Crimeware, malware and hacking that targets financial details to steal money from unsuspecting users’ accounts and credit cards is not all just about high-profile targets that hit the headlines. The thieves have a new target in sight: small businesses.
When you think about it, that makes sense from a perpetrator’s perspective: SMEs/SMBs spend a fraction of their resources on computer security, oftentimes nothing whatsoever, and rarely have in-house expertise to guide them. But they do have a steady stream of credit card data going through their networks, and because of that lack of security spend, sometimes that data is just ripe for the picking.
Things are made all the easier by the fact that small businesses embrace new technology, such as tills that are actually computers, to make their retail and front-of-house jobs easier, but lack the resources and expertise to think about the security implications of those IT purchase decisions. A cash register that runs a version of Microsoft Windows, even in some kind of kiosk mode, is still a perfectly valid infection vector, and who, after all, thinks of running antivirus software on a cash register?
That’s not the end of the story, however: these cash registers are usually networked, often to a back-end server locally or, in larger concerns, to a central server network at “head office”. All of this is usually connected, for convenience, via the public internet. Guess where the bad guys live? In 2010, according to some sources, more than half of attacks (malware, hacking etc.) resulting in financial loss from stolen customer data were focused on organisations with fewer than 100 employees. Worse still, Visa Inc. estimates that about 95% of the credit-card data breaches it discovers involve its smallest business customers.
Not convinced of the issue? Read this story [Wall Street Journal, may require a subscription] about City Newsstand Inc., which never made a single headline but had its profits cut in half by malware running on its cash register system, depositing its customers’ credit card numbers onto servers in Russia. In the story the owner is quoted as saying “Who would want to break into us?” That thinking is part of the problem.
The simple truth is: if you process financial transactions, there are a lot of people who’d love to have that data, and it’s much easier to get it from small businesses, because their systems and networks are so much less secure than those of big businesses. If Sony and others (see here and here) can’t get it right, how the hell can a small business with no network admins or systems administrators?
And that’s the crux of the problem: so far, small businesses aren’t getting it right and simply don’t have the resources to do so, and most are unaware of the liability they are open to if it all goes wrong. From the WSJ story above you’ll note a few businesses that have gone bankrupt off the back of a hack or malware exposure on their infrastructure, and even when they don’t go under, the cost of a hack or a piece of errant malware can run to tens of thousands of dollars to put right; to some companies operating on wafer-thin margins during the downturn, that could be enough to push them over the edge.
So, what can you do about it?
Our ten-step plan won’t stop the most determined thieves and hackers, but it can help mitigate risks, alert you to problems and perhaps, just perhaps, keep you on the right side of PCI-SSC compliance, which might reduce the costs you have to bear if you get hit.
- Have this rule: if it’s a computer, it runs anti-malware (antivirus, anti-spyware, and anti-spam if email comes into it). It doesn’t matter whether that computer is a cash register or your main accounting system.
- Use a dedicated firewall. Hardware firewalls are often built into reasonably priced routers, so upgrade yours and keep the firmware and software (if any) updated.
- Run operating system updates daily, and patch systems as soon as updates are available. The same goes for application software, most especially cash register products.
- If a computer doesn’t need to be connected directly to the internet, consider not connecting it.
- Don’t put off updates. Yes, they interrupt your business; do them anyway: they interrupt your business far less than going bankrupt because you got hacked.
- Audit: find out where your risks are. Check that everything running on your network is supposed to be there, that it is all up to date, and that it is all running security software.
- Audit: there are plenty of free checking tools that can tell you about issues on a system. Use them, and use them regularly.
- Change default passwords. If the login for a system was Username: Admin, Password: Admin, it should be changed BEFORE any sensitive data is put on that system. This applies to computers, routers, firewalls, the self-protection settings on antivirus software, web sites, ecommerce shop logins etc. The harder you make it for a thief or hacker, the more likely they are to move on and go elsewhere.
- Don’t use the same password for everything. Better yet, generate difficult passwords. Don’t write them down next to the PC; if you must keep a record, keep it encrypted in a password manager program.
- Don’t forget mobile devices, like your smartphones. If it connects to your network, it’s a risk.
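The two “Audit” steps and the default-password step above can be turned into one repeatable check rather than a one-off look around. The script below is an added example, not code from the original post: it compares a device inventory you maintain by hand (hostname, MAC address, role, whether anti-malware is installed, the last patch date, whether the default password was changed) against the MAC/IP pairs actually seen on the network, for example copied from your router’s DHCP lease table, and reports unknown devices, devices that have not been patched within 30 days, devices without anti-malware, and devices still on a default password. The CSV column layout, the 30-day patch window and all the device names, addresses and dates are constructed assumptions of this example.

```python
"""Audit a small-business network against a hand-maintained device inventory.

Added example, not code from the original post. The CSV layouts, the 30-day
patch window and every device, address and date below are constructed for
illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory: what SHOULD be on the network.
INVENTORY_CSV = """\
hostname,mac,role,av_installed,last_patched,default_password_changed
till-01,00:11:22:33:44:01,cash_register,yes,2011-06-20,yes
till-02,00:11:22:33:44:02,cash_register,no,2011-03-02,yes
office-pc,00:11:22:33:44:03,accounting,yes,2011-06-28,no
router,00:11:22:33:44:04,firewall,n/a,2011-01-15,no
"""

# Constructed sample of what was ACTUALLY observed (e.g. DHCP leases).
# The last entry is not in the inventory at all.
OBSERVED_CSV = """\
mac,ip
00:11:22:33:44:01,192.168.1.10
00:11:22:33:44:02,192.168.1.11
00:11:22:33:44:03,192.168.1.20
00:11:22:33:44:04,192.168.1.1
00:11:22:33:44:99,192.168.1.57
"""

# Anything not patched within this window is flagged (assumed policy).
MAX_PATCH_AGE = timedelta(days=30)


def load_csv(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(inventory_csv, observed_csv, today_iso):
    """Return a sorted list of (device, finding) tuples.

    `today_iso` is the audit date as YYYY-MM-DD, passed in rather than read
    from the clock so the result is reproducible.
    """
    today = date.fromisoformat(today_iso)
    inventory = {r["mac"].lower(): r for r in load_csv(inventory_csv)}
    observed = {r["mac"].lower(): r for r in load_csv(observed_csv)}
    findings = []

    # 1. Devices on the network that nobody put in the inventory.
    for mac in observed.keys() - inventory.keys():
        findings.append((mac, "unknown device at %s; identify it or remove it"
                         % observed[mac]["ip"]))

    # 2. Inventory devices that were not seen (switched off, or replaced?).
    for mac in inventory.keys() - observed.keys():
        findings.append((inventory[mac]["hostname"],
                         "in inventory but not seen on the network"))

    # 3. Per-device checks from the checklist: anti-malware, patch age,
    #    default credentials. "n/a" for av_installed (e.g. a router) is
    #    deliberately not flagged; only an explicit "no" is.
    for mac, dev in inventory.items():
        name = dev["hostname"]
        if dev["av_installed"].strip().lower() == "no":
            findings.append((name, "no anti-malware installed"))
        patched = date.fromisoformat(dev["last_patched"])
        age = today - patched
        if age > MAX_PATCH_AGE:
            findings.append((name, "last patched %s (%d days ago)"
                             % (patched.isoformat(), age.days)))
        if dev["default_password_changed"].strip().lower() == "no":
            findings.append((name, "still using the default password"))

    return sorted(findings)


def audit_sample(today_iso="2011-07-01"):
    """Run the audit over the constructed sample data."""
    return audit(INVENTORY_CSV, OBSERVED_CSV, today_iso)


if __name__ == "__main__":
    for device, finding in audit_sample():
        print("%-20s %s" % (device, finding))
```

Run it on a schedule (a weekly reminder is enough for a small shop) and treat every line it prints as a task: an unknown MAC address on the till network is exactly the kind of thing the City Newsstand owner would have wanted to know about early. The audit date is a parameter rather than the system clock so that two people running it on the same inventory get the same report.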