By now we’ve all heard the story of how 143 million Americans (roughly half the US population) had their personal data compromised due to a breach at Equifax. It’s reasonable to be concerned about the security of your personal accounts. But what about your customers’ sensitive financial data?
With so many people affected, consumers are being inundated with admonitions to update their passwords, freeze their credit reports, and reconsider to whom they entrust their data.
Whether you sell Point of Sale (POS) software or use it to run your business, it’s time to face facts. After all, if one of the largest custodians of consumer identity data can be hacked, POS software companies and the companies that use that software should assume the worst about their own vulnerability.
Fact 1: This breach was avoidable.
Equifax failed to implement a patch provided by a software vendor/partner for a known vulnerability discovered months prior to being exploited at Equifax.
Key Takeaway / Action Item
Remain vigilant and create mechanisms that ensure your software and any plugins, extensions, or API-connected applications are updated as soon as possible.
Automate where feasible. There are some risks to automated updates, including the possibility that an update could cause a system failure. Only you can determine if automation is right for your company, but it should at least be considered.
Many of North America’s largest POS software brands trust Constellation Payments as their gateway specifically because integration with our PCI Level 1 compliant gateway reduces PCI scope for them and their users.
Fact 2: Equifax fumbled the ball, fumbled the recovery of the ball, and fumbled the recovery of the fumbled recovery of the ball.
Equifax discovered the breach on July 29th, yet didn’t announce it until September 7th. They sent affected customers to a website that looked like a phishing site, and the mechanism for determining whether someone was a victim of the hack was easily spoofed by several security pros who entered dummy data; only to be told their dummy identities were likely compromised.
Finally, Equifax made the egregious decision to try to sell credit monitoring to those that received the bad news, making Equifax seem at best, callous and uncaring, and at worst, opportunistic and sleazy.
Key Takeaway / Action Item
Have a breach plan before you have a breach. Who would you call if this happened tomorrow? What would be the best, most effective measures to take upon learning that your company’s data was now available to anyone willing to purchase it on the dark web? Are there PR firms, Law Firms and Cybersecurity Firms you should have on speed dial?
One thing’s for certain the old saying that “a failure to plan is a plan to fail” never felt more fitting than it does in the case of Equifax.
Recommended reading: Check out: Your Cyber Incident Response Exercise. The article takes you through key questions and scenarios that should be discussed and documented with your team before a breach occurs. This preparation is invaluable. Having a plan in place will help you and your team properly respond to a breach in an organized manner, as opposed to being backed against the wall in a “what should I do …”, frenzied state during an actual breach.
Fact 3: Equifax put revenues ahead of security.
Financial disclosure documents show Equifax’s annual overhead had not increased in several years, while profits had increased steadily. It’s been speculated that Equifax may have been slow to fix the patch, because it would be very expensive, and might influence earnings. It seems obvious that a company with as much to protect as Equifax should be increasing its security budget steadily year after year.
Key Takeaway / Action Item
Dedicate a budget to cybersecurity, choose partners who have done the heavy lifting for you, review the budget and your plan at least once a year, and never settle for the minimum protections when it comes to sensitive customer data.
Bottom Line – Prevent, Prepare and Invest
Ensuring the security of your customers’ sensitive data should always be a top priority. Your customers trust you with their payment information. You should do whatever it takes to maintain that trust. Take the time to put proper security mechanisms in place.
Should a breach occur, know how to respond. A cyber incident response plan that can be used throughout your organization is something all businesses should have.
Lastly, never cut corners on data protection just to save some money. In the long run, it could cost you the business you’ve worked so hard to build.
Rick Ellis is a Business Development Executive with over 20 years of experience running a successful membership-based company built around a lucrative recurring revenue business model. As an Executive for Constellation Payments, Rick enjoys working through complex business models, and leveraging proven payment processing strategies for maximum effect.
Monitor image courtesy of Pixabay.com.
Get Our Best Advice Sent to Your Inbox!
Subscribe to our blog, How Payments Are Done, to receive continual guidance on important payment topics.
Enter your email address into the Subscribe box above and we’ll send you our latest posts as soon as they’re published!