Online criminals have been drawing a bead on small businesses’ point-of-sale terminals—what are you doing to protect yourself?
Maybe not as much as you should. A recent industry study by Ipsos Reid showed 40 percent of the small business owners told researchers they have no protocols in place for securing data, a 5 percent increase from 2012. (Scarier: Nearly 70 percent of small businesses surveyed said they didn’t believe that data being lost or stolen would hurt their companies financially or harm their reputation.)
Though point-of-sale (POS) breaches at large companies like TJ Maxx, Subway, and Barnes & Noble have made national news, attacks are adding up at smaller enterprises. Symantec’s 2013 Internet Security Threat Report claims targeted cyberattacks increased by 42 percent last year, with nearly one-third aimed at businesses with fewer than 250 employees. Experts say many more go unreported out of fear of reputational damage or a customer backlash.
Meanwhile, mobile-payment technologies are expanding the array of POS registers, from smartphone-based systems and QR-code-enabled purchasing to e-wallets and iPad-based checkouts, and bringing in hordes of new users who are often unfamiliar with security best practices.
“Part of the problem is that technology seems to be getting ahead of the ability to secure it,” says Jarred White, manager of security engineering services at ControlScan, an Alpharetta, Ga.-based provider of payment-security and compliance solutions. “Technically speaking, mobile’s nothing that we aren’t already accustomed to dealing with, but the distribution model is different, the underlying platforms are a little different, and mobile security professionals haven’t spent a lot of time looking at the security. And that’s what concerns me—how far behind the industry is when it comes to best practices around those technologies.”
And it’s a scary place out there for those with vulnerabilities. The methods of attack seem endless: breaches via WiFi, covert card “skimmer” devices, keyloggers, “spear-phishing” emails, and malware, malware, malware.
“We’ve been talking about ‘hockey stick’ growth of malware for a few years, but malware has yet to even slow down a little bit,” says Mark Bermingham, director of global product marketing at Kaspersky Lab. “The guys that write malware are always going to follow the path of least resistance. And one of the challenges for the small business owner is that, for a few years now, many have been saying ‘Why do I have to worry?’”
So what are the best practices to attempt to stay ahead of the bad guys? A talk with a few professionals on the front lines suggests what to focus on.
Comply with the PCI-DSS
This is the heart of the card-payment industry’s defense against crime. The Payment Card Industry Data Security Standard (PCI-DSS) is a list of requirements that apply to every merchant that processes, stores, or transmits cardholder data. The rules are strict, but they are also the first line of protection for your business and your customers’ information, and your best protection against the fines and liabilities that follow a data breach, provided your systems were in full compliance when it happened. The standard is maintained by the PCI Security Standards Council, a governing body that also approves POS hardware through its PIN Transaction Security (PTS) program and maintains a separate standard for payment software (the PA-DSS), along with a list of applications validated against it.
ControlScan’s White says trouble often occurs when a business doesn’t make the time and effort to maintain and update its systems. “They make excuses when, say, the system has to be taken down for two hours to implement the changes,” he says. “They say ‘That’s two hours of e-commerce or swiping that we’re losing.’ Or they don’t want to stay up from midnight to 3 a.m. to do it. For them, their bottom line is running a business, and not being a security expert. But really, there is a balance that needs to be struck.”
Install anti-malware software and update it
“It doesn’t take much to be secure enough to make hackers want to go elsewhere to find someone who hasn’t chosen to be secure enough,” Kaspersky’s Bermingham says. So, get proactive. He points to a combination of three measures for a semblance of peace of mind: 1) “whitelisting,” which allows only a known, approved list of software to run and blocks everything else by default; 2) application-control management, which enforces that same trusted-application policy across all of the business’s computers; and 3) strong anti-malware that uses cloud-delivered threat intelligence to offer near-real-time protection. Why? Bermingham says that as the IT security industry has become better at spotting scams in progress, many hackers recognize they could be caught quickly and plan accordingly. “The guys issuing this malware recognize they may only have an hour or two, but that’s enough,” he says.
Don’t forget to patch. Choose security software that offers automatic patch management and vulnerability scanning, so that administrators are notified when a newly disclosed weakness affects a program on their machines and the fix is installed without waiting for someone to remember. An unpatched, publicly known vulnerability is exactly the kind of path of least resistance Bermingham describes.
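The whitelisting idea above is simple to state but worth seeing in code. The following is an added example, not code from the article or from Kaspersky or ControlScan: it records a baseline of SHA-256 hashes for the approved executables on a register when the machine is built, then audits the host for binaries that are unknown, modified, or missing. It also shows why White’s maintenance window matters: after every patch the baseline has to be rebuilt, or the updated binaries show up as “modified.” The directory layout, file names, and contents are constructed for the demonstration; a production deployment would use the operating system’s own application-control feature or a vendor product, but the decision logic is the same.

```python
"""Hash-based executable allowlisting for a POS host.

Added example, not from the article. Assumes an operator captured a
baseline (relative path -> SHA-256) when the register was built and that
anything outside that baseline should be treated as suspect. All file
names and contents in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

EXECUTABLE_SUFFIXES = (".exe", ".dll")  # assumption: a Windows-based register


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def executables_under(root: Path, suffixes: Iterable[str]) -> List[Path]:
    """Every regular file under root whose suffix marks it as executable."""
    wanted = tuple(s.lower() for s in suffixes)
    return [p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in wanted]


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> Dict[str, str]:
    """Record the approved state: relative POSIX path -> hash. Rerun after each patch."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in executables_under(root, suffixes)}


def audit(root: Path, baseline: Dict[str, str],
          suffixes=EXECUTABLE_SUFFIXES) -> Dict[str, List[str]]:
    """Compare the live host against the baseline.

    unknown  -> executable present now but never approved (e.g. dropped malware)
    modified -> approved path whose content changed (patched, or tampered with)
    missing  -> approved executable that has disappeared
    """
    findings: Dict[str, List[str]] = {"unknown": [], "modified": [], "missing": []}
    seen = set()
    for p in executables_under(root, suffixes):
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings["unknown"].append(rel)
        elif baseline[rel] != sha256_of(p):
            findings["modified"].append(rel)
    findings["missing"] = list(set(baseline) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: build a register, baseline it, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "register.exe").write_bytes(b"MZ approved register build 1.0")
        (root / "pos" / "printer.dll").write_bytes(b"MZ approved printer driver")
        baseline = build_baseline(root)

        # Constructed attacker activity after the baseline was taken:
        # a dropped binary with an innocuous-looking name, and a hooked driver.
        (root / "pos" / "svchost.exe").write_bytes(b"MZ memory scraper")
        (root / "pos" / "printer.dll").write_bytes(b"MZ approved printer driver + hook")
        (root / "pos" / "readme.txt").write_text("not an executable, must be ignored")
        return audit(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run the audit from a scheduled task and treat any “unknown” result as an incident, not a log line: Bermingham’s point is that the malware author only needs an hour or two, so a nightly report is too slow for a register that takes cards all day. Store the baseline somewhere the register itself cannot write to, otherwise an intruder with administrator rights simply re-baselines after installing the scraper.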
Harden your technology setup
Keep POS systems and guest WiFi networks separate. Better yet, White says, put them on separate routers rather than on separate networks behind one device, so that a compromised guest network has no path to the registers. Segmentation has a compliance payoff too: only the segment that touches cardholder data falls within the scope of a PCI-DSS assessment. In a brick-and-mortar shop, keep all of the gear in a locked room or a secure cabinet to keep visitors from snooping and to limit who can physically reach the equipment. (The PCI-DSS actually requires the latter.)
Use stronger passwords
First off, don’t use anything on the annually published lists of the 25 most popular passwords. All the security measures in the world won’t matter much if the simplest step is undermined by sheer laziness. Also, ditch the out-of-the-box default passwords immediately on all devices; the factory defaults are printed in vendor manuals that anyone can download. Passwords for POS registers should be changed every month and should in no way match the business name or the public WiFi access codes, and each cashier should have a unique login rather than sharing one register password (the PCI-DSS requires this as well). Go off-dictionary, work in some numbers and punctuation, and, whatever you do, don’t write it down and stick it in a place where unauthorized people can see it. Have trouble remembering? Here’s a good guide to password managers.
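The rules in the paragraph above can be turned into a checker that runs before a password is accepted, plus a generator for when a password manager is doing the remembering. This is an added example, not code from the article; the common-password blocklist and the vendor-default set are short constructed samples standing in for the real lists the article links to and for a device’s own documentation, and the business name and WiFi codes passed in are assumptions made up for the demonstration.

```python
"""Password policy check for POS registers and store network gear.

Added example, not from the article. COMMON_PASSWORDS and VENDOR_DEFAULTS
are constructed samples; a real deployment loads the current published
"most common passwords" list and the device's documented factory defaults.
"""
import secrets
import string
from typing import Iterable, List

COMMON_PASSWORDS = {  # constructed sample of a "top 25" list
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "111111", "iloveyou", "admin", "welcome", "monkey", "dragon",
}
VENDOR_DEFAULTS = {"admin", "1234", "manager", "pos", "password", "0000"}  # constructed
PUNCTUATION = set(string.punctuation)


def normalize(text: str) -> str:
    """Lower-case and drop everything but letters and digits so 'Acme-Cafe!' ~ 'acmecafe'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(pw: str, business_name: str = "",
                   wifi_codes: Iterable[str] = (), min_len: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    lowered = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if lowered in VENDOR_DEFAULTS:
        problems.append("is a factory default")

    norm = normalize(pw)
    biz = normalize(business_name)
    # Either direction: 'AcmeCafe2013' contains the name, and 'Acme' is contained by it.
    if norm and biz and (biz in norm or norm in biz):
        problems.append("contains the business name")
    for code in wifi_codes:
        c = normalize(code)
        if norm and c and (c in norm or norm in c):
            problems.append("matches or contains a WiFi access code")
            break

    classes = sum(any(test(ch) for ch in pw) for test in (
        str.islower, str.isupper, str.isdigit, lambda ch: ch in PUNCTUATION))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG that satisfies check_password()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Assumed store context, constructed for the demo.
    store, wifi = "Acme Cafe", ["guestwifi2013"]
    for pw in ("123456", "AcmeCafe2013!", "Guest-WiFi-2013x", generate_password()):
        verdict = check_password(pw, store, wifi) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The substring check in both directions is deliberate: a register password of “Acme!” is as guessable as “AcmeCafe2013!” for anyone who can read the sign over the door. The generator loops only rarely, since a 20-character draw from that alphabet almost always hits three character classes, and it uses `secrets` rather than `random` because the latter is not designed for unpredictability.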
Educate your staff
Employees can be an excellent line of defense. Be upfront about why policies are in place and how procedures are to be followed. Staffers armed with information about possible threats could later save the day with an early warning about suspicious behavior, fishy calls or emails, or something that seems out of place. (Show them this fantastic infographic from Merchant Warehouse.)
How can you put your trust in staffers, particularly in positions with a lot of turnover?
White says he’s seen demand for awareness efforts. “I think there’s a lot of value in training employees and showing them what they’re protecting,” he says. “The business owner has it in his or her best interest to make them aware of what the risks are, but also of the danger to the business. As in: How can a negative incident hurt our business and, in turn, your job? Not just that you made a mistake and could face disciplinary action, but that the business could take a serious hit financially or to its reputation and could have to shutter its doors.”