Are you keeping your customer information as secure as possible? If your answer is “I’m not sure,” it’s time make this a priority. After all, a data breach is not something you want to reckon with.
It’s time consuming and it can impact your bottom line. It could trigger legal reporting requirements and notifications to those whose data is breached (please check with your legal adviser). And because your customers trust you with their information every day, data breaches and fraud represent a threat to your business’s reputation as well. (Again, if you detect a breach, you should always reach out to your legal adviser.)
You may think data breaches only happen to large companies. The truth is, that it happens to businesses of all sizes. The SEC notes that one study found that 60 percent of all targeted cyberattacks happen to SMBs. And another study found that 60 percent of those businesses that are hacked go out of business within six months.
The first step to securing your customers’ data is to learn about data security. Data security is composed of practices and techniques that keep data from being accessed by hackers. It can come in the form of proprietary software or hardware (like firewalls) that detects suspicious activity as well as secure payment devices and constant monitoring of transactions.
Not sure where to go from there? We’ve put together a few tips to help you keep your customer data safe.
1. Know your data.
The first step is to make a list of all the customer data you collect or have on file. That means things like names, physical addresses, email addresses, phone numbers, and billing information. Then list out where you store this information — whether it’s electronically or in a physical filing system. Make sure to be extremely comprehensive; you’ll want a full picture of everything you have access to and where it resides.
2. Restrict access.
Only your most trusted employees and business partners should have access to your customer data. Whether you keep things in a file cabinet, on your computer, or in an online tool, make sure as few people as possible have the keys, codes, and passwords. And keep a careful inventory of who has access to what. That way, if someone leaves the company, you can quickly change codes and passwords to keep things protected.
3. Have strong passwords.
You’ve heard this a million times, but it’s absolutely critical to make your passwords as guess-proof as possible. Your business name or “12345” isn’t going to cut it. Strong passwords have at least eight characters, upper and lowercase letters, numbers, and symbols. You should also enable two-factor authentication — a security process that requires two methods of verification (usually an email address and a texted code) — to log in to your most important apps.
4. Take authenticated payments.
When it comes to face-to-face transactions, magnetic-stripe cards are outdated and a lot less secure than newer payment technologies like EMV (chip cards) and [NFC] (contactless payments like [Apple Pay]). As opposed to magnetic-stripe cards, where customers’ bank account information is static on the back of the card, EMV and NFC transactions are authenticated — meaning they encrypt customer account information as the payment is processed.
Getting set up to accept EMV and NFC (you’ll need a new payments processor) is something you should get on your to-do list ASAP. Fortunately, there are new, affordable readers that make accepting EMV and NFC easy for small businesses.
5. Make sure you’re PCI Compliant.
To make sure business owners keep their customers’ data secure, credit card companies have come up with a series of regulations called the Payment Card Industry Data Security Standard, or PCI DSS.
PCI DSS aims to ensure businesses that accept, process, store, or transmit credit card information maintain a secure environment so cardholder information does not fall into the wrong hands. To be considered compliant, your business needs to adhere to the set of security standards that all five major payment brands have set up through their organization.
Understanding [PCI Compliance] and then making sure you’re compliant can be costly and take a lot of time. And if you accept credit card payments and are found noncompliant, you could end up spending thousands per year in fees. Most payment processors leave it up to sellers to manage their compliance, which takes time and is expensive. But there are payment processors (like Square) that will handle PCI compliance for you.
6. Use spam filters.
You know to steer clear of opening email that looks fishy. But unfortunately, spammers are getting a lot more savvy these days, sending email that looks legit but in fact is not. To make sure you don’t fall prey to one of these scams (where bad guys could potentially gain access to your data), be sure to install a rock-solid spam filter on your email system.
7. Install antivirus software.
You should protect your computer with antivirus software. Same holds true for every single company computer — or any personal computer your employees use to access business information. This doesn’t have to be expensive; there are a number of affordable (and free) antivirus applications out there. It’s a good idea to consult with an IT professional about which one works best for your business.
8. Stay on top of software updates.
We get it — that “install updates” screen pops up, you say “remind me later.” Well, to keep your data as safe as possible, you need to be timely with these, as many software updates include enhanced security features. So just bite the bullet and grab a coffee while things update.
9. Choose partners who prioritize your data security.
When you’re researching vendors and partners who help you store customer data, make sure you ask questions about their security practices. For instance, if you’re looking for a payment provider, make sure it offers things like fraud detection, dispute support, and PCI compliance. Only work with partners like [Square] that put as much value on protecting your customers as you do.
How to Protect Your Small Business Data (Small Business Association)
Cybersecurity for Small Businesses (Federal Communications Commission)
Start with Security: A Guide for Businesses (Federal Trade Commission)