by Peter Lipa, Regional Director for the Americas for Sticky Password
Talking with small business owners, all too often I find that they have an authoritarian mentality in regards to their customers, as in: “the more customer data I have, the greater control I have over them!” This is particularly true of online businesses, where customers (and their money) are hidden behind the virtual invisibility of the Internet. (I intentionally do not use the word anonymous, because the Internet is anything but anonymous!) The thinking is that more data/information will hopefully translate to more opportunities to monetize all those contacts.
The desire to create ties that bind is understandable, but is it even effective in today’s online world of permission marketing (i.e. where customers and potential clients sign up to receive specific email notifications from businesses they like, in the hopes of minimizing unsolicited spam from brands and organizations they don’t care about)?
I don’t know about you, but I don’t consider my home address, or even my date of birth, as an appropriate cost to receive an email telling me a new blog is up. Why isn’t an email address – entered twice, to make sure it’s correct – enough to ensure that I’ll get the latest news and offers from Acme Widget Company?
Given all the options available online to customers today, why do some businesses still think it is acceptable to require potential customers to create password-protected accounts just to read a blog? While undoubtedly interesting, is the information being shared in the blog so sensitive or valuable that I have to create another password-protected account to read it? That’s not a hypothetical question. If it’s the information in your blog that you’re charging for – i.e. that’s your product – then by all means go ahead and tie it to private accounts. But, if your blog is basically a marketing tool, then don’t do it.
But beyond the annoyance factor – which is no small thing – the security issue is far more serious.
The frequent news of cyber attacks on huge corporations is a strong reminder to all businesses that they are responsible for all the customer data they ask for. Small businesses sometimes downplay the threat and neglect important aspects of Internet security because they think they are under the radar of hackers. In reality, no business is under the radar of the bad guys.
Let’s take a look at 5 best practices for taking care of customer data:
1. Collect only the data you actually need. Even though customers may be willing to give you their personal details, ask yourself if you really need specific data before you start collecting it. Don’t ask for information unless you have actual plans to use it. If an email address will do, then don’t ask for a home address or telephone number.
2. Limit access to the data. Make sure that only colleagues and employees that have a ‘need to know’ are able to access your customers’ data. No exceptions.
3. Don’t ask visitors to create password-protected accounts unless it’s really necessary!
Customers who don’t think there’s a valid security reason for having a password for a site tend to choose weak credentials or to re-use passwords from other sites.
With so many password accounts, it’s easy for people to get lazy about using strong unique passwords. Not only does that put the customer’s accounts at risk, it also becomes a weak point in your security.
If you really do need passwords to restrict access to your website, then make sure you require customers to follow best practices in creating their passwords.
Implement an automated password system that:
- disallows notoriously weak passwords like 123456, qwerty, Princess and other dictionary words
- requires at least 8 characters
- requires that each password include a mix of letters, numbers and special characters
- never sends passwords to your customers in plain text in an email
- supports a limit on the number of failed attempts to access an account
- notifies you of unusual activity
- supports automated password resetting
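As an added illustration (not code from this article or from Sticky Password), here is a small Python sketch of the first three rules in that list plus the failed-attempt limit; the weak-password list, the limits and the account names are constructed samples, and a real deployment would check against a far larger breached-password list.

```python
import re

# Constructed sample denylist; a production system would use a much larger
# list of common and breached passwords. Compared in lower case so that
# "Princess" and "princess" are both rejected.
WEAK_PASSWORDS = {"123456", "qwerty", "princess", "password", "letmein"}

MIN_LENGTH = 8          # the article's "at least 8 characters"
MAX_FAILED_ATTEMPTS = 5  # assumed limit on failed logins per account


def check_password_policy(password: str) -> list:
    """Return the list of policy rules the password breaks (empty = accepted)."""
    problems = []
    lowered = password.lower()
    # Reduce the password to its alphabetic core so that "Princess1!" is
    # still recognised as the dictionary word "princess": a letters+digits+
    # symbols rule on its own does not stop people dressing up a weak word.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in WEAK_PASSWORDS or core in WEAK_PASSWORDS:
        problems.append("weak_word")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no_letter")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no_special")
    return problems


class LoginAttemptTracker:
    """Count failed logins per account and lock the account after a limit."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = {}  # account -> consecutive failed attempts

    def is_locked(self, account: str) -> bool:
        return self.failed.get(account, 0) >= self.max_failed

    def record_failure(self, account: str) -> bool:
        """Record a failed login; returns True when this failure locks the
        account, which is the point at which the owner should be notified."""
        self.failed[account] = self.failed.get(account, 0) + 1
        return self.failed[account] == self.max_failed

    def record_success(self, account: str) -> None:
        """A successful login (only reachable while unlocked) clears the count."""
        self.failed.pop(account, None)
```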
Even if you are the owner of the business, you should never know or ask for a customer’s password!
Let your customers know that you take passwords – and the security of their data – seriously.
4. Be responsive and make it easy for your customers to get in touch with you when they have a security question.
5. Don’t go it alone. Unless you’re in the business of online security, you shouldn’t try to wing it when it comes to the security of your customers’ personal data. This isn’t an area where you should try to save a few dollars by hiring your neighbor’s son or daughter who’s a wiz with computers. The potential risk isn’t worth it. Make sure you engage a responsible service that will be able to help you if something goes wrong.
About the author:
Peter Lipa is Regional Director for the Americas for Sticky Password, a password manager (https://www.stickypassword.com/). Find out more about passwords, privacy and security on the Sticky Password blog.