Cybersecurity Awareness: What Your Customers Expect
The number of cyber-attacks and data breaches is rising, yet more than half of all companies in the U.S. don’t have a cybersecurity risk plan in place (source: IBM). That’s why for Cybersecurity Awareness month, we’re tackling one of the most important topics on the subject: keeping your customers’ data safe.
What kind of customer data makes you vulnerable to cyber-attacks?
Every company that uses or stores customer data is vulnerable to a cyber-attack. That said, some industries are even more susceptible because they store highly sensitive customer data, including:
- Personally identifiable information (PII) (according to IBM research, 44% of data breaches include PII)
- Payment information
- Financial information
- Health information
- Trade secrets
In addition, companies in every industry store proprietary customer information that makes them vulnerable. For example, say you’re a small financial planning practice and your client list is stolen in a breach. Not only would this give your competitors insight into your customer base, but it would also make you a target for malicious actors who could use that information to build a phishing or spear-phishing campaign against your clients.
One trend that has become the norm is extortion, where cybercriminals steal your customers’ data and threaten to release it publicly if you don’t pay a ransom.
Is securing customer data primarily an issue for bigger companies?
According to a study by Positive Technologies, cybercriminals can penetrate 93% of company networks, making companies of every size a potential target.
At SUCCESS, we’ve worked with customers and prospects that span the continuum – from mid-sized companies to small businesses with just a handful of employees. They’ve all faced cybersecurity challenges – with small businesses particularly vulnerable (and the target of 43% of cyberattacks, according to Accenture).
What obligations do companies have to protect their customers’ data against cyber-attacks?
When customers give you their data in exchange for a product or service, they expect you to protect it. To hold companies to a standard, there is a range of compliance regulations that vary by industry. By now, most of us are familiar with the major data compliance regulations, such as HIPAA for health information, the Sarbanes-Oxley Act for the financial sector, and PCI DSS for the payment card industry. But new compliance regulations and best practices are emerging all the time.
For example, we’re currently working with manufacturing companies in the Defense Industrial Base segment. Because they have government contracts, they’re bound by the new compliance requirements from the Cybersecurity and Infrastructure Security Agency (CISA). These requirements are more prescriptive about the consumer data protection steps companies must take, including disclosing a breach within 72 hours.
Another trend we’re seeing is third-party companies being asked to meet certain customer data standards. For example, a construction company might require its vendor partners, like architects and engineers, and trade partners, like HVAC and electrical contractors, to meet specific cybersecurity standards before joining the project. In other words, they’re holding anyone working on the job site to a data security standard. This approach provides your customers with another layer of protection.
What steps should you take to protect your customers’ data?
Cybersecurity is a complex, layered challenge for many small- to mid-sized companies. Here are three solid strategies to get you thinking more critically about your risks, your customer data, and your plans to protect it.
One of the first steps we recommend is to take a comprehensive inventory of your company’s data. What do you store? How is it used? Who has access to it? How does it flow across programs and applications? Choosing a solution is easier and more effective when you understand what data you’re working with. This works best as a companywide effort, so get a cross-functional team involved and update your findings regularly.
Building on your data inventory, a tabletop exercise helps you identify what data you use and store, how your company would operate if that information were compromised or unavailable, how you plan to protect the data, and the steps you’d need to follow to recover lost data.
Because there are multiple layers to cybersecurity, it’s essential to follow a security framework to guide your efforts and prioritize your actions. The framework we recommend is the CIS Controls, developed by the Center for Internet Security. It’s a set of safeguards for mitigating the most prevalent cyber-attacks. The CIS Controls also map directly to other legal, regulatory, and policy frameworks such as HIPAA and PCI DSS. CIS updates the framework regularly to prepare you for new threats.
Award-winning cybersecurity services for Minnesota companies
For 30 years, SUCCESS Computer Consulting has provided managed security services to mid-sized companies based in Minnesota. We’re known for helping companies contain their risk with award-winning cybersecurity guidance.
Learn more about how we can help you protect your customers’ data. Contact us today.