Over the past few months there have been a series of well-planned phishing attacks on our industry. The attacks have focused on assorted corners of our world: multiple email service providers (ESPs), a delivery assurance company, blue-chip brands, even a leading security/risk prevention company. The fact of the matter is that all businesses that collect, store, analyze, or send information are vulnerable.

The first and obvious concern about the breaches is how much data was compromised and who now has access to it? Ultimately, this question will be answered and the respective damage control will ensue.

The bigger issue is well-beyond the unauthorized release of a large number of email addresses. If consumers don't believe they can trust you with their data, they won't give it to you. The timing of these breaches in combination with a global call for better legislation or self-regulation about data privacy and data security raises the need for us to take a hard look at how we keep our clients' and their customers' personal and sometimes sensitive data secure.

We all know that it is impossible to be completely impenetrable. There are, however, many simple things that can be done to mitigate the risk of being comprised. Here are a few pointers to help protect your data:

    * Perform an internal or independent third-party audit to identify where you are vulnerable
    * Audit user rights for employees and clients
    * Don't send usernames or password combinations via email
    * Don't store passwords in publically accessible areas: WIKIs, sticky-notes, or plain text files
    * Use encryption whenever transferring data over a public network
    * Make security awareness a critical part of your employee education program
    * Adopt a consumer education policy that includes a simplified privacy policy
    * Adhere to information security standards such as ISO 27001

You should also be thinking about how you would actually handle a breach. Do you have a plan in place to handle events like this? Here are a few suggestions on how to be prepared to deal with a crisis.

    * Establish a cross-functional security team that includes key members of the company
    * Define specific roles for management, IT, and client services
    * Have the ability to analyze and identify the cause of the breach
    * Contain the problem immediately
    * Have a communication plan for employees and customers
    * Reach out to the appropriate authorities (e.g., police, FBI)

We don't need new laws to tell us how to do this, just a little common sense. An ounce of prevention and preparedness will go a long way toward building trust with consumers and protecting the emerging online channel we rely on to do business.

Source: www.clickz.com | Rick Buck