The National Small Business Association polled 675 small businesses to find out how many had become victims of a cyber attack during the past 12 months. The answer was that almost half had experienced a breach, up from 44 percent in the prior year of 2013. And of those who reported being hacked last year, 68 percent said they had been victimized by cyber criminals more than once.
Breaches at large organizations often grab headlines, but retailers and restaurants are more vulnerable to attack because criminals know that many of these companies do not have adequate preventative measures in place. So far in 2015, approximately 80 percent of all cyber attacks have targeted small businesses, and that number is growing. The mitigation costs of an attack for a small business can be significant. While large businesses spend hundreds of millions of dollars recovering from an attack, most have the resources to do it, and in time, the breach is just a dent in an otherwise intact superstructure. Small businesses aren’t so lucky. According to the National Cyber Security Alliance, some 60 percent of hacked small businesses go out of business within six months of an attack.
What’s critical for SMBs to understand is that every business, even a small one, is a worthwhile and valuable target to hackers. Therefore, it’s a business imperative to ensure that layered security measures are in place to protect against cyber threats.
Here are six common mistakes that lead to small business credit card breaches:
1. Failure to protect incoming Internet traffic
The first step in stealing data is finding an avenue into the targeted business. All of a business’ data circuits and its Internet connections must be protected by a robust and adaptable firewall that shields the business from unwanted incoming traffic.
2. Lack of control over outbound Internet traffic
In addition to blocking unwanted traffic from getting into a location, it is always a good practice to selectively block outgoing traffic as well. Many modern breaches involve software that becomes resident on the network and then tries to send sensitive data to the hacker’s system via the Internet. No system can completely prevent unwanted malware or viruses, so a good last line of defense is making sure secure data doesn’t leave the network without the network administrator’s knowledge. The same firewall mentioned above should be configured to monitor outgoing traffic as well as incoming.
3. Failure to adequately protect on-premise Wi-Fi
As people and devices are more connected to the Internet, customers will expect that they will have access to wireless communication while they are in your business. However, wireless networks can potentially expose sensitive data from your systems, especially if you are using wireless in a retail environment. A security strategy is needed to configure devices to meet operational goals, but also protect the business at the same time.
4. Failure to use 2-factor authentication
When permitting remote access to a network, it is essential that this access is restricted and secure. At a minimum, access should only be granted to individual (not shared) user accounts using 2-factor authentication and strong credentials. Remote access activities should also be logged so that an audit trail is available.
5. Not updating anti-malware software
It is critical to keep all anti-virus/anti-malware software up to date with the latest versions and definitions. The companies that make anti-malware software monitor threats constantly and regularly update their packages to include preventive measures and improvements to thwart malware seen in other attacks.
6. Failure to patch all operating systems as security enhancements are released
Much like anti-virus/anti-malware updates, designers of operating systems are constantly improving their software to prevent hackers from stealing data, especially if a criminal manages to bypass the built-in security. It is essential that the latest security releases and patches be installed on all systems.
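To make point 2 concrete, the following is an added example, not part of the original article: it reviews outbound firewall log entries and reports any traffic leaving the card-handling network for a destination that is not on an approved list. The log format, the POS subnet and the payment processor address range are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: card-handling (POS) devices sit on their own subnet and only
# need to reach the payment processor over TLS. Both values are hypothetical.
POS_NET = ipaddress.ip_network("10.10.20.0/24")
ALLOWED = [(ipaddress.ip_network("198.51.100.0/24"), 443)]

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2015-06-01T09:02:11 OUT src=10.10.20.11 dst=198.51.100.7 dport=443 bytes=1820
2015-06-01T09:02:40 OUT src=10.10.30.5 dst=203.0.113.80 dport=80 bytes=5300
2015-06-02T02:14:07 OUT src=10.10.20.11 dst=203.0.113.40 dport=21 bytes=48211900
2015-06-02T02:20:31 OUT src=10.10.20.12 dst=198.51.100.7 dport=8080 bytes=640
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

def unexpected_egress(log_text, pos_net=POS_NET, allowed=ALLOWED):
    """Return POS-subnet outbound flows not on the allowlist, largest first."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # ignore entries with invalid addresses
        dport = int(m["dport"])
        # Both the destination network and the port must match an approved pair.
        approved = any(dst in net and dport == port for net, port in allowed)
        if src in pos_net and not approved:
            findings.append({"ts": m["ts"], "src": str(src), "dst": str(dst),
                             "dport": dport, "bytes": int(m["bytes"])})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)

if __name__ == "__main__":
    for f in unexpected_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']} bytes")
```

In the sample, traffic from the non-POS address is ignored, while the large overnight transfer and the connection to an unapproved port are both reported for the administrator to review.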
In almost every breach over the last 24 months, businesses failed to incorporate at least one of these measures. Small business owners, franchisors and franchisees are aware that they must protect against cyber threats while maintaining compliance with credit card industry regulations, and managing the network and Wi-Fi access, but the key really is being aware of how to secure their environments. It would be irresponsible to ignore the problem or pretend that a payment system or credit card breach could never happen to them. Proper management of security and consistent maintenance should be the goal of any security program. Taking the appropriate steps today will help small business owners avoid joining the ever-increasing list of businesses that are in the headlines each week.
Kevin Watson is CEO of Netsurion, a provider of data security and computer network management services for multi-location businesses.