As an online business owner, you process consumer financial information and personal data every day. Credit card numbers, Social Security numbers, home addresses and phone numbers all flow through your company, and that makes it an appealing target for attackers and data thieves.
Some attackers want to compromise that information so they can use it themselves. Others want to sell the identities of your customers on the black market for a profit.
Regardless, it is your responsibility to safeguard that information so that it does not fall into the wrong hands. How do you do that? We have 10 tips to help make it simpler and easier.
Limit the Types of Information You Collect
Our first tip should be pretty common sense, but you would be surprised at how many owners of online businesses fail to heed it. When it comes to consumer financial information and personal data, limit what you collect. The information collected should be information necessary to process the transaction and nothing more.
Anything collected beyond that should be anonymized or aggregated. For instance, unless you are building an email marketing list, you probably don't need to keep a consumer's name and email address once the order is complete. Limit the types of sensitive information you collect and you limit your own liability as well.
Don’t Store Consumer Financial Information
Here’s a tip that should be a no-brainer. Don’t store consumer financial information anywhere, at any time. For instance, since you’re running an online business, your customers will likely pay with a credit card or debit card.
That information should be transitory: entered once, handed to your payment processor, and then securely destroyed. Let the processor hold the card details and keep only the token it returns plus the last four digits for receipts and refunds. If you do not store consumer financial information, data thieves cannot steal it from you, even if they manage to get into your system.
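The checkout flow described above, as an added example that is not code from the original page: the card number is validated, passed to the processor, and overwritten in memory, and the only record the merchant keeps is a token and the last four digits. The processor is simulated locally here (in a real integration it is an HTTPS call to the gateway's tokenization endpoint), the order ID and test card number are constructed, and the Luhn check is the standard checksum used on card numbers.

```python
"""Checkout that hands the card number to the payment processor and keeps
only a token plus the last four digits. Added example, not code from the
original page; the processor is simulated locally, where a real one is an
HTTPS call to the gateway's tokenization endpoint."""
import json
import secrets


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over ASCII digits; rejects anything that is not 12-19 digits."""
    if not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, b in enumerate(reversed(pan)):
        d = b - 0x30
        if not 0 <= d <= 9:
            return False
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class SimulatedProcessor:
    """Stand-in for the gateway (constructed for this example). The vault lives
    on the processor's side, inside its PCI-scoped environment, never in the
    merchant's database."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: bytes) -> str:
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = bytes(pan)   # the processor keeps the PAN, we do not
        return token


def checkout(order_id: str, pan: bytearray, processor) -> dict:
    """Return the record the merchant is allowed to persist. The PAN arrives in a
    bytearray so it can be overwritten once the processor has it."""
    if not luhn_ok(pan):
        raise ValueError("card number failed the Luhn check")
    last4 = pan[-4:].decode("ascii")
    token = processor.tokenize(pan)
    pan[:] = b"\x00" * len(pan)   # wipe our copy; the token is all we keep
    return {"order_id": order_id, "card_token": token, "card_last4": last4}


def contains_pan(record: dict, pan_digits: str) -> bool:
    """Storage-layer sanity check: the full number must not appear anywhere in
    what gets written to disk."""
    return pan_digits in json.dumps(record)


if __name__ == "__main__":
    buf = bytearray(b"4111111111111111")   # constructed Luhn-valid test number
    rec = checkout("order-1001", buf, SimulatedProcessor())
    print(rec)
    print("buffer wiped:", buf == bytearray(len(buf)))
```

The bytearray only wipes the copy this function controls; any str or bytes object that was created from the request before this point stays in memory until the interpreter frees it, so keep the number in a mutable buffer from the moment it is read off the wire.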
Store It for as Short a Time as Possible
We understand that there are times when you'll need to store at least some portion of consumer financial information or personal data. Do so for as short a time as possible. Once you no longer need that information, dispose of it. If you collect personal information about your customers for marketing purposes, make sure to anonymize it as well.
Avoid Personal Data When Not Necessary
It sounds simple enough: if you can avoid collecting and saving the data, so much the better. A few companies deliberately hold as little information about their customers as they can while still doing their job, but most will try to gather as much data as possible. Resist that instinct.
Avoid Using Consumer Financial Information or Personal Data When Not Necessary
You would think that online business owners would realize the need to limit the use of consumer financial information and personal data to scenarios where it is strictly necessary. Sadly, that is not always the case. The FTC has pursued several cases where businesses used real consumer information in in-house training programs without any anonymization and without deleting the information afterward.
This gave company employees access to that data and also put it within reach of attackers, even though fictitious information would have worked just as well. There was no actual need for real consumer information to be used at all.
Although GDPR has been in force since 2018, many companies are still slow to follow its rules, and some do not even publish a privacy policy, despite it being required of any company that handles the personal data of people in the EU.
Restrict Access to Data
As you’ll see, most of our list is made up of simple, common sense tips, and this one is no different. Online business owners should limit access to consumer financial information and personal data, as well as all other information.
By limiting access to sensitive information, you automatically improve security while enhancing accountability. After all, the fewer people who have access to data, the fewer sets of credentials an attacker can compromise to reach it. If a team member has no legitimate need to access that data to perform their job duties, they should not have access to it.
Are you running a business with employees who have access to data? Read our security tips for employees.
Lock Down Administrative Access
How many people have administrative access to your website's database? How many people are allowed to make system-wide changes? Lock down administrative access and limit it to those who have a proven, definite need for that type of access.
Also, insist on accountability for account passwords and login credentials: every administrator gets their own named account, and shared logins are never used, so every change can be traced to a person. The fewer people with administrative access, the safer your site will be as a whole.
Require Proper Password Hygiene and Strength
Everyone with access to your website should be required to practice good password hygiene and should know current best practice on password strength. Passwords should be long and unique to each site (a password manager makes this practical), never reused, and changed promptly whenever compromise is suspected rather than on a fixed schedule, which mainly pushes people toward predictable variations. There is much more to a secure password strategy, and teaching your employees is a continuous process.
Protect Against Front and Backdoor Attacks
Brute-force attacks against your login and exploitation of known software vulnerabilities are the two primary concerns for online business owners. You can limit your risk by using two-factor authentication, limiting login attempts, temporarily blocking IP addresses that fail to log in too many times, and regularly updating your software so that known vulnerabilities are patched before someone exploits them.
Read more about how we protect your website with the cloud firewall.
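The login throttling described above (limit attempts, then block the source), as an added example that is not WP Security Ninja's code: failures are counted per source IP and per account inside a sliding window, an IP that exceeds the limit is locked out for a fixed period, and the per-account limit catches an attacker who rotates IPs. The thresholds are my choice, state is kept in memory (a real deployment would back it with a shared store such as Redis or the site's database so every web node sees the same counters), and the attempt list uses constructed timestamps and documentation-range addresses.

```python
"""Login throttling with per-IP lockout and per-account attempt limits.
Added example (not WP Security Ninja code). State is kept in memory; a
real deployment would back it with a shared store such as Redis or the
site's database so all web nodes see the same counters."""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window=600, lockout=900):
        self.max_attempts = max_attempts   # failures tolerated inside the window
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an IP stays blocked after exceeding the limit
        self._failures = defaultdict(deque)  # ("ip", addr) / ("user", name) -> failure timestamps
        self._blocked_until = {}             # ip -> time the lockout ends

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining queue."""
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def allow(self, ip, username, now):
        """Decide whether the password should even be checked for this attempt."""
        if self.is_blocked(ip, now):
            return False
        # The per-account limit matters against an attacker rotating IPs:
        # it caps how many guesses one account takes regardless of source.
        if len(self._recent(("user", username), now)) >= self.max_attempts:
            return False
        return True

    def record(self, ip, username, success, now):
        if success:
            # Only the account's counter is reset; a success from an IP does not
            # forgive that IP's earlier failures against other accounts.
            self._failures.pop(("user", username), None)
            return
        for key in (("ip", ip), ("user", username)):
            self._recent(key, now).append(now)
        if len(self._failures[("ip", ip)]) >= self.max_attempts:
            self._blocked_until[ip] = now + self.lockout


# Constructed sample: (seconds, source IP, username, password correct?).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.7",   "admin", False),
    (5,   "203.0.113.7",   "admin", False),
    (10,  "203.0.113.7",   "admin", False),
    (15,  "203.0.113.7",   "admin", False),
    (20,  "203.0.113.7",   "admin", False),  # fifth failure: this IP is locked out for 900 s
    (25,  "203.0.113.7",   "admin", True),   # right password, still refused while locked out
    (30,  "198.51.100.9",  "alice", True),   # unrelated user from elsewhere is unaffected
    (35,  "198.51.100.20", "admin", True),   # new IP, right password, but the per-account limit holds
    (940, "203.0.113.7",   "admin", True),   # lockout expired and failures aged out of the window
]


def replay(attempts, throttle=None):
    """Run the attempts through the throttle; returns one outcome per attempt."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for now, ip, user, password_ok in attempts:
        if not throttle.allow(ip, user, now):
            outcomes.append("throttled")   # the password is never even checked
            continue
        throttle.record(ip, user, password_ok, now)
        outcomes.append("ok" if password_ok else "bad-password")
    return outcomes


if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={attempt[0]:>4}s {attempt[1]:<14} {attempt[2]:<6} -> {outcome}")
```

Two details worth keeping when adapting this: throttled attempts are refused before the password is checked, so a locked-out attacker gets no signal about whether a guess was right, and the per-account counter means a legitimate user can be locked out by someone hammering their username, which is why the lockout is short and two-factor authentication remains the real defence.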
Encryption at All Stages
Encryption is not just good sense, it is essential. Make sure consumer financial information and personal data is encrypted not only on your website (TLS on every page, not just the checkout) but also wherever it is stored and whenever it is transmitted to other parts of your business.
Finally, consider network segmentation. Just because a workstation is part of your business does not mean it needs to reach every other computer you own. Segmentation puts boundaries between parts of the network (separate VLANs, firewall rules between zones, or physically separate networks) so that an attacker who gets into one part cannot immediately move to another.
Splitting up your internal network this way keeps an intrusion in a distant part of the network away from the systems that hold sensitive data.
While there is no way to eliminate the chance of an attack being successful, the simple, effective tips we have discussed here do a lot to mitigate your risk and make you a less attractive target to attackers.
With a common sense approach and a sense of accountability, you can help provide your customers with the protection and peace of mind they deserve.