Card Data Security: The Harsh Reality for Retail SMBs
Last week I was having a meeting with the CTO of a 130-location retail business. This gentleman, whom we’ll call William, is way ahead of the curve in his knowledge and insight into payments, POS systems and network security (he is truly a pleasure to speak and work with). The private equity company that owns his current employer recently purchased a new group of restaurants on the east coast and sent William to assess the current state of technology within them. Within five minutes of inspection William noticed Linksys routers (the kind you get at your local big box electronics store) sitting next to their relatively new POS servers. William asked the current (probably not for long) IT guy whether those routers were secured, to which the IT guy responded with a timid “Yes... by the firewall provided by the manufacturer.” Dumbfounded, William realized that the only line of security between the restaurant’s network and the world was an out-of-the-box consumer router with its default firewall settings. William self-admittedly does not even possess the skills of a low-level hacker, but within five minutes he was able to get past that firewall, reach the restaurant’s internal network, and identify the IP addresses of the systems on it. For those of you who may not know, once you are this far, installing malware or keyloggers and stealing sensitive data is not difficult. This story could be told about thousands of small to medium sized businesses (SMBs) in the US.
Why does this happen? Funds are tight as it is, and most owners would argue that the money is needed to operate the business. Many SMBs I work with struggle some months to cover the litany of expenses just to keep their doors open. Then there is the other side of the coin: SMBs that are doing well, making money, and investing in their company’s growth. Either way, many businesses focus on everything BUT their payments and data security infrastructure.
The Harsh Reality
These statistics were taken from the 2014 Symantec Internet Security Threat Report, and they are just a fraction of the data in the report. I would encourage anyone who is interested in taking a deeper dive into this topic to download the full 97-page report. Caution: it is scary.
-The average cost to a US business that suffers a breach is $199 per record.
-The US has the highest average total organizational cost of a breach, at $5.5+ million.
-37% of breaches are the result of malware, other malicious code, or CRIMINAL INSIDERS.
-62% of the data stolen when a business experiences a data breach is credit card data.
-E-commerce websites are the number one target for hackers.
-The average malicious data breach takes 80 days to detect and 180 days to resolve.
-Businesses with 1–500 employees were the target of 41% of all attacks.
I am parading these numbers in front of you because SMBs are targeted often and have the most to lose. They are targeted because they are the easiest to infiltrate and usually do not possess the resources to quickly catch an intruder. The cost of a breach will put most SMBs into bankruptcy. The Symantec ISTR goes on to tell stories of businesses that were forced to seek bankruptcy protection because the costs associated with the breach were, as the report states, “prohibitive”.
If you are an SMB, calculate how many unique card transactions you run in an 80-day period (the average time to detect a breach) and multiply that by $199. Consider this number the low end of what a breach would cost your organization.
Simple steps to secure your business
1. KNOW YOUR NETWORK:
Your organization’s Local Area Network (LAN) is the doorway into your business. As the story at the beginning of this article shows, once someone gets past your firewall and can reach the systems on your LAN, it is game over: you are breached, and the attacker has free rein over your systems and, most importantly, your valued customers’ data.
– Have a clear understanding of every device that connects your LAN to the internet (routers, modems, wireless access points, remote-support tools) and know what your exposure is. If you are the owner of a company and have no idea how your network is secured, consider this your wake-up call and take the opportunity to find out.
– Know who has access to and control over your network. 29% of data losses were accidental public exposures and 9% were due to insider theft.

2. BECOME PCI COMPLIANT:
One of the simplest ways to begin determining how secure your business is, is to complete the PCI Self-Assessment Questionnaire (SAQ) and have your public IP addresses scanned. Call your current credit card processor and ask what services they provide to accommodate this. My company provides these resources to our merchants at no cost through an online portal that allows you to complete the PCI SAQ and enter your IP addresses to be scanned. I would imagine most processors offer this service by now, hopefully at no cost. The scan is an external vulnerability scan of the addresses you expose to the internet (PCI requires it quarterly, performed by an Approved Scanning Vendor); the report tells you which services are reachable from the outside, which findings fail, and what steps are needed to remediate them.

3: BEST PRACTICES:
Develop processes and procedures for how sensitive data is handled and secured. By putting together best practices regarding sensitive data, you protect your business simply by understanding the flow of information, who has had access to it, and where possible internal vulnerabilities reside. Maintaining these is part of being a PCI compliant organization. It is scary how many businesses have no plan, or even a clue, as to how sensitive data is handled within their organization.
4. BRING IN AN INDUSTRY EXPERT:
Bring in an outside firm. There are many companies that can assist you with securing your network. These experts will assess your network, find the vulnerabilities, and propose processes and technology to keep your organization from suffering losses.
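To make steps 1 and 2 concrete, here is a small script that answers the question William asked in that restaurant: is anything on this network listening to the whole internet? It is an added example written for this article, not code from the original post, from TransNational Bankcard, or from any PCI scanning vendor. It does a plain TCP connect scan of a short list of ports that a consumer router, a POS back-office server or a remote-support tool most often leaves reachable, then grades what it finds. The port list and the "never expose" set are editorial assumptions for the example, not a PCI requirement, and the script is no substitute for an ASV scan. Run it from a machine outside your network, against your own public IP only.

```python
"""
Quick external exposure check for a small business's public IP.

Added example for this article (not the original author's code). Performs a
TCP connect scan of a handful of ports commonly exposed by consumer routers,
POS back-office servers and remote-support tools, and grades the result.
Not a substitute for a PCI ASV scan. Scan only addresses you own.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports worth checking on a small retail network, and why. This list is an
# editorial assumption for the example, not a PCI-mandated set.
PORTS_OF_INTEREST = {
    21: ("FTP", "cleartext logins; often left on by POS vendors for file drops"),
    22: ("SSH", "remote shell; acceptable only if key-based and IP-restricted"),
    23: ("Telnet", "cleartext remote admin; should never face the internet"),
    80: ("HTTP", "router or POS admin page; check for default credentials"),
    443: ("HTTPS", "router or POS admin page; check for default credentials"),
    445: ("SMB", "Windows file sharing; never expose"),
    1433: ("MSSQL", "POS databases often live here; never expose"),
    3389: ("RDP", "remote desktop; frequent ransomware entry point"),
    5900: ("VNC", "remote desktop; often unauthenticated"),
    8080: ("HTTP-alt", "remote management port on many consumer routers"),
}

# Services that are unacceptable on a card-handling network no matter how
# they are configured (assumption for this example).
NEVER_EXPOSE = {21, 23, 445, 1433, 3389, 5900}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def scan_host(host: str, ports=None, timeout: float = 1.0) -> list:
    """Connect-scan the given ports (default: PORTS_OF_INTEREST) in parallel.

    Returns the sorted list of ports that accepted a connection.
    """
    ports = sorted(ports if ports is not None else PORTS_OF_INTEREST)
    with ThreadPoolExecutor(max_workers=max(1, min(16, len(ports)))) as pool:
        results = pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports)
    return [p for p, is_open in results if is_open]


def assess(open_ports) -> dict:
    """Grade a set of open ports.

    verdict: 'clean'  -> nothing of interest reachable
             'review' -> admin/remote-access service exposed; verify its config
             'fail'   -> a NEVER_EXPOSE service is reachable from the internet
    """
    findings = []
    verdict = "clean"
    for port in sorted(open_ports):
        name, why = PORTS_OF_INTEREST.get(port, ("unknown", "unexpected listener"))
        severity = "fail" if port in NEVER_EXPOSE else "review"
        findings.append({"port": port, "service": name,
                         "severity": severity, "note": why})
        if severity == "fail":
            verdict = "fail"
        elif verdict == "clean":
            verdict = "review"
    return {"verdict": verdict, "findings": findings}


def format_report(host: str, assessment: dict) -> str:
    """Render the assessment as a short human-readable report."""
    lines = [f"Exposure check for {host}: {assessment['verdict'].upper()}"]
    for f in assessment["findings"]:
        lines.append(f"  {f['port']:>5}/tcp {f['service']:<9} "
                     f"[{f['severity']}] {f['note']}")
    if not assessment["findings"]:
        lines.append("  no ports of interest reachable")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python exposure_check.py 203.0.113.10
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(format_report(target, assess(scan_host(target))))
```

A "review" verdict is not a pass: an admin page on 443 is only acceptable if it is not the router's default login, and in most SMBs the right answer is to turn remote management off entirely. A "fail" on 3389 or 5900 is exactly the kind of doorway the story above describes, and it should be closed before the next business day, not at the next PCI renewal.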
The bottom line is that falling victim to a hacker or an internal criminal is a very harsh reality. Is it a pain to go through? YES. Can it cost you money? YES. Do these simple steps cost more in time and resources than a data compromise? NO. We need to secure our businesses for the same reasons we pay for health and life insurance: we may not need it today, but it is a near guarantee we will need it at some point, sooner rather than later. Most of you reading this have probably felt the effects of a data breach already. The next time you get a new credit card in the mail with a letter telling you your card may have been compromised, remember that each of those records costs a business about $200 on average. Don’t allow yourself to be a victim of negligence. Take the time to understand your liability and take the appropriate action from there.
About Perry T.: Perry Tatooles is a 10-year veteran of the merchant services industry. He currently manages several sales channels for TransNational Bankcard. In his many years of service, he has worked with thousands of merchants ranging from Fortune 500 companies to startup sole proprietorships.