How To Prevent Data Breaches
The recent catastrophic data breach at Target has highlighted to businesses large and small the very real problem of cyber-attack on modern commerce. To further add to Target’s woes, their breach notifications to customers were a perfect example of what not to do and were wrong on pretty much every level.
Users are forever being warned not to click links in email messages which appear to be from large financial institutions and the like. These are often phishing scams and in the wake of a really monumental data breach they will often appear in droves. Many actually look legitimate and very convincing but security experts insist that a reputable company would not send out such emails to its clients with a request to click on a link. Unfortunately, Target did exactly that.
Their email actually went out to people who were not even Target customers, making it look even more dubious. Suspicions were further aroused by the use of a shady-looking subdomain, “target.bfi0.com”, and by requests for users to click on a link that appeared to be a string of random gibberish. Furthermore, the email address used to send out the mailshot looked suspicious in the extreme. In short, this perfectly genuine breach notification email sent out by Target could easily be mistaken for a well-executed phishing attack. Consequently, Target is now struggling to rebuild not only its customers’ trust but also its own credibility.
Learn from Target’s catastrophic error of judgment and don’t make the same mistake if your company is ever in the unfortunate position of having to notify customers of a security breach. Your notification email should originate from a domain that is instantly recognisable as your company. For example, my Web domain is “theladywriter.co.uk”, so my notification email would be sent from “firstname.lastname@example.org”.
The notification should state clearly what has occurred and offer a simple explanation as to what information has been compromised. You should advise customers as to what they should do to determine whether or not they have been affected and how to protect their personal data. By all means offer a telephone number for customers to call for reassurance and further information, but under no circumstances include a link that customers are expected to click on.
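As an added example (not part of the original post), the following Python script turns the guidance above into a pre-send check for a draft notification: the sender must be on the company’s own domain (a lookalike such as “target.bfi0.com” is rejected for “target.com”), the body must contain no links to click, and a telephone contact should be offered. The two draft messages and the organisation domains are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches http(s) links and bare www. hosts in a text body.
URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.IGNORECASE)
PHONE_RE = re.compile(r"\b(call|phone|telephone)\b", re.IGNORECASE)


def is_own_domain(sender_domain, org_domain):
    """True only if sender_domain is org_domain itself or a real subdomain of it.
    'target.bfi0.com' merely starts with 'target' and is NOT under 'target.com'."""
    sender_domain, org_domain = sender_domain.lower(), org_domain.lower()
    return sender_domain == org_domain or sender_domain.endswith("." + org_domain)


def plain_text_body(msg):
    """Collect the text/plain content of a single- or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def check_notification(raw_message, org_domain):
    """Return a list of findings; an empty list means the draft passes."""
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_own_domain(sender_domain, org_domain):
        findings.append(f"sender domain '{sender_domain}' is not '{org_domain}' or a subdomain of it")
    body = plain_text_body(msg)
    links = URL_RE.findall(body)
    if links:
        findings.append(f"body contains {len(links)} link(s) customers would be asked to click")
    if not PHONE_RE.search(body):
        findings.append("no telephone contact offered")
    return findings


# Constructed draft modelled on the problems described above (not Target's actual text).
BAD_DRAFT = """From: Target <TargetNews@target.bfi0.com>
To: customer@example.net
Subject: Important notice regarding your account

Unauthorised access to payment card data has occurred.
Please click http://target.bfi0.com/x/a8f7d2k3j1 to learn more.
"""

# Constructed draft that follows the guidance: own domain, no link, phone number.
GOOD_DRAFT = """From: Customer Care <breach-notice@example.org>
To: customer@example.net
Subject: Security incident affecting customer records

Attackers accessed the names and e-mail addresses of some customers. Card
numbers were not affected. Please call us on 0800 000 0000 for information.
"""
```

Running `check_notification(BAD_DRAFT, "target.com")` reports all three problems, while the second draft checked against `"example.org"` returns no findings.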
Data breaches unfortunately do happen despite the best efforts of companies to avoid cyber-terrorism and hacking. When they do occur, though, it’s vital that businesses respond appropriately and correctly, unlike Target, who unwittingly made a bad situation ten times worse.