From Nov. 27 through Dec. 15, 2013, approximately 40 million Target customers who used credit and debit cards to make purchases had their numbers stolen and then sold on the black market. Additionally, the company now reports that tens of millions more consumers may be affected as the heist also included names, mailing addresses, phone numbers, and email addresses..
As electronic security breaches go, this was of Epic Proportions. Just think of Target's potential losses: liability for possibly millions of dollars in damages; the cost to investigate and seal the breach, plus the likelihood that many upset customers will take their business elsewhere..
Target's misfortune should serve as a dramatic warning to take steps now for ensuring the security of your data. For small to midsize businesses, we recommend:
- All credit card transactions be outsourced to a reputable firm that provides auto-billing and related features ensuring compliance with PCI (payment card industry) standards.
- Never email or text credit card information (at best, read credit card numbers over the phone; otherwise, fax credit card authorization forms). That includes emailing spreadsheets and documents with credit card numbers contained within them.
- Avoid keeping customer and other sensitive information on file; that means keeping such info on your server, on your computer's desktop, in a spreadsheet or in a document is a NO NO! Credit card data should only be saved in an outsourced provider's secure database-one that meets PCI standards. Require that your employees sign an Acceptable Use Policy, which sets your company's policy regarding how your computer system may be accessed and used. (SynchroNet can assist you with designing and customizing an Acceptable Use Policy for your organization.)
If you're a healthcare provider, your Electronic Health Record - EMR / EHR will have its own built in security features, but who can access the system might still present a security issue. User lists contained inside of your application need to be carefully managed and reviewed on an ongoing basis by the practice administrator or one of the MDs. While we can't manage your EHR user lists, we can provide information, direction or assistance in securing such services. (Remember, SynchroNet is a qualified Business Associate of our healthcare clients, so we are under the same HIPAA compliance obligations as any medical service provider.)
We've got your back. As a SynchroNet client, know that we're already working hard to protect you via firewalls, security patches, network access lists, etc. But none of us can afford to relax. Talk with us and let us review your security groups & policies at least once a year. Your system integrity is our top priority, and on-going evaluation of your access user list and security is included in The SynchroNet Way.
Meanwhile, if you have questions or concerns, please contact us. We're happy to discuss your security policies anytime... and the more often the better!