The Economics of Security: It pays to plan ahead

Stephen Kennedy - Lead Web Developer

What a month October 2018 was: Facebook had another breach; Google was caught not disclosing their own, and in reaction shuts down the consumer service for Google+ (and it's 2 users). And hey, turns out there's a scandal brewing about these tiny "spy chips" found in Chinese manufactured servers used by US tech companies. All of these events are doing their best to unearth a question that has probably never been adequately answered by these tech giants (though it is unfair to say they haven’t tried), much less by most small business owners.

And that question is, "What do our security policies say about our business ethics?"

Of course, that also can raise the more concerning question, "What are our security policies?"

One man pointing out the GDPR logo to a second man.GDPR was big news to a lot of businesses, but now that it's here it isn't hard to see how it, and proposed laws like it, will effect your business.

And for the small business owner, it isn't hard just to say "I don't know" and move on. Either you assume that a security breach is something that happens to other people, or you believe that you are too small for the consequences of that breech to harm you.

Regardless of how you feel about your customers personally, for a customer to spend money, they need to be comfortable. 2018 is a tough year for technology companies, and we have a lot of questions we need to have answers for that no one was asking before. Companies without those answers will risk losing consumer confidence. Bottom line, that means that even if your prices are cheaper, you can and will lose sales to someone else who makes them more comfortable, and small markets often have long memories. A mistake now could potentially haunt your marketing for years.

It certainly doesn't help that all of this is work that needs to be put in long before any benefits can be seen, especially since security is such a dynamic and tumultuous field. The average business owner spends more time than they'd like to admit running payroll to payroll, rent to rent, and there just never seems to be the time or the money to spend on something that doesn't immediately affect the profits coming in.

A person holding a phone with a shopping cart icon and their credit card side by side.eCommerce is one of the biggest culprits, but it is far from the only one.

Everything I am discussing here applies most fully to anyone dealing directly with Credit/Debit Card Data via eCommerce, a full POS system with credit card processing, and even just a credit card machine, but in 2018 going fast into 2019 even customer addresses, phone numbers, or emails can be the last key in a malicious attempt to steal your customer's identity. Personal data of all kinds is valuable and important to protect on the behalf of your customers.

Not only is it an ethical imperative to protect this data as best as you can, but with many laws created as a direct response to large missteps like Facebook, Google, and Equifax, there is a financial imperative to back those ethics up. If you take the time to add all the numbers up, the continued viability of your business might depend on having a set of answers to the following two questions:

  1. "How do we protect Customer Data?"
  2. "What do we do if we suspect a breach?"

And these are not inherently difficult questions to ask or answer. Businesses have been answering them for centuries. What is the best way to know if one of your cashiers is fudging with your tills? Limit your risk and keep detailed records. For cashiers, this could look like counting out a new till for each cashier as they come on shift, and keeping daily reports of what is in those tills when your cashiers leave. And that's a solution that has worked well for many profitable retail and service chains. Having enough data to see problems when they occur is vital.

A thief climbing out of a laptop, shining a small flashlight on two oversized credit cards.Don't let your business be the last step in ruining someone's life.

What is the best way to deal with it when you discover a cashier is stealing, either from your business, or the customers? Fire the cashier, and report their actions to law enforcement or customers as necessary. Close the vulnerability and disclose the problem as required.

It's really that simple. Any security policy for any application, electronic or otherwise, can be broken down into those four steps:

  1. Limit Risk
  2. Keep detailed records
  3. Close Vulnerabilities as they are discovered
  4. Disclose incidents as required

As a company intent on creating solutions for small businesses, Armor Techs has a few tools that can be used to solve these problems, and no shortage of advice we can give for problems that can't be addressed by those tools. For your website, we can offer 256-bit hub and spoke encryption, per user activity logging, daily file-change scans and notifications, shell prevention systems, secure weekly and monthly backups, brute force protection, and a dedicated and passionate staff. For your physical business, we offer ip security camera installation and DVR feed recording, secure data backups, and security systems. We're here to help you navigate your business through this turning point in consumer privacy, and to ensure your customers are comfortable giving their information, and business, to you for years to come.

In the end, it doesn't matter if you answer these questions yourself, or have a third party like Armor come in and answer them for you, but these are things that need to be addressed if your business is going to continue. It is an ethical imperative, a financial incentive, and an all around good idea, even if there is no immediate boon to your bottom line. But that's our opinion. Have you been watching these large scale security breaches with the same attention we have? What are your thoughts on how these change the way businesses should approach their customer data? Let us know below.