How to avoid being a target for digital thieves

When it comes to protecting your small business from a security breach, a proactive approach is the most effective. Two fraud experts explain what to do if your garden center is compromised and how to prevent being hacked in the first place.


From Home Depot to Target, many corporations have inadvertently welcomed hackers into their databases. In addition to compromising personal data and putting customers at risk, these companies have further alienated clients with slow, inadequate responses to the crisis. While your independent garden center may not pull in Sony-level revenues, you could still be the victim of a breach. Here’s how to avoid being a target.

Understand the threat

“We are living in a world where breaches are the third certainty in life,” says Adam Levin, founder and chairman of Identity Theft 911, an identity protection and data risk services company. “You can put off the day of reckoning, but this is becoming an inevitability. Every business will have a breach at some point.”

Gary Cardone, CEO and cofounder of risk management company Chargebacks911, agrees. “In order to reduce cases of identity theft, it takes vigilant effort on behalf of both the consumer and business owner,” he says. Criminals are flocking to the Internet, and card theft is their biggest attraction.

The best defense means slowing a hacker down and limiting the amount of information they can access. Levin suggests following the three M’s: minimize, monitor and manage.

Minimize the risk of exposure

The first step in minimizing risk is to work with an outside security firm that specializes in data breaches and risk management. “It’s a smart idea for a business to do a risk assessment,” Levin says. “Bring in someone from the outside world to help you develop and implement security protocols. The company will look at your threats, vulnerabilities, if you’ve had a breach and where you’re at risk of being compromised.”

Another important piece of the puzzle is asking about a cyber liability or cyber insurance policy. If your current insurance provider doesn’t offer one, Levin suggests shopping around, as many of the larger insurance companies do. Minimizing the risk also means:

Segment all internal systems so that your POS system isn’t connected to your customer database or even your temperature control systems. A hacker can often find a way to steal credit card information by entering through another system. Additionally, always follow Payment Card Industry (PCI) compliance protocols and encrypt credit card and cardholder data. Two-factor authentication should be used so that employees are alerted if someone tries to use their login to access a system.

Educate your employees. Don’t allow anyone to plug unsecured devices (phones, tablets, computers, etc.) into your systems or connect them to your Wi-Fi. Complete background checks on employees who have access to sensitive information, and prohibit everyone from sharing login information. Not every employee needs access to every system. One trustworthy person should be designated the compliance officer; this employee is notified first when something seems wrong.

Practice the response. All staffers should know how to act in the event of a breach, and the response should be rehearsed the way you would a fire drill. As Levin puts it, “Employees are often the hacker’s first line of attack. The security system is only as effective as its weakest link. Your employees can be the equivalent of the disinterested bouncer who will let anyone into the club or Paul Revere and a first responder.”

Require compliance from the vendors and partners you work with. They should follow the same security protocols for their systems and employees that you’ve demanded of your own business. These policies need to be upheld both internally and externally.

Monitor your data

One thing is certain: If a hacker wants to steal personal data, she will find a way. That’s why monitoring your secure systems is just as important as setting them up in the first place. Cardone suggests regularly monitoring data channels and checking the logs of your database programs for suspicious IP addresses. Remember to keep data only as long as you need it; the IRS, the Federal Trade Commission and other agencies publish retention guidelines. Once that retention period has passed, destroy the data properly.

Manage your damage

It would be a shame to damage the positive relationships you’ve built with your customers by botching the breach response. Outside security and risk management companies can (and should) help with this. These companies will not only manage the technological side, but they’ll also work with customers to minimize their personal risk and deal with the media. Denying there’s a problem or responding slowly is the surest way to alienate your customers. Managing the damage also means:

Act immediately. Alert the local authorities and your insurance company at the first sign of a breach. Contact your cardholders and customers as soon as you know what happened.

Act appropriately. Advise customers to change their passwords and point them to identity resolution services and additional assistance, such as credit card monitoring. Make sure customers have a phone number to call to find out how to proceed.

Engage the media. Don’t be afraid to issue a press release or talk to reporters about what you’re doing to correct the problem. Shying away from the media means you’ll miss an opportunity to apologize, take responsibility and assure the public you’re doing everything you can.

A hack is never a welcome occurrence, but it doesn’t have to mean going out of business. With the proper protocols and an effective response, you can keep your customers safe.



Karli is a freelance writer, editor and marketing professional living in Portland, Ore.

April 2015