3 simple steps to help you better protect customer data
The more we buy and transact online, the more our personal data is shared and stored with organisations. But there’s a trade-off; while it’s more convenient, we’re also trusting businesses to keep our data secure. Here we help you understand what data might be at risk, how you can better manage it and help to keep it more secure.
Why do I need to protect customer data?
Stolen customer data can be highly lucrative for cyber criminals, which means you need a plan in place to manage and protect it.
Without customer data, many organisations would struggle to operate. And if your customer data is stolen or compromised it could interrupt your business continuity or have significant financial or reputational impacts. You might also need to consider regulatory implications of data breaches and the potential for associated penalties on your business.
In Australia, a cybercrime is reported every seven minutes, with fraud, online shopping and online banking making up 54 per cent of all reports, according to the ACSC annual cyber threat report.
What customer data is sensitive?
Most, if not all, businesses collect customer data. To be proactive in protecting the customer data that could be most at risk, it’s important to consider what cyber criminals might be looking for. The challenge is understanding what’s sensitive and how to secure it. What appears innocent to most could be regarded as ‘digital gold’ to a cyber criminal.
Bank or credit card details are the most obvious forms of sensitive data. The link to financial loss is easily made. But names or email addresses you might collect for a customer newsletter could also be regarded as sensitive. A data breach of this type of information could put your customers at higher risk of phishing scams.
While a cyber criminal may not be able to take immediate advantage, the pieces could form part of a larger puzzle, which could be used later for financial gain.
The types of data cyber criminals might be after can include:
- Personal data such as names, dates of birth, and identity documentation such as driver’s licence details,
- Transactional data such as purchase history or credit card information,
- Contact details such as email addresses or home addresses,
- Unencrypted passwords.
Do I need to collect and store all customer data?
It may be tempting for business owners to collect as much customer data as possible to help improve operations or experiences. But collecting and keeping data ‘just in case’ can potentially create unnecessary risks for your business.
In each case where you collect data, be clear on how you will use it, if and how you will store it, and how you will protect it. For example, if you need to verify someone’s identity using a driver’s licence, you should store this sensitive data securely if you need to retain it to meet regulatory or other requirements.
The type of data you need to collect and store is dependent on your business needs. Ask yourself, ‘If we didn’t collect this data, would it impact our ability to operate?’ Repeating this exercise a few times a year will help you understand what’s important, and what’s not.
How do I protect customer data?
Protecting customer data is an ongoing battle against the increasingly sophisticated techniques of cyber criminals. But there are a few simple steps you can take to help make your business less of a target.
1. Audit your customer data
You can’t manage what you can’t see. Knowing what customer data you have and where it’s stored is an important first step.
When auditing, consider each data collection and storage point. Begin by understanding all the methods your business uses to collect customer data. Obvious places are website forms and any systems you use to manage online transactions.
Things can become harder when you have to consider third-party applications, smartphones, emails and even calendars. These could contain customer locations, messages, contact details and even photos.
You might have customer data stored across a wide range of devices including laptops, external hard drives, USB storage devices and smartphones. If this is the case and you’re not adequately protecting all those devices, you may be putting your data at unnecessary risk.
You may also have customer data lingering in application test environments as a by-product of designing new apps. These environments are typically less secure and may be forgotten after a project. Use fake customer data in these environments.
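As an added illustration of the audit step (not part of the original article), the Python script below walks a folder and flags files that appear to hold email addresses or card numbers, using a Luhn checksum to discard digit runs that are not card numbers. The function names, patterns and sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Count likely email addresses and card numbers in one file's text."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {"emails": len(EMAIL_RE.findall(text)), "cards": cards}

def audit_tree(root):
    """Walk root and return {relative_path: counts} for files with findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            counts = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        if any(counts.values()):
            findings[path.relative_to(root).as_posix()] = counts
    return findings

def demo():
    """Constructed sample tree: one export with customer data, one harmless note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Desktop" / "customers.csv").write_text(
            "name,email,card\nA Sample,a.sample@example.com,4111 1111 1111 1111\n")
        (root / "notes.txt").write_text("Order ref 1234567890123456 shipped Tuesday\n")
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

The script reads files as plain text, so it suits CSV and text exports; compressed formats such as .xlsx need to be opened with a suitable parser before their contents can be checked.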
2. Clean up your customer data
How many times have you seen a customer address file duplicated across multiple projects? Or discovered customer financial data in an Excel file, saved on an employee’s personal computer desktop?
If you don’t take a proactive approach to cleaning up your customer data, it might be impossible for you to know where customer data is saved. And you may also find it a lot harder to know if you’ve suffered a data breach. So, a key part of protecting your customer data is deciding what you really need to keep and where it should be stored, and then routinely deleting anything you no longer need. Remember to consider any regulation relevant to your business or industry when making these decisions.
You should also consider implementing a clear process and set of policies around customer data management. This can help ensure consistency and compliance when your business collects and stores individual data throughout the data journey. It can help you maintain good data hygiene – which means you’ll have less cleaning up to worry about in future.
3. Centralise your customer data and control access
Customer data should be stored in a secure, centralised location with appropriate security protocols applied. Access to that data should then be carefully considered. Not everyone needs access to all customer data. For example, do regular staff require wide-ranging and administrative access to do their jobs?
Think about what data access is needed based on the job roles and responsibilities of each team member and then set up the minimum amount of access to support them. The more access given, the greater the impact should any one of those accounts be compromised. Granting access based on minimum requirements reduces risk.
Also consider the devices and networks you and your team use to access customer data, and be sure that stored customer records cannot be inadvertently accessed over the internet. You can explore further cyber security solutions to help increase security of those devices and networks as part of your risk management strategy.
Take a proactive approach to becoming more cyber secure
Trust can take years to build and minutes to destroy. If customers are willing to part with their most sensitive data, then it comes with a responsibility to keep it secure.
Taking a proactive approach to becoming more cyber secure is a critical part of any business strategy. Invest some time today in learning how to get the basics of cyber security right – it’s a worthwhile investment of your time.
Help fight security breaches
Sign up for Cyber Wardens, a program from the Council of Small Business Organisations of Australia (COSBOA) that aims to educate businesses like yours on how to help fight online threats.