While I was reviewing information regarding a couple of small businesses that suffered losses from computer-savvy criminals, I read a quote from one of the business owners who said, “Who would want to break into us?” This is the sentiment of many small and medium-sized business owners I have dealt with over the years. Unfortunately, these losses confirm what I have always said about small business security—you are never too small to be a target!
It Would Never Happen To Us
Businesses, in general, and small business owners, in particular, need to get past the mindset that crime can never happen to them. Cyber criminals are going beyond just large corporations and looking for easy targets, and small businesses are one of those targets because they are becoming digitally oriented. This means that they are computerized and store digital information such as customer information and credit card transactions. Also, small businesses usually have fewer resources, including available money and technical expertise, with which to make themselves electronically secure. In 2010, Verizon’s forensic unit investigated 761 data breaches. Of those, 63 percent were at businesses with fewer than 100 employees.
How It’s Done
The fact of the matter is that businesses face numerous types of security threats, which makes them harder to defend against. Cyber criminals scan the internet using a variety of tools, looking for computer systems that have known vulnerabilities, have default user names and passwords, are not securely configured, or have a variety of other issues. Most of the time it does not take long to find vulnerabilities, given the number of high-speed internet connections that businesses and private individuals now have access to.
The threat to POS (Point of Sale) systems in retail businesses cannot be overlooked. Of the two businesses noted in the article I read, one had its POS software running on a system that was connected directly to the internet. The owner regularly updated the system as well as the POS software, but that did not stop the attack, which infected the system with malware. The owner also used remote access software so that he could access the system if needed when he was not at his place of business. Anyone who had the password could gain access to the system, and since the owner had picked a weak password, it did not take cyber criminals long to penetrate it.
Security Tips
The cost of a data breach can put a company out of business, not only from the fraud but from the cost of responding and the potential lawsuits that usually follow. In addition, business merchant accounts may be discontinued after a data breach. Without the ability to accept credit cards, many businesses would be forced to close. The following recommendations can help businesses secure their computer systems.
I do not recommend the use of remote access software because of the security risks involved in its use. If remote access software is required for a certain type of business, though, I would recommend an investment in a remote access appliance that can set up VPN connections to the business. The default passwords on these types of devices need to be changed to a secure password, one not easily broken by a cyber criminal.
Also, be aware of the ways that malware can infect computer systems. Be careful what is downloaded and where it is coming from. This includes software, videos, e-books, pictures, and other related material. Malware can also come from websites that are visited, even without interaction with the site. Simply going to the wrong site can result in a system becoming infected. Also, be careful which email attachments are opened and which links in an email are followed. Both can result in a malware infection.
For POS systems, it is best, if possible, not to allow access to the internet with the POS software. The POS software will need to be able to transmit the customer’s credit card data, but the POS system should not have access to the internet other than for this one purpose.
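One way to check that a POS system really talks to the internet only for card transactions is to audit the firewall's flow records against an allowlist. The script below is an added example, not something from the incidents described above; the log format, the IP addresses, and the processor network are all constructed assumptions.

```python
import ipaddress

# All addresses are assumptions for illustration (RFC 1918 / RFC 5737 ranges).
LAN = ipaddress.ip_network("10.20.0.0/24")          # the shop's internal network
POS_HOSTS = {ipaddress.ip_address("10.20.0.15")}    # the register
PAYMENT_ALLOWLIST = [(ipaddress.ip_network("203.0.113.0/28"), 443)]  # card processor

# Constructed flow records: direction src dst dst_port action
SAMPLE_FLOWS = """\
out 10.20.0.15 203.0.113.5 443 allow
out 10.20.0.15 198.51.100.77 80 allow
in 198.51.100.9 10.20.0.15 3389 allow
out 10.20.0.15 198.51.100.77 443 deny
out 10.20.0.30 198.51.100.20 443 allow
out 10.20.0.15 10.20.0.2 445 allow
garbled line
"""

def is_payment_flow(dst, port):
    """True when the destination is an allowlisted processor network and port."""
    return any(dst in net and port == p for net, p in PAYMENT_ALLOWLIST)

def audit_flows(text):
    """Return (line_number, reason) for each permitted flow that breaks the rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            direction, src, dst, port, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            findings.append((n, "unparseable record"))  # never skip silently
            continue
        if action != "allow":
            continue  # the firewall already blocked this flow
        if direction == "out" and src in POS_HOSTS and dst not in LAN:
            if not is_payment_flow(dst, port):
                findings.append((n, f"POS egress to {dst}:{port} is outside the payment allowlist"))
        elif direction == "in" and dst in POS_HOSTS and src not in LAN:
            findings.append((n, f"internet host {src} reached POS port {port}"))
    return findings

if __name__ == "__main__":
    for n, reason in audit_flows(SAMPLE_FLOWS):
        print(f"line {n}: {reason}")
```

An empty result means every permitted flow touching the POS host was either internal or went to the card processor; any finding is a firewall rule to tighten.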
Lastly, look at the PCI security guidelines put out by the Payment Card Industry Security Standards Council. These guidelines provide guidance to small business owners on a variety of technical security measures and are required for those businesses that accept credit cards.
Small businesses need to get rid of the mindset that they are too small to be attacked or targeted by cyber criminals. They are just fooling themselves. There are numerous small businesses that thought the same thing until a data breach occurred, and it was too late to do anything. Security improvements always cost more time and money when done after the fact. Please leave a comment, and let everyone know your experiences regarding data breaches and small businesses.
Ron Pauls says
I’m a two person small business owner and have been attacked. No one is exempt. These bad people will crash your system just for fun. Be aware and be secure.