Yet more data breaches in the news. This month’s data breaches included Home Depot, Dairy Queen, ATT, Staples and possibly your business.
We seem to learn daily about another business that suffered a data breach and lost millions of credit card records. Small businesses need to be aware of this rising business risk.
A recent study by the security company Damballa found that the “Backoff” malware (used in the Target and other recent breaches) has infected businesses of all sizes. An advisory issued in August by the Department of Homeland Security and the U.S. Secret Service estimated that over 1,000 merchants are affected. Damballa’s study says the increase from August to September was 57%.
The black market for stolen data is immense. There are global companies that deal in stolen data and make big money from it. These criminals use websites, special offers, and targeted marketing to sell their products – just like legitimate businesses. They “source” their products – stolen data – from companies your size as well as large companies.
Several myths exist in the small business space about small businesses’ supposed lack of vulnerability. Here are a few of them:
Myth 1: Hackers don’t want to bother with small businesses like mine because we don’t have enough credit card transactions.
Not true. Small businesses just don’t get the media coverage. Breaches have occurred in which the thieves stole only a few hundred credit card records.
Myth 2: My business doesn’t use a POS system, so I am safe.
Not true. If you take credit card payments and you transmit the data electronically, you can be hacked.
Myth 3: I take credit cards but the responsibility is on the credit card companies, not my business.
Not true. You are responsible if the breach occurs with your system, including transmitting the data or storing the data on your system.
What you can do
As with any other business risk, you can take steps to mitigate the risk. Here are some basic tips:
- Work with your payment processor to use the safest data transaction method.
- You may need to upgrade your merchant terminal or add defenses to your network.
- If you retain any card numbers or account information, make sure the files are encrypted.
- Only allow “need to know” staff access to the data.
- Place your processing system behind a firewall.
- Guard your customers’ card numbers as if they were your own. Don’t risk your reputation and incur data breach recovery expenses by being careless.
Any business that accepts credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). A recent study indicates that only about a third of merchants understand the standard. If you want to learn more, check out the PCI DSS website. You might also want to read this guide to secure credit card processing for non-technical business people from the New York State Office of Cyber Security.