SMB Data Breach Fallout
For any organization a data breach is a disruptive experience. Besides the distraction from daily operations, and unwanted publicity, a data breach brings a huge financial burden as well. Most large businesses have the resources to weather the storm, but many small and mid size businesses aren't as fortunate. Most SMBs don't have the capital or technical talent on staff to properly respond to a data security breach. Given that 71% of data breaches target small businesses, I thought it would be beneficial to discuss the fallout of a security breach and the impact it could have to a small business.
I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are typically not found on the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendations are to fix every single vulnerability found. This would exclude vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.
Cyber Attacks & Emergency Preparedness
Today I came across an article published on the Digital transactions. The overall focus on the article was about how small, level 4, merchants are still lagging behind when it comes to PCI compliance and conducting risk assessments in their organizations.
Data Breach Statistics
While doing a little research, I came across some interesting statistics about data breaches. I just wanted to share them along with some of my thoughts.
Self-Assessment Questionnaire C-VT Explained
With the newest version of the PCI DSS came a new SAQ type - SAQ C-VT. This particular SAQ form is geared toward a special branch of merchant. Even though SAQ C-VT qualifying merchants use the Internet to process credit card data, they do it in such a way that most of the responsibility of security is off-loaded to a third party. In order to qualify for SAQ C-VT, merchants must use a third party virtual terminal to process all credit card transactions.