By John MacKenna
Energy marketers need to store and move a lot of data in electronic formats to meet today’s customer service expectations and operate their businesses efficiently.
An ever-increasing share of customers are choosing to pay their bills online by credit card. Company websites enable customers to check their account information and execute contracts for budget plans and price protection online. And back office software is making customer data readily available to employees.
The sophisticated use of websites and online applications improves customer service and drives down administration costs, but it also creates risks that companies need to manage. Energy marketers can fall prey to malicious acts by hackers, infiltrators or even disgruntled employees.
When data is stolen, businesses can sustain costly losses or even find themselves unable to stay in business, according to Marci Gagnon, Vice President of Business Development and Operations at Avatas Payment Solutions, in Boston. In a recent interview with Oil & Energy, she cited some alarming statistics about data theft.
• 20 percent of small businesses per year are victimized by cyber crime.
• 81 percent of credit card fraud occurs in businesses with 50 or fewer employees.
• 40 percent of reported breaches are perpetrated by employees.
• Six months after a breach, 60 percent of small-to-medium businesses have failed.
• 68 percent of small-to-medium businesses recover no losses after a breach.
• Two out of three consumers hold merchants responsible for data breaches.
Companies can achieve safe and secure operations in today’s online world by adhering to procedures and policies that protect data and eliminate opportunities for hacking and theft. Gagnon says that managers can think of protecting their data the same way they think about locking their homes before going to bed. “Treat your business like a house, and make sure entry points are locked,” she said. Think of the website as the front door; the business operating software as the back door; customer documentation as the side door; and internal IT and procedures as the windows.
The Front Door: Securing the Website
The company website is a target for hackers because it is publicly available, customers use it to send data, and it can be a point of entry to your back office software.
One essential technique for keeping customer data safe is using the Secure Sockets Layer (SSL) protocol to establish an encrypted link between the customer’s browser and the website. “SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely,” according to the website DigiCert.com. “Normally, data sent between browsers and web servers is sent in plain text – leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.”
Companies should also maintain their websites on different networks from their internal business networks to keep vital customer data from being exposed. “Keep your public and business networks disconnected,” Gagnon advised. “If your data is out there on public sites, it is much more enticing and tempting for a hacker.”
Companies should also conduct periodic PCI scans of their websites to identify holes that could give hackers access to business data. “We offer a PCI toolkit that helps scan your website,” she added.
The Back Door: Using Secure Business Software
Companies should be selective when choosing their business software. Ask the provider about security and what steps they have taken to harden their products against attack. “Scrutinize your provider, and ask questions. A reputable provider will always be happy to answer your questions, “ Gagnon said. “They understand the importance of security, and they like it when customers ask, because it gives them a chance to explain the steps they have taken.”
Gagnon suggests asking questions like the following.
• Who owns the company?
• What is its background?
• Does the company have any history of data breaches?
• Can the company provide references from within the industry?
• Is its solution, including the payment module, PCI Level 1 certified?
• Is the physical equipment that they provide secure?
• What breach prevention measures are used?
• How is data stored? In what physical locations?
• Does the software use a hosted payments page? With a hosted payments page, credit card data is stored securely with a payment processor like Avatas, and the company website is handling only electronic “tokens” that are useless to a hacker.
The Side Door: Use Sound Data Management Practices
Companies need to manage their customer data with care throughout collection, processing and storage, according to Gagnon. That means storing it and disposing of it with care to avoid creating opportunities for hackers, thieves or even disgruntled employees. “Never write down credit card numbers. Never leave important data on your desk,” Gagnon said. “If it is left on the desk and a cleaning person or outside person comes by, that is a potential breach that a credit card company cannot protect you from.”
Here are some of steps that she recommends.
• Store data electronically and not in printed documents that are overly accessible.
• Collect customer data online and via Interactive Voice Response (IVR) over the telephone.
• Limit employee access to customer data and make it available to employees on a need-to-know basis.
• Maintain strong protocols for storing data and disposing of it.
• Store data in a physically secured location with restricted access.
• Run background checks and credit checks on employees.
The Windows: Use Effective Internal IT and Processes
Companies must attend to their security basics to prevent vulnerabilities inside their walls and on mobile devices, according to Gagnon. Every software user and every unsecured computer in the company can create a data theft opportunity by using passwords that are easy to crack – or that are even written down in their desks – or by inadvertently introducing malware to the computer network. To keep the data and network safe, Gagnon offers this advice.
• Require individual user IDs and passwords to restrict access, provide tracking and enable an administrator to shut down an account after an employee leaves the business. (“If something happens, you’ll know who it was that did it,” Gagnon noted.)
• Require strong passwords.
• Keep anti-virus software up to date and use it.
• Don’t keep sensitive information on computers, which can be stolen and accessed later by criminals.
• Use firewalls to protect servers.
“We want companies to protect their data and stay in business,” Gagnon said.