Cybercrooks target vulnerable small businesses

Small business owners are a big target for cyber criminals. Why? They have what the bad guys want: bank account information, employee lists, and customers’ credit account information.

You can’t defend yourself if you don’t know you’re being attacked. And most small business owners don’t realize that they are now the new target for cyber criminals.

According to a recent survey conducted by Visa and the National Cyber Security Alliance, more than 85 percent of small business owners believe their companies are less of a target for cybercrime than large companies.

That could explain why nearly half of the small business owners surveyed said they believe the high cost in both time and money to fully secure their business is not justified by the threat. Nearly half also said their employees received no training about network and mobile device security during the past year.

“The greatest threat to a company’s cyber security is complacency,” says Michael Kaiser, executive director of the National Cyber Security Alliance, who finds these results alarming. “You need to defend your business in the same way that you would lock your door at night and have physical security.”

Kaiser wants small business owners to realize they are very much a target because they have what the bad guys want: bank account information, employee lists, and customers’ credit and debit card account information.

“We’ve seen many cases now where by stealing the banking credentials of a small business, the cybercrooks have gone in and drained their bank account of $300,000 or $400,000 in one fell swoop,” Kaiser says.

Last October, authorities in the Ukraine arrested five people whom they accused of using the Internet to steal $70 million from U.S. bank accounts. The FBI says their elaborate scheme, which used malicious software to capture account numbers and passwords, focused on small and medium-sized companies.

“You go after a small business because they’ve got the money and they are vulnerable,” explains Robert Vamosi, a security analyst at Javelin Strategy and Research. “They have all these assets that they move around, but they don’t have the IT staff or the tools that large corporations have to defend themselves.”

Cybercrime is bad for business
Seattle’s Broadway Grill is known for its “cheap food” and twice-a-day happy hour. Matthew Walsh, 27, bought the place last year. It’s his first restaurant and Walsh says he assumed the computer system was secure. So he focused all of his attention on his customers.

But the computer system did not meet industry security standards, something cyber criminals were able to exploit. On October 22, 2010, someone broke in to the computer system and stole the restaurant’s account information as well as the credit and debit card accounts of hundreds of customers.

“I was so stressed and so upset,” says Walsh, who contacted his bank and the authorities as soon as he realized there was a problem.

The hack attack made the local news. Some customers stayed away, afraid to use their cards there.

“I was really scared for the future of the business,” Walsh tells me. “This could have completely destroyed everything that I’ve worked so hard for my entire life.”

The U.S. Secret Service, which is handling this case, believes it was a professional hit done by someone overseas.

“There was an opening or vulnerability in the system that was exploited by the hacker,” says agency spokesman Bob Kierstead. “He or she was able to very quickly extract all the information needed.”

Those credit and debit card numbers were sold online to other thieves who put them on counterfeit or stolen cards and used them to buy things. No one has been arrested yet, but agents are optimistic they will locate the crook.

The Secret Service says most network intrusions like this take place at businesses that are not PCI compliant. That is, they don’t meet the Payment Card Industry standards for merchants who conduct credit or debit card transactions.

Kierstead says he does not believe the owner of the Broadway Grill knew he was not PCI compliant until the damage had been done. The restaurant is now fully secure.

Bob Russo, general manager of the Payment Card Industry Security Standards Council, says anyone who goes into business without worrying about security is planning to fail.

“It must be part of their DNA,” Russo says, “because the worst thing that can happen is a compromise. It can literally put you out of business.”

How to secure your business
This list of best practices is based on my conversations with numerous cyber security experts. Any business that uses the Internet or does any online transactions should have:

  • Good security software that is automatically patched and updated.
  • The latest browsers (because they are more secure).
  • Policies that stipulate how and when employees can access the Internet.
  • Rules for employees who access the computer system from home or a mobile device.

“You also need to know how to use the tools available to you,” advises Randy Abrams, director of technical education with security software maker ESET. “Because having those tools and not knowing how to use them doesn’t help you out.”

ConsumerMan Tip: Pay attention to security news. StaySafeOnline is a good resource.

Can customers protect themselves?
Unless you only pay with cash, there isn’t much you can do to avoid being the victim of a data breach. There’s no way for you to know if a merchant’s computer system is secure. And size is not a reliable indicator of safety. Big companies get hacked, too.

The best you can do is look for signs of trouble by checking your bank and credit card statements regularly. Security experts say that means at least once a week. If you see any charges or withdrawals that don’t seem right, contact your bank or credit card company immediately.

And let me say this one more time – you have more anti-fraud protection when you pay with a credit card. If your account number falls into the wrong hands, you can challenge any fraudulent charges and you are not required to pay them until the credit card company investigates.

With a debit card, a crook can drain your bank account, leaving you without money until the bank verifies the problem and agrees to replace the funds. In my book, that’s a big difference.