Card Data Security: The Harsh Reality for Retail SMBs
Funds are tight as it is, and most would argue that the money is needed to operate their business. Many SMBs I work with struggle some months to cover the litany of expenses just to keep their doors open. Then there is the other side of the coin, SMBs who are doing well, making money, and investing in their company’s growth. Many businesses focus on everything BUT their payments and data security infrastructure.
The Harsh Reality
-The US has the highest average total organizational cost of a breach at $5.5+ Million.
-37% of breaches are the result of malicious malware or another virus, or of CRIMINAL INSIDERS.
-62% of the data stolen when a business experiences a data breach is credit card data.
-E-commerce websites are the number one target for hackers.
-The average malicious data breach takes 80 days to detect and 180 days to resolve.
-Businesses with 1-500 employees comprise 41% of all attacks.
I am parading these numbers in front of you because SMBs are targeted often and have the most to lose. They are also targeted because they are the easiest to infiltrate and usually do not possess the resources to quickly catch the intruder. The cost of a breach will put most SMBs into bankruptcy. The Symantec ISTR report goes on to tell stories of businesses that were forced to seek bankruptcy protection because the costs associated with the breach were, as the report states, “prohibitive”.
If you are an SMB, calculate how many unique transactions you run in an 80-day period and multiply that by $199. Consider this number the low end of what a breach would cost your organization.
Simple steps to secure your business?
Your organization’s Local Area Network (LAN) is the doorway into your business. Like the example in the story at the beginning of this article, if someone can get past your LAN’s firewall and reach your IP address, it is game over: you are breached, and the hacker will have their way with you and, most importantly, with your valued customers’ data.
– Have a clear understanding of all the devices that connect your LAN to the internet and know what your exposure is. If you own a company and have no idea how your network is secured, consider this your wake-up call and take the opportunity to find out.
– Know who has access to and control over your network. 29% of data losses were accidentally made public and 9% are due to insider theft.
2. BECOME PCI COMPLIANT:
One of the simplest ways to begin determining how secure your business is, is to complete the PCI Compliance SAQ and have your IP addresses scanned. Call your current credit card processor and ask them what services they provide to accommodate this. My company provides these resources to our merchants at no cost through an online portal that allows you to take the PCI SAQ, as well as enter your IP address to be scanned. I would imagine most processors offer this service by now, hopefully at no cost. Scanning your IP addresses will determine whether or not they are secured, and what steps, if any, are needed to remediate.
3. BEST PRACTICES:
Develop processes and procedures for how sensitive data is handled and secured. By putting together best practices regarding sensitive data, you can protect your business simply by understanding the flow of information, who has had access to it, and where possible internal vulnerabilities reside. Maintaining these is part of being a PCI compliant organization. It is scary how many businesses have no plan, or even a clue, as to how sensitive data is handled within their organization.
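The steps above ask you to know what on your LAN is reachable from the network, to scan your addresses, and to write down what is and is not supposed to be exposed. The following added example (my illustration, not code from the article or from any processor's portal) shows what that check looks like for a single card-handling server: it parses the listening sockets reported by Linux `ss -tlnp`, ignores services bound only to loopback, and compares the rest against a documented allowlist. The sample `ss` output, the allowlist, and the port policy are constructed for the example and are not a PCI DSS requirement list.

```python
import re
from ipaddress import ip_address

# Constructed sample of `ss -tlnp` output (not from a real host). The first
# line is the column header that `ss` prints; the parser skips it.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1204,fd=7))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1337,fd=21))
LISTEN 0 50 0.0.0.0:1433 0.0.0.0:* users:(("sqlservr",pid=2201,fd=9))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=400,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# Assumed policy for this example: services that should never face the network
# on a host that touches card data.
PLAINTEXT_LEGACY = {21: "ftp", 23: "telnet"}
DATASTORE_PORTS = {3306: "mysql", 1433: "mssql", 5432: "postgres", 27017: "mongodb", 6379: "redis"}
SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listener(line):
    """Return (bind_address, port, process) for one LISTEN line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("local").rpartition(":")
    host = host.strip("[]")          # IPv6 sockets are printed as [::]:port
    if host == "*":
        host = "0.0.0.0"
    return host, int(port), m.group("proc") or "?"


def is_network_reachable(host):
    """Anything not bound to loopback may be reached from the LAN, and from the
    internet if a NAT rule or port forward points at it."""
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # unrecognised bind address: err on the side of reviewing it


def triage_listeners(ss_output, allowed_ports):
    """Compare network-reachable listeners against the documented allowlist and
    return findings, most serious first. IPv4/IPv6 copies of one service are merged."""
    findings, seen = [], set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port, proc = parsed
        if not is_network_reachable(host) or (port, proc) in seen:
            continue
        seen.add((port, proc))
        if port in PLAINTEXT_LEGACY:
            sev, why = "high", f"{PLAINTEXT_LEGACY[port]} sends credentials in clear text"
        elif port in DATASTORE_PORTS:
            sev, why = "high", f"{DATASTORE_PORTS[port]} reachable from the network; card data stores belong on an isolated segment"
        elif port == 80:
            sev, why = "medium", "plaintext HTTP; acceptable only if it redirects to HTTPS and carries no card data"
        elif port not in allowed_ports:
            sev, why = "review", "listening on a network interface but not on the documented allowlist"
        else:
            continue
        findings.append({"port": port, "process": proc, "severity": sev, "reason": why})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"]))
    return findings


if __name__ == "__main__":
    # Assumed allowlist for this host: HTTPS for the shop and SSH for administration.
    for f in triage_listeners(SAMPLE_LISTENERS, allowed_ports={22, 443}):
        print(f"[{f['severity']}] port {f['port']} ({f['process']}): {f['reason']}")
```

On a real server you would feed it the live output (`ss -tlnp | python3 triage.py` style, with `sys.stdin.read()` in place of the sample) and keep the allowlist beside your data-flow documentation from step 3, so that every network-facing service is either on the list with a written reason or shows up as a finding. The loopback-only MySQL socket in the sample produces nothing, which is the point: the check reports exposure, not merely existence.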
4. BRING IN AN INDUSTRY EXPERT:
Bring in an outside firm. There are a host of companies that can assist you with securing your network. These experts will assess your network, find the vulnerabilities, and propose methods and technology to keep your organization from suffering any losses.