Recent headlines show that the threat against customer data is alive and well. Massive attacks on databases at Sony and Epsilon show that big companies with enough money to buy the right kind of security don't necessarily have an advantage. Clearly, antivirus, firewall, and other security technologies aren't enough. Companies need to think carefully about how and where they are storing customer data, who has access to it, and how to prevent prying eyes from stealing the data, sharing it with other cybercriminals, and using it to manipulate customers through email phishing attacks.
1. Limit access to customer PII
Companies today have an open culture when it comes to data. But that policy shouldn't be consistent across all data types, particularly personally identifiable information, or PII. In our company, we recently reviewed who has access to our customer database and noticed that not all of the authorized users needed access to certain types of data. As a result, we have pared down access to just a few employees.
2. Bulletproof your security software and your network
Protect customer data as you would financial data. Organizations can refer to publicly available guidelines, such as those published by the PCI Security Standards Council. Encrypt all of your customer information at the database level to keep unauthorized users from reading it if they get into your systems. You may also want to consider tokenization, which provides a higher level of security. Often used for e-commerce transactions involving credit card data, tokenization replaces sensitive data with unique identification symbols (tokens) so that the PII itself stays out of the data stream.
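To make the tokenization idea concrete, here is an added example (not code from the article or from Pardot) of a minimal token vault: the application database keeps only a random token and the last four digits of a card number, and the real number lives solely inside the vault. The vault here is in memory and its `index_key`, card numbers and order records are constructed sample values; a production vault would encrypt its store and sit in a separately secured, PCI-scoped system.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap sanity check that a string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject values that cannot be a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return digits


class TokenVault:
    """The only component that ever holds real card numbers (constructed example).

    Everything outside the vault stores and passes around the random token instead,
    so a dump of the application database yields no PANs.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key                       # secret key for the dedup index
        self._token_to_value: Dict[str, str] = {}
        self._fingerprint_to_token: Dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        # Keyed hash lets the vault return the same token for the same card
        # without keeping a plaintext lookup table of card numbers.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._fingerprint_to_token.get(fp)
        if token is None:
            # Random token: it carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(16)
            self._fingerprint_to_token[fp] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step should ever call this; raises KeyError for unknown tokens."""
        return self._token_to_value[token]


def store_order(vault: TokenVault, order: dict) -> dict:
    """Return the record the application database keeps: token and last four, never the PAN."""
    pan = normalize_pan(order["card_number"])
    return {
        "order_id": order["order_id"],
        "customer_email": order["customer_email"],
        "amount": order["amount"],
        "card_token": vault.tokenize(pan),
        "card_last4": pan[-4:],   # enough for receipts and support, useless for fraud
    }


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    order = {"order_id": "A1", "customer_email": "buyer@example.com",
             "amount": 42, "card_number": "4111 1111 1111 1111"}  # constructed test number
    record = store_order(vault, order)
    print(record)
    print("charging", vault.detokenize(record["card_token"])[-4:])
```

The design point is where the trust boundary sits: marketing, analytics and support tooling work from `card_token` and `card_last4` and never need `detokenize`, so access to the vault can be limited to the one service that actually charges the card.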
Another option is to deploy anti-phishing software, which can secure the email channel by blocking malicious emails purporting to be from you. The software does this by checking for proper email authentication and issuing alerts when fraudulent activity is detected. These are just a few examples of the kind of security protections you need for customer data. A third-party security audit of your systems and processes can evaluate your infrastructure, provide recommendations, and issue annual certifications.
3. Require that partners and vendors with access to customer data also have the best available protection
Agencies, software firms, and email service providers should have the same (if not better) controls as your company. For instance, if you use a marketing automation solution for campaign generation and tracking, your provider should offer IP address restrictions so that only users connecting from within your firewall can access customer data and email addresses. Anyone connecting from an external IP address is then locked out even if they have obtained a password and attempt to log in to a customer database. If any of your partners stores customer data for you, understand exactly how they are securing their information systems and handling access control.
4. Get the help of a lawyer
If a breach occurs, your company could be on the hook for thousands or millions of dollars in lawsuits and other fees to your customers. What type of protections can you build into your services to prevent financial disaster, and what guarantees do you need to provide to customers if their data is compromised, lost, or stolen? The same questions apply to your marketing vendors: what are their obligations if a breach occurs in their systems? These could include legal fees and other financial penalties. Have your lawyer draft the appropriate language for your Web site, customer documentation, and vendor contracts.
5. Educate your employees
Developing policies and providing regular training for employees who handle customer data is imperative. Consider adding internal security measures to protect against the possibility of social engineering incidents. These are situations in which, for example, an employee who has access to your data has his or her account password stolen. In many cases, if that password was stolen, other passwords, such as an email password, may have been stolen as well, so a simple email verification link won't be secure enough. To minimize risk in this situation, consider requiring employees to use a two-step verification process to access your data. For instance, employees logging in to your application from a new location would have to enter a code sent to their cell phone and also answer a security question before gaining access. This process is similar to the standard used by many financial institutions.
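The two login controls described in tips 3 and 5 can be expressed as one small policy: a hard IP restriction for a vendor portal that holds customer data, and a step-up challenge (one-time code to the phone plus a security question) whenever a correct password arrives from a location the system has not seen for that employee. The code below is an added example, not Pardot's or the article's own; the network ranges, the `/24` notion of "location", the employee records and the `send_code` delivery callback are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

# Constructed: networks from which a customer-data portal may be reached at all (tip 3).
CORPORATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
OTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for passwords and security-question answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def from_corporate_network(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def location_key(source_ip: str) -> str:
    """Coarse 'location' used for the new-location check: the /24 the address sits in (assumption)."""
    return str(ipaddress.ip_network(f"{source_ip}/24", strict=False))


@dataclass
class Employee:
    username: str
    salt: bytes
    password_hash: bytes
    answer_hash: bytes                 # security-question answer, normalised to lower case
    phone: str
    known_locations: Set[str] = field(default_factory=set)
    pending_code: Optional[str] = None  # one-time code awaiting verification


def new_employee(username: str, password: str, answer: str, phone: str) -> Employee:
    salt = secrets.token_bytes(16)
    return Employee(username, salt, hash_secret(password, salt),
                    hash_secret(answer.strip().lower(), salt), phone)


def begin_login(emp: Employee, password: str, source_ip: str,
                require_corporate_network: bool,
                send_code: Callable[[str, str], None]) -> str:
    """Returns 'denied', 'allowed' or 'step_up_required'."""
    if not hmac.compare_digest(hash_secret(password, emp.salt), emp.password_hash):
        return "denied"
    # Tip 3: outside the company's networks a stolen password alone is useless.
    if require_corporate_network and not from_corporate_network(source_ip):
        return "denied"
    # Tip 5: a correct password from a never-seen location is not enough by itself.
    if location_key(source_ip) not in emp.known_locations:
        emp.pending_code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        send_code(emp.phone, emp.pending_code)   # SMS delivery is the caller's job here
        return "step_up_required"
    return "allowed"


def complete_step_up(emp: Employee, code: str, answer: str, source_ip: str) -> str:
    """Second step: the phone code and the security answer must both be right."""
    if emp.pending_code is None:
        return "denied"
    code_ok = hmac.compare_digest(code, emp.pending_code)
    answer_ok = hmac.compare_digest(hash_secret(answer.strip().lower(), emp.salt), emp.answer_hash)
    emp.pending_code = None   # one attempt per code, whether or not it succeeded
    if not (code_ok and answer_ok):
        return "denied"
    emp.known_locations.add(location_key(source_ip))   # remember the location for next time
    return "allowed"


if __name__ == "__main__":
    alice = new_employee("alice", "correct horse battery", "Rover", "+1-555-0100")  # constructed
    sent = []
    print(begin_login(alice, "correct horse battery", "10.1.2.3", True, lambda p, c: sent.append(c)))
    print(complete_step_up(alice, sent[-1], "rover", "10.1.2.3"))
    print(begin_login(alice, "correct horse battery", "10.1.2.99", True, lambda p, c: sent.append(c)))
```

Two details matter for the failure mode the text describes. Both factors are checked before any state changes and the pending code is discarded after a single attempt, so a stolen password plus a guessed answer does not buy unlimited tries at the code. And the location is recorded only after the step-up succeeds, so an attacker who never completes it never turns their own address into a "known" one.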
Adam Blitzer is cofounder and CEO of Pardot, in Atlanta.