05 May 2017 14:30:04 IST

Be smart about data security


Dealing with data breaches is no more a matter of luxury but survival

It is 7.30 in the morning when, as the Chief Marketing Officer of a big retail store, you get a call from your manager saying there is a problem with the point-of-sale (PoS) software. You probe further and he says there has been a leak of customers’ data. This is serious stuff, and you suddenly realise you have to leave for the office to check out what is going on.

Information leakage, or a data breach (as it is commonly called), is becoming an increasingly common problem in companies. It is a threat to the safety of the customers’ information as well as to the reputation of the organisation. Even something as simple as not storing a cardholder’s data properly after a transaction can cause a breach.

Cyber-criminals have become proficient at hacking into merchants’ point-of-sale systems that capture and forward electronic payment details. Today’s attacks have become quite refined, and offenders have found many areas where data passing through your system is vulnerable.

Targets

What is worrying is that it is the small merchants who are the worst affected by such leaks. According to research, 90 per cent of data breaches affect small merchants, with the industries most impacted being retail (45 per cent), food and beverages (24 per cent), and hospitality (9 per cent). While the financial costs of a breach can be high, even the non-monetary consequences can be quite damaging.

It is unlikely that the breach is discovered at the merchant’s end. Mostly, it is identified by a law enforcement agency or an independent party, such as a bank or a card association.

What follows may be an endless list of actions: a forensic examination to ascertain the breach; hiring an outside examiner to conduct the search (this, in turn, may require the shutdown of your business, at least temporarily); informing customers (probably the most difficult and expensive step, as a lot of resources and labour are involved and, in special cases, you may also have to provide credit monitoring for affected customers); paying up for the liability for fraud charges; replacing the customers’ cards; and even overhauling the PoS system.

Consequences

Of course, there are other non-financial consequences that can be detrimental to your business. The first and foremost is how to deal with the damage to your brand and business reputation. Consumers who use their payment cards at your establishment place a high level of confidence in your business. This breach may end up in their switching to another establishment.

Regardless of the cause of the breach, your company should not even think about claiming to be a “victim”, as that would weaken your company’s position, making it look ‘powerless’. Then there is also the bad PR, or bad press, to deal with. There will be unwanted publicity, which has to be handled deftly. Banks may pull back on the privileges extended to you, and this could hit your business hard. And finally, there is your precious time. You will spend endless hours trying to resolve this at the cost of serving your customers and supervising your normal business operations.

Preventive measures

Back to the retail store where you, as CMO, have a tough task cut out for you. Depending on the seriousness of this particular breach, you may take one or more of the following measures to prevent its recurrence:

* Improve data availability and documentation management. Technology can greatly help in this. Software can provide endorsement tools that validate user credentials at every device, authentication functionality that caps an employee’s access to specific devices, and file destination control to regulate the flow of data. In this case, it is critical to understand at which point the leak happened and install devices there. Also, collect as much customer information as possible, at least for the heavy users, so that you can selectively use these devices for a specific set of customers. This will optimise costs.

* Safeguard the scanning process, a large area where most of the data leakages take place. Safeguard your security by placing filters within scanning applications to restrict document access. These content filters can search for specific words like “confidential” and disable scanning. Access can be allowed upon a specific passcode, or similar device. Again, as a CMO, emphasise which customer documents can be scanned and which should not be: for instance, bills, purchase history, consumption reports and brand health-checks are all strategic in nature, and if they fall into the hands of the competition, it may prove detrimental to your business.

* Have a disaster plan in place. Draw up a list of steps covering what to do and whom to inform in case of a data breach. Most importantly, clearly define what constitutes a breach, as you do not want employees disrupting your business frequently, citing this reason. Insist that the store’s staff is trained on the first few steps to be taken when a breach is discovered: for example, pulling out customers’ records, their current contact details, their specific last transactions, and the like. This will save time when you implement the disaster plan.

These are only some ways of dealing with data breaches. In an age where digitisation is becoming more and more mature, organisations have to continuously review and deal with newer methods of handling such breaches. It is not a question of luxury but is a matter of survival.