Cybersecurity is Everyone’s Business
Cyber-attacks are not aimed only at large targets like Macy’s, Whole Foods and Under Armour, to mention just a few; hackers are targeting smaller businesses as well. According to the third Hiscox Cyber Readiness Report, the number of small businesses reporting a cyber incident rose from 45% in 2018 to 61% in 2019.
And the costs are staggering: the average cyber-attack costs $2 million and, in some cases, forces the shutdown of the business.
Why It Matters Today
While businesses are adopting more sophisticated software and hardware solutions, technology alone is not enough. Frequently, it is a well-intentioned employee who makes a mistake, falls victim to a malicious email, or skirts safe IT practices because they are rushed for time or were not even aware of the safe practice in the first place.
Negligent employees, contractors, and even third-party vendors represent over half of all breaches.
It all Starts with Someone
Your employees need to be aware of their role in preventing cyber-attacks. Training should include:
- what phishing and other malicious emails look like, and why not to click on them
- how to set strong passwords with alphanumeric elements
- the need to change their passwords regularly
- the importance of keeping operating systems and browsers up-to-date; the recent Chrome flaw is a great example
This training cannot be a once-and-done exercise but needs to be refreshed consistently. The U.S. Small Business Administration has developed cyber-security training for small businesses, available here.
What’s Your Cyber Security Policy?
On occasion, a business might have a disgruntled employee or seasonal staff. As a business owner, you need to protect your business with a well thought out cybersecurity policy. Start by asking yourself questions like:
- Does your business have a policy that restricts access to specific data to employees with the right or need to know?
- When it comes to cardholder data, how is that data recorded and stored? Who has access to it, and why?
A template you can follow is here.
If you currently accept cards for payment, or want to, you have signed or will be required to sign a merchant agreement. Your merchant agreement requires you to follow PCI security practices to remain compliant and to continue to accept credit and debit cards for payment. You can find an overview of PCI standards here.
PCI security standards state the business must “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.”
PCI security training should include:
- how to identify “skimming” or other unauthorized devices on POS terminals, and what to look for on credit cards,
- how to handle information given over the phone properly,
- how to respond if a card is declined,
- and the need to keep credit card receipts in a secured, locked area.
An excellent beginning point for PCI compliance, and an excellent resource for building an employee training program, is here.
What is Connected to Your Network?
The number of devices connected to Wi-Fi continues to multiply. As convenient and useful as these devices are, they are also exploited by hackers. Thermostats, printers, scanners, security systems, and other devices are often left untouched for extended periods. Manufacturers might have issued a security patch, but unless the firmware is updated, these devices can pose a risk.
Here are some specific recommendations on how to protect your business from the Internet, from the PCI Security Standards Council:
- ISOLATE USAGE. Don’t use the device or system you take payments with for anything else. For example, don’t surf the web or check emails or social media from the same device or computer that you use for payment transactions. When necessary for business (for example, updating your business’s social media page), use another computer and not your payment device for these updates.
- PROTECT YOUR “VIRTUAL TERMINAL.” If you enter customer payments via a virtual terminal (a web page you access with a computer or a tablet), minimize your risk: don’t attach an external card reader to it.
- PROTECT WI-FI. If your shop offers free Wi-Fi for your customers, make sure you use another network for your payment system (this is called “network segmentation”). Ask your network installer for help with safely configuring Wi-Fi.
- USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.
- USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).
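What “network segmentation” and a “properly configured firewall” look like in practice, as an added example that is not part of the original article or of the PCI Security Standards Council guide it quotes: an nftables ruleset for a small-business router running Linux. The interface names (wan0, wlan_guest, lan_office, vlan_pay) are assumptions chosen for illustration; a real installation would use whatever names the router assigns. The weak, flat configuration is shown first as a comment, followed by the segmented one.

```nftables
# Added example (not from the article or the PCI SSC guide): an nftables
# ruleset that implements the PROTECT WI-FI and USE A FIREWALL advice on a
# small-business router. Interface names are assumptions for illustration:
#   wan0        upstream Internet link
#   wlan_guest  free customer Wi-Fi
#   lan_office  back-office PCs (email, web browsing, social media)
#   vlan_pay    POS terminals / the virtual-terminal workstation
#
# Weak setting: one flat network with forwarding allowed everywhere, so a
# customer's laptop on the guest Wi-Fi can talk directly to the POS terminals:
#
#   table inet flat {
#       chain forward { type filter hook forward priority 0; policy accept; }
#   }
#
# Corrected setting: default-deny forwarding with explicit per-segment allows.
flush ruleset

table inet smb_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let replies flow back for connections a segment opened itself
        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi: Internet only, never into the office or payment segments
        iifname "wlan_guest" oifname "wan0" accept

        # Office LAN: Internet only; it has no business reaching the terminals
        iifname "lan_office" oifname "wan0" accept

        # Payment segment: outbound HTTPS (processor / virtual terminal) and DNS
        # only, so a compromised terminal cannot browse, email or reach the LAN
        iifname "vlan_pay" oifname "wan0" tcp dport 443 accept
        iifname "vlan_pay" oifname "wan0" udp dport 53 accept

        # Anything else aimed at the payment segment is already dropped by the
        # policy; logging it makes probing from guest or office devices visible
        oifname "vlan_pay" log prefix "pay-segment-drop: " drop
    }
}
```

Loading this with `nft -f` on the router leaves the guest and office networks able to reach the Internet but not each other or the terminals, and the log prefix gives a simple line to watch for in the router’s logs when something on the customer Wi-Fi starts knocking on the payment segment.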
Finally, one additional risk is outdated terminals. Not only can these terminals become a security threat due to old firmware, but simply using this outdated equipment can open your business up to other liability risks. With the advent of EMV, beginning in October 2017, the liability for lost-card or fraudulent-card transactions shifts to the merchant if their POS equipment is not EMV compliant.
There is Help
The online resources of the Small Business Administration and other organizations make it easier to identify threats and train your employees. Don’t overlook your payment processing company; cutting-edge payment processing platforms can help mitigate risk and help you remain compliant with PCI and card network rules.
IntelliPay’s experienced sales team and intelligent payment platform can help you not only remain PCI compliant but also improve the financial performance of your business and your bottom line.