The subject of cyber security has recently been on the front of everyone’s mind. When discussing cyber security, a broad range of topics need to be considered.
We’ve done so much over the last 5 years to transform from soda salesmen who only take cash to value-added service providers who take whichever form of payment a customer wishes to use to purchase the products they want from our retail destinations.
Today we find ourselves in the middle of a red ocean where criminals are working 24/7 to profit from our own lack of knowledge on data security.
As our payment processing vendors work hard to stay ahead of cyber security threats, it’s time for all of us to get up to speed on the full circle of data security and how it impacts our business. Here are some key terms you may or may not be familiar with.
- DATA BREACHES are something we’ve all become familiar with, most recently as we checked to see whether we were affected by the Equifax breach announced in 2017, which exposed the information of 143 million Americans.
- DENIAL OF SERVICE attacks, commonly referred to as DDoS, are attacks in which hackers overload a network by making so many external requests that access by verified users becomes impossible.
- We are all familiar with MALWARE on our computers and the inability to escape infinite pop-ups on our screen. Recently, malware infected company servers for Intercontinental Hotels Group, sending travelers’ payment information to criminals. Malware also infected payment systems at certain Arby’s and Chipotle locations, exposing payment information to criminals.
- PHISHING describes the process used to deceive users into providing sensitive information.
- RANSOMWARE is malware that blocks access to systems and databases until a ransom is paid, usually in Bitcoin.
- SPOOFING is an e-mail that is doctored to look like it comes from a familiar source or well-known organization.
- SPYWARE is software secretly installed on a system without the users’ knowledge.
- VIRUSES & WORMS are programs that infect a computer then replicate themselves throughout the network.
YOU are the target of Cyber Attacks!
Yes, this is intended to get your attention. Companies in the $5 – $150 million range are the bread and butter for cyber criminals. Here are some of the reasons your company is a prime target. Any combination of these reasons moves you higher on the list.
- Your systems hold valuable information.
  - Customer information and credit information
  - Employee/personal information
  - Banking transactions
- You manage thousands of unattended payments.
- Your company is able to pay a ransom!
  - If your company’s databases were held ransom and you couldn’t fix it, could you pay $5000 to get them back?
  - I know it stinks, but many of the NAMA member operating companies have paid ransoms to retrieve their data. Some have paid more than once.
- You have a non-complex IT environment.
  - Do you have a CIO (Chief Information Officer) or a CSO (Chief Security Officer)?
  - Are your routers updated and managed for optimal security?
  - Do you have local or cloud-based servers?
  - Are users keeping critical documents on local hard drives?
  - Do you have data security policies?
  - Do you even know where to start?
Cyber Criminals Feast on Simplicity
Our minds go directly to hackers in hooded sweatshirts or Russian spies when we think about cyber criminals. But an employee who thinks they are being mistreated, or who has a criminal or financial issue, may become the cyber criminal. Think about how you store employee records and how someone with malicious intent could use that information to steal an identity and cause damage to a coworker, or even use a client’s credit card number to cause damage.
91% of attacks begin with a phishing e-mail. It’s not mission impossible! WE ARE LETTING THEM IN!
30% of phishing e-mails are opened. 12% click on the infected link. By comparison, a successful e-mail marketing campaign for your business sees an 18-20% open rate and a 1-2% click-through rate!
Many of the famous data breaches and cyber attacks simply took advantage of improperly configured backups or data inadvertently stored in unsecured locations. UNC Healthcare exposed the personal and medical information of women treated in their prenatal women’s clinic simply by placing the data in a publicly shared folder in an accessible location.
As I previously stated, WE LET THEM IN!
Has anyone, or should I say everyone, received a spoof e-mail like this one from PayPal or Citibank or any number of organizations we trust with our personal and financial data?
At first pass it looks fairly believable.
When you click the link, that looks legit as well.
Don’t get mad when a team member clicks on a phishing spoof e-mail. Instead, proactively and repeatedly educate your team and over-communicate the existence of these threats.
Cyber-crime is evolving, and it is exponentially targeting IoT, the Internet of Things.
Do you know who has hundreds of thousands of IOT devices deployed? You do!
- Vending machines, kiosks, coffee machines and, more recently, the thousands of DVR surveillance systems are all IoT devices.
- They will require your attention related to security threats.
You can prevent cyber-crime in your business.
- START NOW! Experts will tell you to devise a robust written data security plan. And you should! But let’s face it. If you wait for a robust written plan, you will likely experience an attack while you wait.
- You just need to do it! It’s like everything in life that requires effort for a seemingly intangible outcome. Exercise and healthy eating, investing for retirement, becoming an influencer on Snapchat. Just get started.
- NAMA recently published the NAMA Data Security Standards White Paper by Dr. Michael Kasavana and established the NAMA’s Data Security Task Force. Reach out to your NAMA representative for a copy of the white paper and more information.
- Stop sharing passwords and logins. It doesn’t matter if you’re not a computer guy. If you are responsible for your business, you need to be on board and held accountable as much as members of your team.
- In addition to reading the NAMA White Paper, I recommend you visit the Krebs on Security blog. Some of the articles will be over our heads and others will relate to our businesses. Following them on Twitter or your favorite social media platform may be best so you can see the articles in your feed and choose which ones are relevant to your business.
- Change your passwords.
  - 60% of people use the same passwords for everything according to informationsecuritybuzz.com.
  - The 2017 Verizon Data Breach Report cites that 81% of hacking-related breaches leveraged either stolen and/or weak passwords, up from 63% reported in previous years.
  - To make your passwords stronger, make them longer.
- Rely on and communicate with your payment systems vendors. They are investing in and working hard to ensure that you can confidently tell your customers that they are securely sending payment and sharing their data with you.
- Assign a data security lead similar to what many companies do with workplace safety. It does not necessarily have to be the IT guy, but someone who can discuss data security with IT, finance and operations and diligently hold meetings and research and report on the topic.
- Update & upgrade. Anytime your vendors require updates to payment systems, make sure you pay attention, especially if updates include security patches. Make sure your routers and switches are being managed by a professional and updated as required. If you know it’s time to upgrade, do it NOW! It will cost much less than a security breach.
- Consult a professional. Give your IT leader a budget to have an outside team audit your network and processes. Often, your IT team will lack exposure to the latest threats because they are focused on your business.
- Speak to a professional about moving your systems and files to a secure cloud service. There are options for all sizes of business.
- Understand the impact of connecting your kiosk, vending machine, printer or any other device to a customer-provided network. Know how the foreign device will act on the customer network.
As our reliance on data continues to grow and our systems become a mix of local and cloud-based systems, it is crucial that you make data security a key part of your business planning.
This is Security Week at Tech 2 Success. In addition to this article, we will explain how leveraging certain technologies and services will improve your business’ position against a cyber threat and get you started on your company’s data security plan.