6 Steps to Protect Against a Data Breach
2014 wasn't a great year for retailers … at least, not if you were one of the many retailers that were hacked. Many retailers found themselves unprepared to deal with the aftermath of a hack, and likely could have done more in advance to protect customer data. As we move through 2015, every retailer should evaluate its cybersecurity strategy to avoid becoming another statistic. Below are six tips on how to mitigate the risk of a data breach so you can responsibly protect your company and its customers:
1. Implement two-factor authentication systems where possible. Two-factor authentication puts another barrier between your data and a hacker. It requires that a person have both the login information (username and password) and additional proof, such as a generated code, a fingerprint or confirmation of a security notification. Even if a password is compromised, another step is required before someone can gain access to a system. Dozens of web services and many internal systems now support two-factor authentication, and it is a critical control for halting an attack once a password has been stolen.
2. Change all passwords to randomized, stronger ones you don't know. All too often, attackers gain access to a system easily because a default password was left in place after installation or because a password is reused across multiple apps. Ensure that every system and service has a strong, unique password, and that passwords are changed regularly, including when employees leave. You never want to know passwords: if you or your employees know them, they can be phished out of you. Consider implementing a password management system with single sign-on to help everyone comply with the company's security efforts.
3. Employ a hashing mechanism to better protect stored customer passwords. Rather than "storing" passwords in any form, retailers should modify systems to use a "hashing" algorithm to authenticate users. For example, when a customer creates an account and a password, a hashing algorithm turns the password into a "key" that is then stored in a database. The next time the customer tries to log in, the same algorithm is run on the password they enter.
If the "key" in the database matches the "key" generated from the password the customer entered, access is granted. This means retailers never store the password itself, which better protects customer data in a breach. To slow down attackers who try to guess passwords against a stolen database, retailers should adopt leading technology, like the PBKDF2 hashing algorithm using a minimum of 100,000 rounds of hashing. This is known as "key strengthening," and companies should be prepared to raise that number in the future as hardware gets faster.
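As an added illustration (not code from the article or from LastPass), here is how the scheme above looks in Python using the standard library's PBKDF2: a random per-user salt, the round count stored with the hash so it can be raised later without invalidating existing accounts, and a constant-time comparison at login. The function names and the `algorithm$rounds$salt$hash` record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Work factor from the article. It is stored inside every record so the
# policy can be raised later and old records re-hashed at next login.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash (hex)."""
    # A fresh random salt per user means two customers with the same password
    # still get different stored "keys", so one cracked hash does not reveal the other.
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Check a login attempt against a stored record.

    Returns (matches, needs_rehash). needs_rehash is True when the record was
    made with fewer rounds than the current policy, so the caller can re-hash
    the now-verified password with the higher work factor.
    """
    algorithm, iterations_str, salt_hex, stored_hex = record.split("$")
    if algorithm != f"pbkdf2_{HASH_NAME}":
        raise ValueError(f"unsupported record format: {algorithm}")
    iterations = int(iterations_str)
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    matches = hmac.compare_digest(candidate, bytes.fromhex(stored_hex))
    return matches, matches and iterations < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # (True, False)
    print(verify_password("wrong password", record))                 # (False, False)
```

Raising `PBKDF2_ITERATIONS` later is then a one-line change; records made under the old policy report `needs_rehash=True` on the customer's next successful login.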
4. Follow breaches, and lock out users who have reused passwords. Track publicly disclosed breaches and check the leaked usernames and passwords against your own applications. Lock out any user whose password matches one that has been leaked publicly. When you lock them out, notify them why, explain how dangerous it is to reuse a password, and recommend a password manager for them to install.
5. Invest in security in advance, not after the fact. According to a study released by the Ponemon Institute, the average data breach in 2014 cost $3.5 million, a 15 percent increase from the year prior. This number will likely continue to rise. Investigating, responding to and resolving a cybersecurity incident is time-intensive and costly. Damage to your brand and reputation is also significant, and companies must spend heavily to regain trust. Having a security strategy in place with effective tools and an incident response team is critical to mitigating risk and reducing potential damage from a data breach, including financial loss.
6. Help employees understand risk and report issues. Educate employees on an ongoing basis about the different types of attacks, how to spot malicious websites and emails, and what your company's security policies are. And don't just rely on dry PowerPoint presentations. Sit down with employees one-on-one and show them what a phishing attack looks like. Regularly put employee knowledge to the test and do assessments to find weaknesses in your own systems. You should also ensure your IT department (or person) is proactively applying patches for all systems and software in use, and that employees have assistance when they must apply patches, too.
Unfortunately, there's no guarantee that your business won't fall victim to a data breach. However, the more proactive you are about protecting data, the harder it will be for a hacker to get the information they're looking for. Many of them are looking for an easy way in — i.e., information that's vulnerable and unprotected — so following the guidelines above will help make it more difficult to hack your systems, allowing you to better protect your company's assets and respond more quickly to threats.
Joe Siegrist is the CEO and co-founder of LastPass, a password management service.