Today I came across an article published on Digital Transactions. The overall focus of the article was on how small (Level 4) merchants are still lagging behind when it comes to PCI compliance and conducting risk assessments in their organizations.
As I was reading the article, the thought popped into my head that for many small businesses, cyber attacks and data breaches should be approached much like preparing for any emergency or natural disaster.
Those that usually get impacted the worst when a natural disaster hits are those who think it won't happen to them or refuse to heed the warnings that are given. Sometimes there is nothing you can do to avoid the situation, but you can always be prepared. In the case of a natural disaster, you can make sure you are covered by insurance, and have food storage and cash on hand and set aside to carry you through the ordeal. Sensible emergency preparedness is feasible for just about everyone.
The same holds for businesses, especially small business owners. The warning signs are out there. The threat of a cyber attack and a data breach is real. It is crucial that small business owners start to take them seriously and prepare for the emergency. The Digital Transactions article says:
Small-merchant vulnerability to card-data breaches is a rising concern because hackers target these businesses on the theory that they are less likely to have protected their data. Some 95% of all credit card data breaches, in fact, involve customers of small businesses, according to Visa Inc. data.
Based on Visa data, 95% of breaches involve small businesses. That is a very high percentage. The situation gets worse when the article addresses how many merchants actually think it's an issue.
Yet 71% of small merchants see themselves as at little to no risk of a compromise... That’s down from 79% last year and 82% in 2011, but still much too high.
That is a lot of unsuspecting and unprepared businesses. I always say, "Emergency preparedness is one of those things you hope you never have to use, but would hate to be caught without." Many owners don't think "hacker preparedness" is necessary because they just aren't big enough to be a target. In many cases, small business owners have the most to lose. The article states:
The risk is especially poignant for those businesses that go unprotected and sustain a data breach. Just 5% of respondents said they had suffered a breach, but of these victims, half said the impact had been either “medium” or “high,” with “high” meaning the compromise had nearly forced them to close. The consequences were most dire for businesses with 11 to 50 employees.
When you consider the fines, forensic investigations, data breach remediation, and stricter PCI requirements that come with a data breach, it's no surprise many small businesses can't survive the crisis. In the long run, it is cheaper to prepare your business for a cyber attack and other possible threats.
To prepare, you first need to identify the potential threats, then design controls that will mitigate them, and finally prioritize those controls and implement them over time as your time and budget allow. Becoming prepared does take time and resources. To protect yourself and your business from a potential disaster, you need to dedicate time and money.
To wrap this up, here is a list of top cyber preparedness items I would recommend to get you started on protecting your business:
- Sign up for a Breach Protection Plan - These plans offer financial compensation to help cover your costs in the event of a data breach.
- Scan & Monitor Your Network for Vulnerabilities - Take a proactive approach to security. Scanning and monitoring will help identify potential weaknesses before hackers have a chance to exploit them.
- Keep Systems & Applications Up-To-Date - This is one of the most effective things you can do, and it usually doesn't cost anything but time. Operating systems and applications should be kept current. The same goes for POS systems, which are the most critical. Plan for required upgrades so you don't end up with a vulnerable POS system.
- Don't Treat PCI Compliance as a Check Box - The PCI DSS is a good security standard when you really take the time to understand its goal and follow its guidelines. Really evaluating your business practices against the PCI DSS requirements will identify weaknesses and help elevate your business's security posture.
Hope you found this helpful. I don't mean to put fear in you, but I wanted to make you aware of the real threats that are out there and help you prepare for what might happen. The worst thing you could do is nothing. If you don't know how to get started, there are people out there, like us at Aeris Secure, who are happy to get you pointed in the right direction.