SMART OPERATIONS Peter Pelland Every so often a truly important news story breaks into the public con- sciousness. One of those recent stories involved the unfolding cybersecurity breach at Equifax, one of the three American companies that compile the personal information that determines your credit-worthiness, your ability to obtain a loan and the interest rate that you will pay for that privilege. Of course, a legitimate question could be asked regarding what gives Equifax, Transunion and Experian the right to gather hyper-sensitive per- sonal and financial information on every American citizen alive today. We have certainly come a long way from the idealized days of George Bailey and the fictional Bedford Falls Building and Loan in the movie, “It’s a Wonderful Life,” when financial decisions were local and finalized with a handshake. In our modern times, it would seem that the minimum responsibility on the part of credit-reporting agencies would be to maintain iron-clad secu- rity standards to prevent our personal information from falling into the hands of malevolent third parties. In the recent Equifax incident, the personal security information of 143 million Americans was compromised. According to the Federal Reserve Bank, there are only about 125 million households in the United States.With- out question, you were personally impacted. Essentially, the names, addresses, dates of birth, social security numbers and more, for virtually every adult citizen in the United States, were compromised. In addition, investiga- tions have disclosed that credit card numbers of 209,000 individuals were hacked, along with personal identifica- tion numbers (PINs) for another 182,000 consumers. This all occurred two years after a similar, but smaller, security breach oc- curred at Experian, compromising “only” 15 million Americans.What did the credit-reporting industry learn in that time? Apparently how to wait months before reporting the incident, while providing an opportunity for three top Equifax executives to unload $1.8 million worth of company stock — after the breach was discovered, but prior to its announcement. It also forced Equifax CEO Richard Smith to resign, albeit with a more than $90 mil- lion golden parachute, according to Fortune Magazine. The impacts of the Equifax security breach upon individuals have been well-documented, including advisories to subscribe to free credit-monitoring services, change all of your passwords to unique strings of characters that are more difficult to crack, pay to freeze reports on your credit (only unfreezing the reports in specific instances, such as when applying for a loan) and to join into one or more of the class action lawsuits against the company. As a small business owner, on the other hand, what measures should you take to ensure that you are safeguard- ing the information of your customers to the best of your ability? There is no question that international cybercrim- inals tend to pursue larger and more lucrative targets; however, every business that conducts business online — not necessarily through its website, but through any Internet-based trans- actional application — is vulnerable and bears a responsibility for protect- ing its customers. The Federal Trade Commission offers a series of five areas of recom- mendation for how businesses should handle their customers’ personal information. The Massive Equifax Security Breach — and Your Response The first is an assessment of how your company handles personal infor- mation that is gathered from a variety of sources, including credit reports, employment applications and cus- tomer-provided data. How is it deliv- ered to your business, how broadly is it accessed within your company, and how and where is it stored? A particular area of concern is the processing of credit cards. Above all else, cybercrim- inals are looking for credit card infor- mation, social security numbers and banking information. There is no rea- son for most businesses to maintain records of that information in any form. Stop gathering information that you do not need. With the exception of very specific matters including employee tax accounting, there is no reason to ever ask for anybody’s social security number. Do not maintain records of credit card numbers. Those should only be gathered through a secure point-of-sale terminal or via a secure online payment gateway where you do not actually see the number, its expiration date or the security code. Never ask people to provide that infor- mation via email and discourage the common practice of taking that information over the phone. Because “we’ve always done things this way” is no longer an excuse. Keep all physical and electronic records secure. Paper records and backup files should be stored in locked rooms or file cabinets, with limited employee access to a limited number of keys. Electronic files should be encrypted and password-protected. Individual computers should be pass- word-protected, put into password- protected sleep or screen saver mode when left unattended and shut down at the end of each business day. Scan the computers on your network for vulner- able open network services. For exam- ple, if a computer is not intended to be used for the sending or receipt of email, the ports for those services 10 - November 2017 Woodall’s Campground Management should be closed on that computer. Every computer should also be running real-time anti-malware and anti-virus software that includes scans of incoming email messages for mali- cious content that might be disguised as routine file attachments. Never allow an employee who is untrained in basic security precautions to access and open email messages. Educate employees, and yourself, on the importance of password security. Use a “password safe” application with a highly secure master password and lock out users after a limited number of incorrect login attempts on any computer and any online application. Laptops and mobile devices are partic- ularly vulnerable due to their portable nature.They should never be left where they would be even momentarily visible to thieves and their access to secure information should be carefully limited. Using unsecured Wi-Fi access at airports and other public places is also an extremely risky practice. Always maintain proper disposal practices. We have all heard the old adage about one man’s trash being another person’s treasure. That was never as true as it is today. Paper records and disposable electronic media containing sensitive data should never go into the trash. These need to be run through cross-cut shredders or incinerated. When disposing of old computers and storage devices, all data must first be removed with a data- wiping utility. Simply deleting files leaves them recoverable by a thief. Did you realize that your office copier or fax machine contains a hard drive that stores its data? That data probably includes copies of your tax returns — and that data also needs to be wiped prior to the disposal of any such device. Finally,maintain a response plan in the event of a security breach. If a computer is compromised, immedi- ately disconnect it from Internet access, remove it from your network and then shut it down. Bring in an expert to identify and correct the vulnerability and assess any threats to personal information. If there have been compromises, immediately notify your customers and anyone else who may have been impacted by the breach of security. Do not repeat the Equifax mistake of hiding disclosure for months. PeterPellandistheCEOofPelland Advertising, a company that he founded in 1980 and that has been serving the family camping industry for more than 30 years.His company specializes in building fully respon- sive websites,along with producing a full range of four-color process print advertising for clients from coast to coast.Learn more about PellandAd- vertising at WCM