What you can learn from Westpac’s PayID crisis
With the recent Westpac PayID incident, in which around 100,000 customers’ details were exposed, hacking is once again in the limelight.
As an e-tailer, you might be feeling relieved that it didn’t happen to you, even proud of your own data security. Before you get too comfortable, remember that pride tends to go before a fall.
No one (not even the likes of Westpac, LinkedIn or Facebook) can control whether their business will be targeted by hackers, but you can certainly do better than relying on luck or pride to avoid massive fallout if the worst happens.
So where do you start?
For something so complex, the first step of crisis planning is surprisingly basic: brainstorming.
Think of everything that could potentially go wrong. Think big, broad and deep. You aren’t just considering what happens if your own site is compromised; you also have to think about what happens if one of your suppliers, or one of your payment processing partners (credit card companies, PayPal, etc.), has a breach. Even an incident at an entirely unrelated e-tail store can dent your customers’ confidence in your whole industry and hit your sales.
Consider paying a professional to try to break into your systems and sites (a penetration test). It will cost some money, but it’s the most direct way to find out where you’re actually vulnerable before someone less friendly does.
Once you’ve identified the possible threats, it’s time to get proactive. Some basics:
Make sure your site is backed up, and then backed up again. Your host probably does it (best check), but keep your own copy from a second, independent source as well. AND test your (or your IT contractor’s) ability to restore the site from scratch; a backup you have never restored is only a hope.
Make sure your site and web hosting provider passwords are different from each other, long, and randomly generated rather than memorable. The same goes for any other third-party app you use, especially anything handling online payments or customer data. A password manager such as LastPass keeps those passwords safe and to hand each time you log in, and where a service offers two-factor authentication, turn it on so a stolen password alone isn’t enough to get in.
Keep your site’s software, apps and plugins up to date. Yes, it’s a chore keeping your themes, platform (WordPress, Joomla, Wix, etc.) and every plugin current; they seem to need attention every other day and it’s easy to let them slide. Don’t. Attackers use automated scanners to find sites running plugin versions with known holes, and if they can’t brute-force their way in the front door, an out-of-date plugin is the side door they’ll use instead.
Have someone check your office and home wifi security. An unsecured or weakly secured wifi network is one of the easiest ways in, and one that very few people think about.
Keep offsite (or cloud) backups of your data and test regularly that they can be restored. If someone gets into your site or your computer network, they may already have access to some of your personal accounts, and possibly to the computer or drive where your backup is stored, so a backup kept next to the live system can be wiped or encrypted along with it. Keep at least one backup at a physically separate location or on an independently managed cloud service, so your primary point of contact with your customers can’t be permanently destroyed.
Make sure your team understands both how to prevent issues in the first place and what the crisis protocol is, regardless of the size of your team. Tell them what to look out for in terms of threats and inconsistencies and regularly update them on changes to the landscape. If you don’t have an IT staffer or a good IT contractor, have at least one person spend a bit of time each week reading up on new threats or scams that could affect you or your customers.
Get in contact with your partners and ask about their security. If you aren’t happy with what you hear and they don’t want to change anything, you might have to consider changing or ending the relationship. Better to deal with the annoyance of reorganising your supplier than the total collapse of your business and systems because of someone else’s poor security.
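The backup advice above boils down to three checks: take the copy, put a second copy somewhere else, and prove it restores. The script below is an added example (not from the original article or from any hosting provider) showing one way to do all three on a small site directory: it tars the site, records a SHA-256 checksum, copies the archive and checksum to an "offsite" location, then restores into a fresh temporary directory and compares every file's checksum against the live copy. It assumes GNU coreutils (tar, sha256sum, find, xargs) and a POSIX shell; the site contents are constructed placeholders so it runs offline.

```shell
#!/bin/sh
# Added example: back up a site directory, keep a second copy "offsite",
# and prove the backup restores by comparing file checksums.
# All paths below are constructed in scratch directories for the demo.
set -eu

# make_backup SRC_DIR DEST_FILE
# Create a gzipped tar of SRC_DIR and write DEST_FILE.sha256 beside it.
make_backup() {
  src="$1"; dest="$2"
  tar -C "$src" -czf "$dest" .
  ( cd "$(dirname "$dest")" && \
    sha256sum "$(basename "$dest")" > "$(basename "$dest").sha256" )
}

# copy_offsite BACKUP_FILE OFFSITE_DIR
# Copy archive plus checksum to a second location and verify the copy
# (in real use OFFSITE_DIR would be a different machine or cloud bucket).
copy_offsite() {
  mkdir -p "$2"
  cp "$1" "$1.sha256" "$2/"
  ( cd "$2" && sha256sum -c --quiet "$(basename "$1").sha256" )
}

# verify_restore BACKUP_FILE ORIGINAL_DIR
# Restore into a fresh temp dir and compare every file's checksum with
# the live copy. Prints "ok" when identical, "MISMATCH" otherwise.
verify_restore() {
  backup="$1"; orig="$2"
  restore="$(mktemp -d)"
  tar -C "$restore" -xzf "$backup"
  expected="$(cd "$orig" && find . -type f | LC_ALL=C sort | xargs sha256sum)"
  actual="$(cd "$restore" && find . -type f | LC_ALL=C sort | xargs sha256sum)"
  rm -rf "$restore"
  if [ -n "$actual" ] && [ "$expected" = "$actual" ]; then
    echo ok
  else
    echo MISMATCH
  fi
}

# build_site DIR: constructed placeholder site content for the demo.
build_site() {
  mkdir -p "$1/wp-content/uploads"
  echo "<?php // constructed placeholder index" > "$1/index.php"
  echo "order_id,total" > "$1/wp-content/uploads/orders.csv"
}

# demo: full cycle on unchanged data; expected result "ok".
demo() {
  work="$(mktemp -d)"; site="$work/site"
  build_site "$site"
  make_backup "$site" "$work/site.tgz"
  copy_offsite "$work/site.tgz" "$work/offsite"
  result="$(verify_restore "$work/offsite/site.tgz" "$site")"
  rm -rf "$work"
  echo "$result"
}

# demo_stale: the site changes after the backup was taken, so the restore
# no longer matches the live copy; expected result "MISMATCH". This is the
# case a restore test catches that a mere "backup succeeded" log does not.
demo_stale() {
  work="$(mktemp -d)"; site="$work/site"
  build_site "$site"
  make_backup "$site" "$work/site.tgz"
  copy_offsite "$work/site.tgz" "$work/offsite"
  echo "1001,49.95" >> "$site/wp-content/uploads/orders.csv"
  result="$(verify_restore "$work/offsite/site.tgz" "$site")"
  rm -rf "$work"
  echo "$result"
}
```

Run it with `demo` and `demo_stale` after sourcing the file: the first prints `ok`, the second prints `MISMATCH`, which is the whole point of restoring into a scratch directory rather than trusting the archive exists. On a real site, schedule the backup daily and the restore test at least weekly, and keep the offsite copy under credentials that the web server itself cannot use.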
And if something does happen…?
Be prepared. As we said before, you can’t control whether or not you are targeted, but you can minimise the damage. Have messaging ready to go and get in contact with your customers as soon as possible; tell them what has happened and what you are doing to fix it. Don’t leave them in the dark. They will inevitably find out, and if they find out from someone else their trust in you will be irrevocably broken. You might also face liability issues. Plus don’t forget that under the Notifiable Data Breaches scheme, if your business turns over more than $3M a year and you suffer a breach of customer data that is likely to result in serious harm, you’re required to notify the OAIC and the affected individuals.
Contact the bodies that monitor cyber threats (the ACIC, Scamwatch, the Australian Federal Police) and let them know what happened so they can help prevent it happening to someone else. Reporting shows strength and level-headedness to your clients, positions you as an advocate for better cybersecurity in your industry, and generates some goodwill in the wake of what could have been a total catastrophe.
If you’d like to work with a 3PL partner who takes your and your customers’ security seriously, we’d be delighted to have a chat. You can call us on 02 6023 1700 or drop us a note via the form below.