of ten organizations have experienced data breaches, according to last year’s annual Ponemon Institute benchmark study. The average cost of a data breach rose to a record $3.8 million in 2015, equivalent to $145 to $154 for each stolen record.
Larger companies like Yahoo may be able to absorb costs like this and survive, but for a smaller company, this type of crisis can mean going out of business. Here are five tips for protecting your e-commerce data so that your customers stay safe and you stay in business.
If You Can’t Protect It, Don’t Collect It
The surest way to avoid a data breach is not to collect data. You can greatly reduce the risk of a major breach by restricting your data collection to only the data that you truly need for marketing, sales and customer service. For instance, if your marketing strategy includes featuring an opt-in form to get customers on an email list, consider whether it’s truly necessary to collect anything more than a first name and an email address. When processing sales transactions, redirecting customers off your site to a third-party processing service will relieve you of the need to collect credit card data.
Secure Your Site and Connection
For the last couple years, Google has given ranking preference to sites that use a secure HTTPS protocol instead of the less-secure HTTP. This year, Google is stepping up the incentive to adopt HTTPS by explicitly warning customers when they’re about to transmit password or credit card data over an unsecure HTTP connection. A secure connection is vital to security. HTTPS uses stronger authentication along with encryption to provide enhanced security for data being transmitted. Setting your site up with an SSL certificate to provide HTTPS protection is a fundamental step for securing your website.
In addition to setting up your site with HTTPS, you should also set up a secure network connection such as a VPN connection to use when you and your employees connect to your site. VPN encrypts all traffic between your device and the Internet, whereas HTTPS only encrypts traffic between a browser and a particular site.
Use Up-to-date Encryption
When using encryption, it’s important to make sure your encryption is up-to-date, says Craig Spiezle of Online Trust Alliance. Most public email service providers rely on unsecure or outmoded encryption methods that leave data vulnerable. Current encryption methods use strategies such as decentralization and central key management to strengthen security. Make sure your IT team reviews your encryption on a regular basis to keep it current.
Secure Your Employees’ Devices
Employee devices can create vulnerabilities in your network, particularly if you have a BYOD policy. Making sure your employees’ devices are safe will help keep your network safe.
To do this, educate your employees about best security practices in addition to your company’s security policies and procedures. Establish policies for what types of devices, operating systems, browsers and software services your company will allow. Require employees to use a secure network when connecting to your server. Configure employee devices so that business and personal data are kept separate. Install remote wiping mechanisms that enable you to wipe out company data if an employee’s device is lost or stolen. Include an identity protection service such as LifeLock in your employees’ benefits packages.
Protect Your Customers
Protecting your customers is another essential part of securing your data. In addition to setting up HTTPS on your site, another way to protect your customers is through requiring strong passwords. Requiring passwords to use 12 to 15 characters will strengthen them significantly, says password security expert Mark Burnett.
You can further enhance the security of your customers’ passwords by implementing two-factor authentication. Use an email, phone call or text message to confirm registrations on your site and to authenticate password change requests.