You wouldn’t dream of leaving your office with the doors and windows unlocked, but the digital age presents a new level of responsibility when it comes to protecting your data - and most importantly, that of your customers.
By Kate Morris, founder adorebeauty.com.au
You wouldn’t dream of leaving your office with the doors and windows unlocked, but the digital age presents a new level of responsibility when it comes to protecting your data – and most importantly, that of your customers.
On 22nd February 2018, new legislation came into effect as an amendment to the Privacy Act, requiring businesses with revenue over $3 million to notify any individuals likely to be at risk of serious harm by a data breach. In addition, the Office of the Australian Information Commissioner (OAIC) must also be notified.
This means that unless you fancy the idea of having to tell all your customers that their information has been stolen, it’s time to get serious about cybersecurity – especially if you’re operating an online store. There’s a fairly comprehensive guide to securing personal information on the OAIC website, which I highly recommend you read. I’ve summarised a few salient points here.
Do you really need this information?
It goes without saying that it’s a whole lot easier to safeguard personal information if you’ve never collected or stored it in the first place. Credit card information in particular should never be stored. Even if you need to be able to charge a customer in future, tokenised payment technology can be utilised to remove the need to store payment information.
The human element
Generally the biggest security vulnerability in any business is its staff, whether through error or deliberate intent. Access to personal information should be restricted to only those who need it to do their jobs; and your staff need regular training on how to avoid phishing attacks and scams.
Staff also need to be trained in correct procedures for storing and transmitting personal information. (Hands up if you’ve ever sent a mailing list via email? That’s a no-no.) If staff have access to personal information via their own devices, such as laptops, these devices need to be password-protected and encrypted in case they are lost or stolen.
Two-factor authentication (2FA)
2FA is an excellent way of protecting access to personal information. In addition to a username and password, 2FA will also require a user to enter a verification code sent to their smartphone. This ensures that even if someone leaves a password lying around, it can’t be misused without access to that user’s phone.
Update. Update. Update.
Ensure that all your software is kept up to date religiously.This goes especially for your web platform. Even if you rely on third-party agencies or web developers, in the end it’s your responsibility, so you need to make sure they’re applying the latest patches and updates every month. Failure to do so can leave newly-discovered vulnerabilities exposed.
Great. You should be! Fostering a culture of security awareness is one of the OAIC’s key recommendations in fulfilling your obligations to protect the privacy of your customers. Inform yourself, get external help if you need it, but don’t leave it to chance.