Breaches are unavoidable, but a quick, transparent response can save trust


More than 13 billion data records have been lost, exposed or stolen since 2013, according to the Breach Level Index. So, it's not a matter of if a breach will occur, but when.

No company is immune to cyberattacks, but how a company responds will make the difference in strengthening or losing the trust of customers and employees. Businesses need to prove they have taken all possible actions to inform and mitigate the damage during an event.

Nordstrom, a large retailer that recently suffered a breach exposing a variety of personal information, including employee Social Security numbers, dates of birth and checking account numbers, showed how a fast reaction can help mitigate the negative effects. After the data was exposed by a third party and the retailer was informed, Co-President Blake Nordstrom let employees know right away. Nordstrom’s timely response to this incident is an example of how companies can provide transparency and protect the brand after a breach.
How a company handles a breach, including how fast it informs consumers and employees, will make the difference between securing brand reputation or getting the cold shoulder from consumers. The Ping Identity 2018 Consumer Survey revealed that users would stop engaging with a brand after a breach. A cyber event can also push consumers to go to a retailer’s competitors, which, during the holidays, could prove disastrous.

In preparation for the inevitable, online companies can devalue personal information so that, if a breach does occur, the data obtained by cyberattackers is not enough to take over an account. Companies should reconsider what data they really need from customers and collect only the minimum required for a purchase. Social Security numbers, for example, are often not a necessity.

The next step is securing all the stored data and restricting access to only those who need it. Encrypting all data — even data at rest or inactive information — could go a long way toward limiting what criminals can actually walk away with. Not storing personal or PCI data at all is another way to reduce risk.

Limiting the amount of data requested and collected can seem confining when identifying returning customers and providing faster service. However, a mix of behavioral biometrics technologies identifies customers online by how they behave, without requiring additional personally identifiable information (PII), and helps build a lasting relationship. With these cutting-edge technologies, companies can virtually greet customers like old friends and provide a seamless shopping experience.

With passive biometrics and behavioral analytics, retailers are devaluing the PII that cybercriminals would otherwise use to commit account takeover attacks, application fraud or other types of scams. Once static data like credentials, passwords and credit card numbers are found to be useless without the behavioral piece, cybercriminals don’t have the monetary incentive to steal credentials in the first place.

Passive biometrics monitors different types of patterns, such as the speed with which users type, which fingers they use, how they hold their device and how fast they go from page to page within the environment, along with hundreds of other identifiers. Companies using these tools can cross-reference the behaviors with known user data, allowing them to accurately determine whether a user is legitimate or not. It is a key protector in the fight against fraud, as cybercriminals cannot imitate these distinct behaviors that are inherently unique to each individual.

When passive biometrics is combined with other security layers such as behavioral analytics and device intelligence, the combination creates an accurate and anonymized profile of the user, building trust between customers and businesses as well as between employers and employees. This invisible handshake also opens the door to better services for loyal customers.
