Consumers and clients are paying more and more attention to companies that are on the forefront of ethical business practices. Increasingly, customers are only willing to give their money to organizations that believe in doing the right thing. If you want to succeed in business, you need to be a company that cares about doing what is right.
Being a decent trusted information custodian pays off in business, serving to support the obligation you have to protect the customers who are keeping you in business.
Protecting Your Customers’ Data Is Basic Decency
Your customers do business with you under the assumption that your organization is being an appropriate steward of their information. They entrust their sensitive data to you every day, expecting you to protect it and to do all the things you should be doing in terms of security and compliance.
That’s why, when a company reports that they’ve been breached, you see a mass exodus of customers. Target lost nearly half their profits in a single quarter after a very public data breach. A guiding assumption was blatantly violated and the company proved itself to be untrustworthy. To customers, it feels like a betrayal. A vendor took their customers for granted and treated them as nothing more than a commodity.
If your company whitewashes its security responsibilities, it’s a pure act of self-interest. But the irony is that it would have been in your company’s self-interest to take security seriously. Making your customers your top priority takes care of your company as well as them. Ultimately, protecting your customers’ data is protecting yourself.
If your organization deals with any kind of customer data — whether it’s names and addresses, medical information, credit card data, or intellectual property — you have an obligation to protect the people who are entrusting their data to you.
It’s simply basic business decency.
How to Get Started
Need to do a better job protecting customer data? Here’s how to get your security and compliance profile in top shape.
Don’t rely on cyber liability insurance
Cyber insurance won’t protect your company. Insurance can’t prevent disaster or protect your data. It can’t ensure that bad things won’t happen to you. And insurance can’t protect your reputation. It can only help reimburse you for financial losses, after the fact.
It also won’t cover your customers. If you get breached, they feel the pain, because it’s their data that’s been compromised and they don’t get any financial reimbursement for it.
Cyber liability insurance is your emergency parachute for when something unforeseen goes horribly awry. It’s your backup plan. Your primary shield of defense is having a good, solid, proactive security program.
Get serious about security
Some organizations do the bare minimum to protect their customers’ sensitive information. Don’t be that company. Do your due diligence and get your hands dirty. Really dig into the trenches. Look under every rock. Deal with everything that’s been swept under the rug and hidden in the closet.
Know the certifications you need
Figure out which standards you are required to comply with, and which others it would be wise to comply with. There may be multiple certifications. Get started on the most prescriptive certification on your list. This is especially important if you’re pursuing multiple certifications: starting with the right standard makes it much easier to add secondary ones, saving time and headaches.
Some certifications, like HIPAA, are more directional in nature as they are geared to serve organizations ranging from a single medical practitioner all the way up to a health system. Others, like PCI, are extremely prescriptive and detailed about what you need to do. If you start with a prescriptive standard, it will be a lot easier to map to more directional standards than the other way around.
For example, PCI’s firewall requirements are very detailed. Get those right, and you won’t have to worry about meeting HIPAA’s more flexible requirements. But if you start with HIPAA, you may find that you haven’t met PCI’s standard. You’ll have to completely redo the firewall requirements all over again.
Lean on a compliance consultant
If you’re getting serious about compliance for the first time, you will likely feel lost and overwhelmed. There’s so much to do, and it isn’t clear where to start or what the road ahead looks like. Where are the pitfalls, the storms, and the rough terrain? What equipment do you need, and who needs to be on this journey with you?
Many organizations depend on a compliance consultant to lead them through the certification journey. A consultant acts as a kind of trail guide for your compliance engagement. Like a sherpa, compliance consultants know the terrain like the back of their hand, and they can guide you safely to your destination. They combine expertise with advocacy to prepare you to confidently enter your annual audit — and come out of it unscathed.
Most importantly, the compliance consultant is part of your team, and someone you can trust to have open discussions with about your present security/compliance state.
Total Compliance Tracking has decades of combined experience walking alongside clients to provide compliance consulting services. We’ve seen security and compliance from every angle—as a company that’s applying to be certified, as a consultant, sitting alongside auditors assessing compliance, and doing quality assurance for a large international auditing firm.