Keeping data secure is a challenge for businesses large and small. The recent cyber security attack on TalkTalk just goes to show the scale of the challenge. The attack has resulted in an estimated £35 million in costs to the company, and there is the associated bad PR too.
Over 157,000 customer accounts were accessed. An estimated 15,600 bank account details were taken.
So how could TalkTalk have prevented this attack? Well, with thorough and regular testing of software, the risks can be minimised. The challenge is that external testers only learn which vulnerabilities to look for shortly after hackers first expose each weakness.
So how does a small business protect itself? Most small businesses won’t have an in-house IT team, or be able to afford external pen-testers each time their network or systems are upgraded or improved. The small business owner does have some measures they can take.
First of all, they can manage data. Reduce the amount of data (both rows and fields) that is exposed via externally facing systems. Internal systems should hold the more valuable, higher-risk data. External systems should expose the minimum possible, rather than be a duplicate of all the data. That’s just lazy.
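To make the row-and-field minimisation above concrete, here is an added example (not from the original post) of an export step that sits between an internal customer table and an externally facing portal; the record layout, field names and sample data are constructed for illustration.

```python
"""Data minimisation for an externally facing system (added example).

Internal records hold everything; the export for the public-facing portal
keeps only an allowlisted set of fields and only the rows that portal needs.
"""
from typing import Iterable

# Fields the external (customer portal) system genuinely needs. Anything not
# listed here never leaves the internal system, so a breach of the portal
# cannot expose it. (Assumed field names, not from the post.)
EXTERNAL_FIELDS = frozenset({"customer_id", "display_name", "email", "plan"})

# Field names that must never appear in an external export, as a second
# line of defence in case the allowlist is edited carelessly.
NEVER_EXPORT = frozenset({"bank_account", "sort_code", "card_number", "dob", "home_address"})

# Constructed sample of what an internal customer table might contain.
INTERNAL_RECORDS = [
    {"customer_id": 1, "display_name": "A. Example", "email": "a@example.com",
     "plan": "fibre", "status": "active", "bank_account": "00000001", "sort_code": "00-00-00"},
    {"customer_id": 2, "display_name": "B. Example", "email": "b@example.com",
     "plan": "adsl", "status": "closed", "bank_account": "00000002", "sort_code": "00-00-00"},
]

def minimise(records: Iterable[dict], fields: frozenset = EXTERNAL_FIELDS) -> list:
    """Return only active customers, each cut down to the allowlisted fields."""
    forbidden = fields & NEVER_EXPORT
    if forbidden:
        raise ValueError(f"allowlist contains fields that must stay internal: {sorted(forbidden)}")
    return [
        {k: v for k, v in rec.items() if k in fields}
        for rec in records
        if rec.get("status") == "active"  # row minimisation: closed accounts stay internal
    ]

def leaked_fields(export: Iterable[dict]) -> set:
    """Audit check: internal-only field names that are present in an export."""
    return {k for rec in export for k in rec} & NEVER_EXPORT

if __name__ == "__main__":
    portal_export = minimise(INTERNAL_RECORDS)
    print(portal_export)                 # one active customer, four fields
    print(leaked_fields(portal_export))  # set(): nothing sensitive left the internal system
```

Running `leaked_fields` over the external system's actual data set is a cheap periodic check that the minimised copy has not quietly drifted back into a full duplicate.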
Secondly, don’t store bank details. Use a third party to manage this. For example, use PayPal. That way you don’t need to comply with PCI DSS. Pass this responsibility onto PayPal and pay a small commission for doing so. You can even create one-off invoices on PayPal for clients to pay. That way they don’t need your bank details either – lowering your risk from them!
Thirdly, delete old data. When projects or products are complete, delete the data. Return data and paper files to suppliers and clients. Get them to sign for these to show it’s their responsibility from then on. Check all your NDAs.
Thin out data and lower your cyber risk.