By Brian Pennington, Liaison Technologies
Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.
- Criminals do not discriminate, a dollar is a dollar and a credit card is a credit card, no matter where it is stolen from.
- Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
- Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example PCI DSS. Compliance is described as a painful process but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information and not just credit cards.
- Malware (viruses, trojan’s, etc.) does not know the difference between small and large business, in an automated attack malware tools just look for weaknesses.
- The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.
Avivah Litan, in her recent Gartner blog, recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.
The story so far looks like the criminals gained access to the store’s systems remotely and siphoned off the cards’ magnetic stripe data and then creating counterfeit cloned cards which resulted in thousands of dollars in fraud and affected a high percentage of the town’s population, and significantly almost 25% of the local police force.
The sad thing is, from my own experience of running a small business, it is customer loyalty that often makes the difference between being profitable and going bust. Incidents like this always affect a customer’s perception of the business.
Large businesses can employ a pr agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, all of which a small business could not afford to do.
So what can small businesses do?
- The first thing is to assume is that you may become a target because the criminals use tools which try to find vulnerable business every minute and hour of the day.
- Ensure that your payment devices; terminals, tills, e-commerce solution, etc. are all Payment Application Data Security Standard (PA DSS) approved. The PCI website has a list of approved products and version, find the link here.
- Ensure you have the IT security basics in place, firewall, anti-virus, etc. and use the auto updates for the technology.
- Make sure all your IT devices, not just your desktops and laptops – but your tills and EPOS devices, all have their software updated/patched regularly. If it is available turn on auto-updates.
- Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
- I know it is difficult for small business owners to find the time but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ) but it is an excellent start to a secure business. If you have any questions about which SAQ is needed or any other questions ask your bank they are as concerned about your security as you are.