Today's businesses run on data. They collect it from customers at every interaction, and they use it to improve efficiency, increase their agility, and provide higher levels of service. But it's becoming painfully obvious that all of the data businesses collect has also made them an enticing target for cybercriminals.
With each passing day, the evidence of that grows. In the last few months, we've witnessed massive data breaches that targeted Neiman Marcus, Facebook, and the Robinhood stock trading app. And they're hardly alone. In recent years, the number of data breaches worldwide has averaged close to three per day.
That statistic suggests that the average business has a target on its back and is running out of time to mount a defense of its data. And doing so doesn't have to be difficult. To help, here's a simple 5-step framework businesses of all sizes can use to protect their customer data.
Step One: Review and Adapt Data Collection Standards
The first step businesses need to take to increase the security of their customer data is to review what types of data they're collecting and why. Most companies that undertake this exercise end up surprised by what they find. That's because, over time, the volume and variety of customer information that gets collected expands well beyond a business's original intent.
For example, it's fairly standard to collect things like a customer's name and email address. And if that's all a business has on file, they won't be an attractive target to an attacker. But if the business has a cloud call center or any type of high-touch sales cycle or customer support, it probably collects home addresses, financial data, and demographic information. It has then assembled a collection that's perfect for enabling identity theft if the data gets out into the wild.
So, when evaluating each collected data point to determine its value, businesses should ask themselves: what critical business function does this data facilitate? If the answer is none, they should purge the data and stop collecting it. If there's a valid answer, but of a function that's not critical, the business should weigh the benefits the data creates against the possible harm they'd suffer if it were exposed in a breach.
Step Two: Minimize Data Access
After paring down the amount of data to protect, the next step is to reduce the data's attack surface by minimizing who has access to it. Access controls play an outsize role in data protection because the theft of user credentials is the primary way that malicious actors find their way into protected systems. For that reason, businesses need to apply the principle of least privilege (PoLP) to both their data repositories and the systems that connect to them.
And minimizing access to data has another beneficial side effect: it helps to prevent insider threats from causing a data breach. Research firm Forrester predicted that insider threats would lead to 31% of breaches this year – a number that will only grow from there. So, by keeping sensitive customer data out of most employees' hands in the first place, businesses are addressing internal and external threats at the same time.
Step Three: Eliminate Passwords Wherever Possible
Even after reducing the number of people that have access to customer data, there's still another way businesses can make it harder for hackers to gain access to it. And that's to eliminate passwords as a primary authentication method wherever possible. It's a small change that can make a world of difference.
According to the 2021 Verizon Data Breach Investigations Report, 61% of all data breaches last year involved the use of credentials, stolen or otherwise. So it logically follows that the fewer credentials there are to worry about, the better. And there are a few ways to reduce reliance on conventional password authentication systems.
One is the use of two-factor authentication. This means accounts require both a password and a time-limited security token, typically delivered via app or SMS. But an even better approach is the use of hardware security keys. They're physical devices that rely on unbreakable cryptographic credentials to control data access. With them in use, the threats of phishing and other social engineering attacks are greatly diminished. They're the best current secure authentication method, at least until solutions like Hushmesh go mainstream.
Step Four: Encrypt Data at Rest and in Motion
While it is true that compromised credentials are by far the biggest threat when it comes to data breaches, they aren't the only threat. It's always possible for an attacker to exploit a software flaw or other security loophole to bypass the normal access control methods and gain access to customer data. Worst of all, such attacks are both difficult to detect and even harder to stop once in progress.
That's why step four in any competent data protection plan is to ensure that all customer data remains encrypted at all times. This means using software that employs strong encryption as data passes through it, networking hardware and components that employ encryption, and a data storage system that allows for data encryption at rest. Doing this minimizes the data access an attacker could gain without credentials and can help contain the damage if a breach does occur.
Step Five: Develop a Data Breach Response Plan
No matter how you look at it, there's no such thing as perfect cybersecurity. Attackers are always hard at work looking for weaknesses to exploit. Businesses that prepare well will eliminate or minimize many of them. But that doesn't mean a data breach will become impossible.
That's why the final step in the customer data protection framework is to develop a data breach response plan. It should give the business a roadmap to help it respond if an attacker does gain access to customer data. The plan should spare no details – spelling out everything from how internal IT teams should react and who the go-to 3rd-party security consultants are to how customers are to be notified of the breach.
And that last part is quite possibly the most important. In the aftermath of a data breach, how a business goes about making its customers whole can determine how well it will bounce back, if at all. For example, it might be wise to partner with a consumer security firm like Aura to provide affected customers with financial fraud protection and identity protection in the aftermath of a breach. That will reduce the risk of any follow-on events that further damage the business's reputation.
The Bottom Line
The simple fact is that businesses that have yet to suffer a data breach are operating on borrowed time. And the odds are very much against them. But applying the framework detailed here will go a long way toward shifting the odds back in their favor. It will minimize the risk of a data breach, limit the damage if one does occur, and help the company deal with the aftermath. In the imperfect world that is the world of cybersecurity, there isn't much more any business can ask for.