The Target hack that compromised about 40 million credit and debit cards swiped over Thanksgiving weekend is practically all anyone can talk about right now. How could such a juggernaut be vulnerable to hackers?
On Thursday, the Minneapolis company said customers who swiped their cards at its retail stores between November 27 and December 15 may have been exposed to criminals. The chain said it immediately reported the breach and partnered with a forensics firm to look into the issue. But besides directing customers to a hotline where they can report fraud, it felt like the company wasn't doing much to minimize the damage.
Of course, Target isn't the first big company to fall prey to hackers. Last January, for example, Zappos experienced its own data breach, in which customers' passwords and credit card numbers were exposed, and in April 2011, Sony's PlayStation network was hacked.
Whether you're a giant chain with millions of card-swiping customers or a mom-and-pop shop trying to protect your back-end operations, here are some tips for avoiding a similar PR nightmare from Brian Lapidus, senior vice president at the risk management firm Kroll, published on the firm's website.
Get a game plan.
Above all, you want a comprehensive preparedness plan so your business can continue to operate if a breach occurs. All your managers should know the plan, and roles should be set regarding who reviews the plan's policies and procedures.
Hire the pros.
Only third-party security professionals can offer a neutral, objective assessment of your level of risk and what's at stake, writes Lapidus.
Be mindful of what information you take.
If you don't need the information, don't take it, Lapidus writes. The idea is to streamline your data storage systems and to purge the data once the need for it has expired. By the same token, only grant employees access to sensitive data on an "as needed" basis, and keep records of who has access.
Watch your back.
Like a lot of crimes, security breaches often come from within. In some cases, the employee may be well-meaning but misguided. In others, he or she may be after your money. To combat these issues, offer better employee security training, evaluate the way people log in remotely, and scrutinize the access former employees have to company data. On- and off-site data storage practices may also be worth looking into. To test your vulnerability, you may try simulating attacks using security awareness software.