Any time a company handles consumer data, and especially types of data that could be exploited for ID theft, that company has the responsibility to implement the strongest security controls and practices, or look at opportunities to outsource that part of the business that’s “high risk / high cost”.

An example is payment processing. “Mom and Pop” websites that use off-the-shelf or open source e-Commerce packages and process their own credit card transactions potentially carry a huge liability. The Payment Card Industry (PCI) Data Security Standard is in place to try to ensure that sufficient controls exist around payment card data, and these controls might be quite expensive. A better alternative might be to outsource payment processing to Paypal, Google or Amazon. Although there are structured fees around outsourcing of payment processing, this might be much less expensive than a full-on implementation of a PCI compliance program, which could run in to the hundreds of thousands of dollars even for a relatively small deployment.

The best approach is to look at the risk, look at the cost, and make a determination to move the risk, accept the cost and mitigate the risk, or accept the risk as part of doing business.

Too often, businesses accept risks that they don’t understand, and there are no clear guidelines on how much risk should be able to be accepted vs. mitigated — a clear example of this was the housing bubble and credit meltdown caused by companies that aggregated too many high-risk investments.

Pulling in a consultant is often a good way to make sure residual risk is properly sized for the business. If your company is accepting too much risk, a good consultant can identify that, qualify the risk, and help formulate a cost-effective remediation strategy.