CybersecurityCyber criminals target small businesses

Published 19 October 2012

A recent study conducted by the National Cyber Security Alliance and Symantec found that 77 percent of small business owners in the United States think their company is safe from cyber criminals; trouble is, 83 percent of them do not have a cyber security plan

Many people do not think of cyber criminals or hackers when they are on the Internet doing business or just browsing for fun. People who run small businesses think largely the same way.

A recent study conducted by the National Cyber Security Alliance and Symantec found that 77 percent of small business owners in the United States think their company is safe from cyber criminals. Trouble is, 83 percent of them do not have a cyber security plan.

BYTE reports that the main issue is that small businesses do not know what to do with critical information they have stored on their computer and mobile systems. Cyber threats on businesses can come from several places — the most popular being outside the organization from a hacker, or from within the organization when an employee or ex-employee steals data.

Ellen Richey, chief enterprise risk officer Visa Inc, said small businesses that conduct their transactions online with debit and credit cards, leave themselves exposed in more than one way. They could be at risk from thieves who are attempting to steal their information, or from a hacker who steals someone else’s identity or credit card and makes purchases with it.

Consumers can also be at risk, especially if they are using social networks to post information about themselves. Hackers are using social engineering more often as a way to get into a customer’s account, according to Richey.

We at Visa want to make security important to small businesses by getting data out of their system,” Richey told BYTE. “by moving to a dynamic data system. That way, even if a cyber criminal stole a card number, the person still couldn’t use it to commit fraud.

If we had that fully in place that would reduce the opportunity to commit fraud because small businesses wouldn’t have valuable data anymore. In the future, only the big aggregators of data — like Visa itself, will have vulnerable data.”

Richie offers five tips for establishing a cyber security policy (see also Visa’s Security Sense page)::

  • Not knowing what data you even have and where it is can put you at risk. Know the who, what, where, of your sensitive data and what kind of payment data you actually have, where it is, and who has access to it. This enables you to know where your risk is.
  • If you do not need the data, don’t keep it. Companies tend to store payment information on their laptop. They may even allow employees to access it on their own devices, which become more likely with the BYOD trend. However, there are cloud services available for payments and encryption. For instance, Visa is coming out with a way to store secure data, including a point-to-point service and tokenization service.
  • Outsourcing a secure solution provider can often introduce vulnerabilities. For instance, if a company hires a sales person from an outside company and that person comes in and installs the payment application on the computer system — and forgets to change the password. The most common mistake is leaving in place the default password. The problem usually occurs because the companies have outsourced the project to a reseller. It is not clear who is responsible for changing the password.
  • Use secure devices and applications when accepting payments — Visa maintains a list of those gadgets on its web site. Small business owners can go and look and see what meets the standard. There are compromised applications that they should avoid still in the market place, so it’s better to be aware of the risks instead of being ignorant to them.
  • For payments specifically, there are certain tools that small business owners could use for verification, which include the code on the back of the credit card, address verification, or even install a physical space upgrade to EMV chip technology that will allow consumers to pay with smart cards.

In addition to education and awareness, technology can help close the gap in security and payment systems. For example, Mastercard and Intel recently announced that it is implementing PayPass, a near field communication technology in their Ultrabooks, allowing users to make online payments by tapping a card or their phone on their Ultrabook. Facebook, which has been conducting transactions online for years, has a system that allows you to use two separate forms of identification.

The methods for small businesses to protect themselves are out there, but small business owners must become aware of them or face the threat of having their systems hacked and losing important information, losing their customers information, or having their information put on the internet.