How to Keep Your Firm from Becoming the Next Equifax
Ah, Equifax. If there’s one brand you don’t want to be right now, it’s probably that one. Not only is it suffering plummeting stock value and the ire of millions of consumers (143 million of them, to be exact), but the company also faces numerous lawsuits, an investigation by Congress and a very expensive cleanup of the mess it is in following a massive data breach.
It’s a worst-case scenario that every business, large and small, hopes fervently to avoid. Hope is a fine thing to hold and cherish, but it’s not an effective strategy for protecting your firm from disaster. Instead of relying on hope, be diligent in three critical areas.
The first area is technology. There are countless technology-based methods of protecting sensitive data, and while you don’t have to use all of them (nor could you), you should certainly employ a number of them in your firm. Some of the most basic technical security measures that all firms should consider include:
- High-quality antivirus software
- Firewalls to limit network traffic and outgoing data
- Password protocols that require complex, unique passwords for all users
- Data encryption
- Password-protected wireless networks
- Password protection, data encryption and remote wipe capacity for mobile devices
The second area is people. Data security takes more than technology. It’s often human behavior that provides the opening for hackers or leads to inadvertent data exposure, so making sure everyone follows best practices is key to keeping sensitive data private. This is another very broad area, but all firms should prioritize basics like:
- Training all staff on cyber security policies and monitoring for compliance
- Adhering to password protocols
- Ongoing education to increase awareness of phishing, social engineering, malware and other tactics that can create vulnerabilities
- Limiting access to critical data on a need-to-know basis, and tracking who has access to what
- Establishing designated security point people and ensuring staff consistently bring questions and report potential problems to these individuals
- Changing passwords and removing access for employees who leave the firm
- Establishing and following a disaster plan that includes working with the appropriate authorities
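Two of the items above, limiting access on a need-to-know basis while tracking who has access to what, and removing access for employees who leave, are easiest to enforce if someone actually runs a periodic access review. The script below is an added example, not code from the original article; it reviews a constructed list of access grants against a constructed staff roster and a hypothetical role-to-system mapping, and flags grants that belong to departed staff, to accounts not on the roster at all, or to people whose role does not require that system.

```python
from datetime import date

# Constructed sample roster: who works here, what their role is, and whether
# they are still active. "carol" has left the firm; "eve" is not on the roster.
ROSTER = {
    "alice": {"role": "partner",   "active": True},
    "bob":   {"role": "associate", "active": True},
    "carol": {"role": "paralegal", "active": False, "left": date(2017, 8, 31)},
    "dave":  {"role": "it",        "active": True},
}

# Hypothetical need-to-know mapping: the systems each role legitimately needs.
# Any grant outside this set is a candidate for removal.
ROLE_NEEDS = {
    "partner":   {"dms", "billing", "client-db"},
    "associate": {"dms", "client-db"},
    "paralegal": {"dms"},
    "it":        {"dms", "billing", "client-db", "admin-console"},
}

# Constructed export of (user, system) grants, as an identity system or a
# spreadsheet of accounts might produce it.
ACCESS_GRANTS = [
    ("alice", "dms"), ("alice", "billing"), ("alice", "client-db"),
    ("bob", "dms"), ("bob", "client-db"), ("bob", "billing"),
    ("carol", "dms"),
    ("dave", "admin-console"), ("dave", "dms"),
    ("eve", "client-db"),
]


def review_access(roster, role_needs, grants):
    """Return a list of (finding, user, system) tuples, in grant order.

    finding is one of:
      "unknown-account"     - the user is not on the roster at all
      "departed-user"       - the user is on the roster but no longer active
      "beyond-need-to-know" - the user's role does not require this system
    """
    findings = []
    for user, system in grants:
        person = roster.get(user)
        if person is None:
            findings.append(("unknown-account", user, system))
        elif not person["active"]:
            findings.append(("departed-user", user, system))
        elif system not in role_needs.get(person["role"], set()):
            findings.append(("beyond-need-to-know", user, system))
    return findings


def access_inventory(grants):
    """Build the 'who has access to what' view: user -> sorted list of systems."""
    inventory = {}
    for user, system in grants:
        inventory.setdefault(user, set()).add(system)
    return {user: sorted(systems) for user, systems in inventory.items()}


if __name__ == "__main__":
    for finding, user, system in review_access(ROSTER, ROLE_NEEDS, ACCESS_GRANTS):
        print(f"{finding:22s} {user:8s} {system}")
    print()
    for user, systems in access_inventory(ACCESS_GRANTS).items():
        print(f"{user:8s} {', '.join(systems)}")
```

Run against the sample data it reports Bob's billing access (not needed by an associate), Carol's remaining document-system access (she has left), and Eve's client-database account (nobody on the roster). In practice the roster would come from HR and the grants from each system's own export, but the review logic is the same: every grant must trace back to an active person whose role needs it.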
The third area is how you respond. Equifax’s current imbroglio didn’t have to be as bad as it is. It would have been a major problem no matter what the company did, but its poor response has significantly increased the negative consequences to the organization. If your firm does suffer a data breach despite your best efforts, you can minimize the potential fallout by handling it in a way that demonstrates:
- Transparency – don’t stall, don’t hide. Alert clients right away so they can take the necessary actions to protect themselves to the extent possible.
- Accountability – this isn’t the time to point fingers or shift blame. You had the data; you didn’t sufficiently protect it. Take responsibility for what has happened, and offer meaningful solutions that will lessen or eradicate the impact on those affected.
- Integrity – your firm is in trouble, but your first (and public) focus should be on resolving the trouble you’ve caused for clients or others affected by the breach. Don’t try to shirk responsibility or weasel out of consequences as Equifax did with their hidden arbitration clause in the temporary credit monitoring they offered victims.
- Proactivity – what steps will you take to remedy the problem and prevent it from happening again? Most people can forgive an accident even when it creates difficulties for them; they won’t forgive a firm that appears to be slow, uninterested or unsuccessful in taking action to resolve those difficulties.
In an internet age where more and more data is stored in the cloud or other digital repositories, data breaches are an unfortunate but increasingly frequent reality. Protect your firm through strong security measures, but if it happens anyway, you can do much to salvage your reputation through a committed response.