How Can You Protect Against Future Epsilon-Like Breaches?

Written by Renee Chronister, CEO

Everywhere you turn you hear of more victims affected by the Epsilon breach. Best Buy, Target, 1-800-FLOWERS and the list continues to grow. While Epsilon claims only names and email addresses were accessed, not financial information or anything profoundly compromising, you can still be victimized with the data that was leaked.

How? Well, names and email addresses offer hackers a nucleus from which to launch targeted phishing attacks. Those with malicious intent now have names and active email addresses to create a clever phishing attack: copy a legitimate U.S. Bank email, send it to a U.S. Bank customer addressed by name, and include a request for account information. And guaranteed, some will be fooled and hand their sensitive data over to hackers.

So how can you protect even the simplest of information? Well, when people ask me about security I have one answer: SECURITY. Let me break it down for you. When it comes to SECURITY: U R IT.

By taking the bull by the horns, you can mitigate risk on your end, understanding that after a certain point it truly is out of your hands. However, you can make an impact on the security of your data by conducting due diligence when it comes to your email marketing firm, insurance provider or other vendor with whom you do business. Here’s how:

Research: You can do this in a number of ways, but let’s start with what’s at your fingertips: Google. Find as much info (good and bad) about the vendor as you can to help you make an educated decision. In this case, did you even know you were doing business with Epsilon? Apparently, Epsilon has a parent company, Allied Data Systems, which many people were under the impression they were doing business with. Look at the vendor’s past track record. Have they been the victim of a security breach before, or been careless with customer data? If so, how did they respond?

Check Company Website: Look for press releases and statements made regarding “mishaps.” Epsilon’s parent company, Allied Data Systems, has a statement on its website regarding the recent data breach, and it lends insight into how they are handling it as well. This tidbit can be just as important as the breach itself.

Complaints, Judgments and Docket Reports: These are other means by which you can identify security breaches. They also spell out what is expected of the vendor going forward.

Third-Party Vendors: Do they use a third party to protect their data? If so, what due diligence did they perform on that vendor? Who is the vendor? What are the policies and procedures for handling, transmitting and storing such data? You have a right to know. What kinds of security policies does this vendor have in place, and what does that mean for your information? And are there any “dings” against the third-party vendor regarding information security?

Security Policies: What are your vendor’s internal and external security policies and procedures? Do they have any? If so, what are they? If not, why not? How often are these updated? (This applies to third-party vendors as well.)

Employees: What about those handling your info? Are background checks conducted on employees? How about credit checks and drug testing? What are your vendor’s internal controls with regard to employees accessing your data, and so forth? This too applies to third parties.

Compliance Record: While compliance does not equal security (did you catch that?), it does at least reflect baseline security measures to protect your information. Find out which industry and federal compliance requirements your vendor is required to meet and inquire about their compliance track record. Ask if they do more in terms of security than just meet the minimum requirements. (Again, this can pertain to third parties.)

Ask Around: Talk to people about the email marketing firms, insurance providers or other vendors you are considering doing business with. Word of mouth is one of the fastest ways to get answers, opinions and facts. Don’t be shy; ask.

So, while we can’t control every aspect of our information’s security, we can mitigate the risk with the things that are within our control as mentioned above. You just may sleep better at night knowing you did what you could. As for vendors, we can only hope they start to follow your lead with SECURITY: U R IT.