PCI Pal’s CISO, Geoff Forsyth, features on Retail Sector.
Data security may have once been the sole mandate of the IT professional but that is no longer the case. Data breaches have become a fact of life for businesses, occurring numerous times each year worldwide. As a result, the public is now more aware than ever before about the safety of their personal data and its value.
A recent survey conducted to gauge the public’s changing attitudes to data security found that the safety of personal data is now a major factor in many of people’s decisions, particularly when deciding where to spend their money.
40% of respondents to the survey stated that they considered the retail industry to be among the least secure. Local stores stood out when it comes to trust, with 30% saying that local stores care more about their reputation than national retailers do. But what are they doing right, and how can other retailers work to improve their reputation and their customers’ trust?
The survey also found that 41% of Britons would cease spending with a company forever if their personal data was hacked, highlighting the potential damage to both bottom line and reputation that can occur from just one data breach.
So, how can retailers build their reputation among a wary public and provide the reassurance that consumers will value?
Remember that it’s a marathon not a sprint
It’s good to remember that developing and maintaining good data security procedures and policies is a continuously evolving task. There is no silver bullet that will solve all of your issues. Ensuring that you comply with regulations should be a paramount concern. PCI DSS compliance is a particularly good place to begin if you’re starting from scratch, as it will help you to develop good habits. This has the positive side effect of fortifying you against the demands of other key regulations, such as the GDPR.
The risks involved with non-compliance should be known by all members of staff, particularly management, who can often feel insulated from what they consider to be minutiae. Risks should be clearly stated and good habits should be nurtured from the ground up, rather than being isolated to IT departments and personnel.
If you don’t have adequate talent to manage your compliance, reach out to experts; it will be money well spent.
Proper planning prevents poor performance
Your company should have a plan in place for what to do in the event of a breach. Knowing who is doing what and how you are going to react will save precious time and help to limit damage done.
Trying to formulate a plan after a breach, once the damage has been done, will do a company no good at all. Also, be transparent about the planning that has been done in advance and about any security partners you may have; this will show that you take the issue seriously and are poised to deal with problems as they arise, rather than sitting on your hands.
This is a key point when it comes to building (or re-building) and maintaining trust. Make data security policies prominent on company intranets, print them out and stick them to the front of journals and folders, to make them front of mind for staff.
Externally, demonstrate the measures you have in place to aid data and payment security, for example how you comply with the PCI DSS, to offer greater assurances to customers.
Honesty should be the word on everyone’s lips as they plan ahead of a breach and deal with one if it happens. The temptation to try to keep things quiet and limit knowledge of the breach should be resisted, because all that will do is grow more distrust and suspicion, further damaging reputation.
Take ownership of any problems promptly, communicate with your customers and take responsibility for any failings on your part.
You can have the most complete data-security policies in place and still fall victim to a breach or hack, but how you deal with it will set you apart.