Small to Mid Size Businesses The New Target for Hackers
Monday, February 23, 2015
Before the Target breach, which shook the data security industry to the core, many big companies didn’t see the need to make security a top priority. Many executives thought “good enough” was enough to protect them and their customers.
Target is paying nearly $200 million for its breach, and the big-box retailer’s Q2 earnings of $234 million are dismal compared to earnings of $611 million in the same period last year. The cost of being “good enough” is no longer good enough.
Because of the media coverage the Target breach has received, many large retailers have refocused their priorities and are now putting security at the top of the list. As large businesses gin up security practices and software, hackers have started to migrate to small- and mid-size businesses (SMB), which unfortunately, too often view data security as an afterthought. Or owners want to increase their protection, but cannot afford to, resulting in SMBs becoming the new target for hackers.
The Threat to SMBs Is Real and Growing
According to the 2013 Global Security Report by Trustwave, 71 percent of small business owners were victims of a data breach because they are the least equipped to protect themselves against an attack. Additionally, hackers want to stay under the radar of those authorities investigating and looking for high-profile convictions. Hackers have also realized they can steal as much card data from 10 smaller merchants as a single large merchant. And authorities don’t have the resources to thoroughly investigate 10 smaller breaches vs. one large highly publicized breach.
What should be scary for SMBs is that of those businesses that suffered a breach, 60 percent close their doors after six months, according to Experian.
And while the financial responsibility of a data security breach may fall today with the bank or even a credit/debit card processor, after the October 2015 EMV (Europay, MasterCard and Visa) deadline, the financial burden will lie solely with the retailer if they are not EMV compliant and cannot receive chip and pin cards.
With technology being so prevalent in all businesses, few can afford to leave their business and assets unprotected. And hackers are becoming more sophisticated every day, so SMB owners have to stay a few steps ahead of them because breaches are not going away. Case in point, there were 91 breaches reported in the first 43 days of 2014, according to the Identity Theft Resource Center. So, if you think you can’t be breached, you’re being naïve.
What Can Retailers Do?
One way to outsmart the hackers is by implementing a three-pronged approach to security. We recommend a combination of EMV, end-to-end encryption technology and tokenization. We call this combined effort Heartland Secure™.
So, why do we recommend a three-step approach? Simple. The reality is that no single countermeasure is enough, which is why merchants need to move to a more comprehensive approach. EMV is a good first step to data security breaches, but unfortunately, it’s not enough to prevent future attacks by sophisticated hackers. EMV alone would not have prevented the Target breach because the theft occurred as a result of malware in the POS that interfaces Target’s signature pad payment devices.
EMV is simply an electronic chip card technology that proves a consumer’s card is genuine. End-to-end encryption technology immediately encrypts card data as it is entered so that no one else can read it. And tokenization technology replaces card data with “tokens” that can be used for returns and repeat purchases, but are unusable by outsiders because they have no value.
Invest Now or Put Your Business at Risk
Most SMB owners see the value in data security, but many cannot afford the upgraded software. In a 2013 survey by the National Small Business Association, 44 percent of small business owners cited the cost of upgrading technology as one of their biggest challenges. But if you’re a business owner and you’re not implementing the proper measures for data protection, you’re opening yourself up to a huge risk.
The combination of EMV, end-to-end encryption technology and tokenization is the best protection available.
Outside of working with your credit card processor to deploy more advanced countermeasures, here are some common sense rules to make your business secure:
Keep your security software up to date by making timely firewall updates.
Change your passwords frequently and use strong passwords to help keep the bad guys at bay.
Make sure your business is PCI compliant. A large majority of breaches happen because the merchant was not PCI compliant at the time of their breach. Achieving PCI compliance is not a guarantee against keeping the bad guys out of your point of sale, but the numbers show that being compliant will put the odds in your favor.
Don’t browse social media or message friends on the same computer used to process financial information. You leave yourself vulnerable to breaches.
Don’t allow employees to log into computer networks remotely using easily stolen passwords or credentials.
Establish security guidelines. SMB owners should create data policies and offer training to ensure employees can handle sensitive and personally identifiable information. The National Cyber Security Alliance found that only 28 percent of U.S. small businesses have formal Internet security policies, leaving the remainder at risk.
All business owners should be proactive, not reactive, when addressing security threats. If you are at fault for a security breach, the business fallout can be severe, from fines and penalties and legal costs to the termination of the ability to accept payment cards. An SMB owner can also experience lost confidence, so customers go to other merchants, which results in lost sales and eventually going out of business. This article first appeared on the Retail TouchPoints website.