“Best practices” are intended to be a good thing — the gold standard we should all strive for. But they can be a source of frustration for smaller businesses and their marketing teams. Reading about your industry’s best practices can be a lot like having someone tell you that you should spend the summer touring Europe when you’d be happy if you can get your family to the nearest beach for a long weekend.
One reason for that frustration is that a lot of people see best practices from an “all or nothing” framework. They decide that, since they can’t afford the whole nine yards, they just won’t worry about it. But that’s a short-term view, especially when it comes to something like your company’s online integrity. That integrity faces a number of challenges, ranging from data breaches and regulatory requirements to customer demands and branding consistency across channels.
“Digital integrity” might not make you sit on the edge of your seat with excitement. Nor will “digital policy” make it into the top three spots of dinner conversation topics. But both should be on your radar screen now because it is easier to put a bit of work into it today than to try to figure things out in panic mode after there’s been a breach. So here are some things that you should consider.
What is digital integrity?
“Digital integrity” refers to the ways in which you manage your company’s digital presence: what it is, where you keep it, who can access and manage it, etc.
Why is digital integrity so important?
Your online presence is the face you present to the world. The information needs to be accurate. The branding needs to be consistent. It needs to be in line with your business strategies. And it needs to protect the customers who place their trust in you. That’s especially true when it comes to data breaches.
Having digital integrity in the context of data breach means that you are protecting your prospect and customer data from a number of bad actors trying to steal it. In 2015 alone, almost 160 million records containing sensitive information were compromised. And if you think you’re too small to be a target, you’re wrong. Small businesses are the target of 43% of all cyber attacks. Most criminals understand that small businesses don’t have the resources to enact security on the same level as a large enterprise. Unprepared businesses are the proverbial low-hanging fruit.
There’s another statistic about small businesses that’s even scarier: 60% of small businesses that suffer a breach shut the doors within six months. Small businesses just don’t have the liquidity to absorb the overwhelming costs associated with mitigating a data breach.
Whose job is it?
While enterprises may have entire departments dedicated to their data security, in small organizations the responsibility tends to fall on the person who first realizes the enormity of the risks and is motivated enough to take action. Eventually, however, a thorough digital policy will need to include marketing, information technology, loss prevention, human resources, and sales, with one individual having the official responsibility for getting the policy written and implemented. Your organization can develop its policy without outside support, but only if you have the expertise in house.
So is there an “essentials” version of the best practices?
Obviously, the more thorough your policies are, the safer you, your partners, and your customers will be. But you have to start somewhere. If you’ve been taking your chances and hoping for the best, the first thing you need to do is examine your risks in detail. To continue with our data breach example, here are some things you should consider:
Do you accept online payments and/or in-store credit card purchases?
There are strict standards for how payment information is procured, processed, and stored. These standards are a collaborative effort between credit card brands and the PCI-DSS (Payment Card Industry Data Security Standards) Council. The Council has some great resources specifically designed for small businesses.
Where do you operate?
While the PCI Council sets global standards, standards aren’t the same as laws. Laws vary from state to state. And when you operate across national borders, that adds several additional layers of complexity. You could be compliant with one nation’s laws while being in violation of the laws of several other countries.
And that’s just for processing payments. Each country also has its own laws for things like accessibility, ownership, encryption, notification, cookies, etc. Professional legal advice may be necessary to help you navigate these treacherous waters.
How secure are you today?
Knowing where you are today gives you the baseline for what still needs to be done. That includes asking questions like:
- What security protocols are in place to prevent data breaches?
- How many attacks have those protocols prevented? What kind of attacks were they?
- How are breaches detected?
- How are they stopped, and how long does it typically take?
What will you do if when there’s a breach?
The severity and damage can vary, but some kind of breach is inevitable. When that happens, you won’t have time to figure out what to do. You need an action plan that can be implemented immediately, covering everything from how you stop an attack to how you notify customers whose information may have been compromised.
A digital policy that winds up as a random PDF file on your intranet or shared drive doesn’t accomplish anything. A true digital policy is actionable and sustainable. That means asking yourself questions like:
- Which jobs or job functions are affected by this policy?
- What changes need to be made so that the people in those jobs can apply the policies in their day-to-day business processes?
- How will you communicate the new policies, and where will they be kept?
- Who will monitor compliance, and how will that be done?
- How will you maintain the policy’s relevance by staying in touch with new laws, trends, breaches, etc.?
It also means taking the answers to these questions and making them actionable for the organization by educating and mentoring those who must adopt the policies.
Let me emphasize that I’m not describing an ideal approach to digital integrity. On the contrary, what I’ve described is a very basic, nuts-and-bolts approach, because data breaches are just a single example among a long list of online issues that you ought to consider. However, you have to start somewhere. These are some of the most critical issues that every business, no matter how small, needs to think about. Hopefully, this will be a resource to help you get started in your planning for a data breach.