Ten Steps to Save Your Business from a Data Breach


February 2019


In our January edition of the Merchant Edge newsletter, we discussed the importance of security with topics on PCI compliance, data breaches, and how to secure your POS system. We continue our “Security Matters” series with a deeper look at cyber security and how to make sure your business is properly prepared to fend off an attack.

The first question you should ask in order to determine whether your business is at risk of a data breach is whether your company maintains sensitive data related to customer credit or debit card information. Additionally, you should consider whether your business maintains financial information, company records, operational reports, budgets, or other data related to business associates or suppliers.

According to Accenture, “The most expensive component of a cyber-attack is information loss, which represents 43 percent of costs.” It is not uncommon for businesses to maintain at least some sensitive data. If your firm is not taking steps to protect such information, you could be at risk.

So, what can you do to decrease such a risk and make sure that your business is prepared for the potential of such a breach? Start with these ten steps.

Plan for a Breach
The first and most important step you can take is to plan for a breach before it occurs. When a breach takes place, businesses typically need to ensure they make the most of the time available to them to comply with notice obligations, complete the necessary forensic analysis, and mitigate the exposure that has taken place. By ensuring that you have a formal incident response plan in place and that you are familiar with it, your company can help to significantly reduce the costs related to a data breach. Given the high costs and tight timeline related to a data breach, such a response plan should include a list of responsibilities that identifies the individuals responsible for each specific task. In addition, the plan should include the necessary training required.

Eliminating Blind Spots
In some of the most widely publicized data breaches, hackers were able to gain access to systems using system vulnerabilities and stolen credentials. While there is no getting around the fact that your business relies on the support of your business partners and vendors, conducting due diligence can help to reduce the risk of a breach resulting from the inferior security of a third party.

Know Your Points of Contact
Retailer breaches often result from criminal or malicious attacks on the retailer's system. As a result, when such a breach occurs, law enforcement will naturally be involved. Taking the time to identify points of contact within both state and federal law enforcement in advance can help expedite the investigation process in the event that your company should become the victim of a data breach.

Liability Coverage
Costs related to breaches, especially from a large breach, can often exceed the amount of insurance coverage that a business has. For this reason, it is vital that you review and understand your coverage as it relates to your network security. Find out specifically whether your coverage is adequate and whether there are any limitations, including notice requirements. You may also need to consider whether your business should purchase additional cyber liability insurance.

Vetting Third Parties
Most businesses do perform due diligence prior to transmitting sensitive data to business partners and vendors. Yet, at the same time, it is important to consider whether you are doing enough to vet those partners. Given the amount of risk associated with a data breach, taking a few extra steps to vet the partners with whom you do business can be well worth the effort. This will be increasingly important as more companies opt to use cloud payment services.

Instituting a Dedicated Response Team
Putting a dedicated response team in place can help give your business peace of mind in the event that the worst should happen. Ideally, such a team should be cross-functional in nature and include personnel from a variety of departments.

Engage Outside Vendors
The reality is that you may not be able to protect your business from a data breach on your own and may need outside help. Breaches are expected to be handled in a timely manner. By establishing partnerships with external vendors, you can gain the specific experience you need to help prevent attacks and expedite the investigation and notification process if a breach does occur.

Understanding Legal Requirements
Staying on top of what federal and state agencies require of your company in the event of a breach is critical. At a minimum, your business should have a process in place that will help you identify and monitor state and federal requirements, including disclosures. If your business does not already have such a process in place, keep in mind that you could be subject to fines if you do not follow certain legal requirements. By making certain that you know how to comply before a breach, you can ensure that your business is prepared.

Update Your POS System
Is your point-of-sale system up to date? As an increasing number of markets make the transition toward EMV, a technical standard that ensures that chip-based payment terminals and cards are compatible, it has become necessary to ensure your POS system is upgraded. The use of smart chips makes it possible to take advantage of more advanced cardholder verification, which can protect against fraud in EMV transactions, including the use of stolen cards. Regardless of the size of your business, this is a step that you simply cannot afford not to take.

Tokenization and Encryption
Layering tokenization and encryption on top of an EMV-compatible POS system makes it possible for merchants to reduce security weaknesses while also addressing authorization-related vulnerabilities. Keep in mind that there are two points in the transaction process at which data could be exposed to a data breach: pre-authorization and post-authorization. Tokenization and encryption help protect cardholder data once consumer and payment data have been validated. Additionally, tokenized and encrypted data are of absolutely no value to a hacker: a token is a meaningless string that cannot be turned back into a card number outside the system that issued it, and encrypted data cannot be read without the key.
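A minimal illustration of the tokenization half of this step, added here as an example and not taken from the newsletter or from any payment provider's product: the merchant's own records keep only a random token and the last four digits, while the full card number lives solely in a separate vault, so a copy of the merchant database yields nothing usable. The vault class, function names and the test card number are assumptions for illustration.

```python
"""Added example (not from the newsletter): a minimal card-data tokenization vault.

The merchant's own records keep only a random token plus the last four digits;
the full PAN lives solely in the vault, so a copy of the merchant database is
worthless to an attacker. All names and the sample PAN below are constructed."""
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check, so the vault refuses obviously malformed card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Maps random tokens to PANs. In production this store is separated,
    access-controlled and encrypted at rest; here it is an in-memory dict."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_urlsafe(24)   # random; carries no card information
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]           # KeyError if the token is unknown

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps: the token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}

if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111")   # constructed test PAN
    print(rec)
```

Each call to tokenize produces a fresh random token, so even the same card number stored twice yields two unrelated strings.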

Data breach preparedness can be complex. If your business is not prepared, the result of a data breach could be catastrophic. Small Business Trends states, “43 percent of cyber-attacks are aimed at small businesses.” Taking the time now to prepare for a data breach and understanding best practice solutions can help you reduce the risk of such a breach and ensure you are prepared in the event that one does occur.