How to Prevent the $4 Million Mistake
The average cost of a data breach is $4 million. Without digital security as a core competency at your firm, you could be risking it all.
As director of Security & Infrastructure at ClientPay, Austin Park understands what it takes to safeguard sensitive information and why those protections are necessary.
“Every day, big and little companies are being breached,” Park explained. “The worst attacks are coming from nation-states with unlimited resources. How can a small or large company protect itself from a nation-state with unlimited resources? It’s not just activity on the dark web; companies are being targeted by foreign adversaries.”
With 20 years in the technology industry, Park’s perspective is based on experience. He oversees ClientPay’s security, compliance and cloud-based infrastructure.
“I’m not an alarmist, I’m a realist,” he said.
Park said some firms fall short in their efforts to keep A/R data and processes safe.
“When it comes to A/R processes, most companies approach security by purchasing a system or software, and they depend on whatever features the software has,” Park explained. “A lot of the software is feature rich, and security is an afterthought.”
He added that some firms also have poor practices around password management, such as storing passwords in Excel sheets, on paper or in email.
“Other sensitive information with A/R data, like account data, is still stored in spreadsheets,” Park added. “Sometimes multiple people use the same password. If there’s a ‘bad apple,’ there’s no way to audit if people use shared credentials.”
Even if internal practices are sound, the threat of data breaches looms large.
“The hackers and nefarious people are improving and getting more sophisticated in their attacks,” Park said.
Understanding PCI Compliance
To protect sensitive information, businesses handling clients’ financial data must meet strict requirements. In particular, businesses that accept credit cards must be Payment Card Industry (PCI) compliant.
PCI, shorthand for the Payment Card Industry Data Security Standard (PCI DSS), refers to a set of stringent standards governing how businesses accept credit cards and store card data.
“Visa, Mastercard, AMEX and Discover got together and said, ‘Security is a big deal; we have to get standardized in what we do,’” Park explained. “There are 12 core PCI requirements, with more than 220 types of things to adhere to.”
Park knows these extensive requirements well; he led ClientPay’s initiative to become compliant in PCI Level 1 standards, the most rigorous security level available. The requirements address areas ranging from firewalls to business and security processes.
“The whole gamut is to protect cardholder data,” Park said. “PCI isn’t a government regulation; it’s the credit card industry self-policing. If you want to use a credit card in your business, you have to follow these standards.”
Banks and card issuers strongly enforce compliance, and the penalties for noncompliance are steep.
“If you break the rules, your business can no longer accept credit cards as payment,” Park explained. “It’s enforced by credit card companies and by the PCI Council that came up with and set the requirements.”
Building Confidence in Data Protection
A recent ClientPay survey found that 19% of law firm A/R professionals’ firms take only minimal steps, or no steps at all, to manage PCI compliance. Additionally, 15% of respondents expressed moderate to low confidence that their clients’ data is adequately protected.
Park said he was not surprised by the findings, given his cautious perspective as a security professional. He explained the risks these firms are taking on.
“The average cost of a breach is $4 million,” Park said. “The cost of compromised customer records is about $150 per customer. Beyond the dollar aspect, the other aspect is reputation loss. Especially for smaller companies, if you lose your reputation, you’re kind of a number. You’d better protect yourself because most companies can’t weather a breach.”
For businesses that aren’t confident in their data security measures, Park explains ways to strengthen them.
“The best thing to do is to work with a partner who really takes security seriously,” Park advised. “It can’t be just a bullet point or check box. Do your due diligence, and understand how seriously a potential partner takes security.”
Park said potential business partners should be able to answer questions such as: Are you PCI compliant? Do you have security people on staff?
“Stay away if they can’t answer those questions,” Park warned. “Security should be a core competency in a company.”
Park shared how firms that partner with ClientPay benefit from the company’s Level 1 PCI compliance.
“It’s a significant investment in security,” Park said. “We spend more than $50,000 a year on software.”
ClientPay customers are able to leverage this investment, as well as the resources and expertise backing the compliance efforts, to better protect their clients’ financial data.
“Every year, we undergo a PCI audit,” Park added. “We hire an external auditor, who is sanctioned and authorized by the PCI Council. On top of that, we hire a company to do a penetration test. They’re white-hat hackers who discover vulnerabilities. We try to break our system in a safe way to harden it even more.”
Further strengthening these measures are Park’s credentials. He has earned two key levels of security certification: Certified Information Systems Security Professional (CISSP), the world’s premier cybersecurity certification, and the Certified Information Security Manager (CISM) certification, a globally accepted standard of achievement for professionals who manage, design and assess an enterprise’s information security.
“Clients can be confident when they process with us that we did our best,” Park said. “To be PCI compliant, we have to comply with rigorous things. The core stuff is on us when we work with clients; all they need to do is be PCI compliant. In a way, they become more secure in general when working with ClientPay.”
It comes down to being able to trust business partners.
“Businesses are all about relationships and partners,” Park said. “Make sure a partner is protecting your data, and make sure security is the number-one or top-two thing that a company stresses when they’re trying to become a potential partner. If security isn’t among their competencies, it comes down to the weakest link in a chain. If your security is rock solid but your partner’s security isn’t, then it’s not bad on them, it’s bad on you.”