October is National Cyber Security Awareness Month. Throughout the entire month, we will feature topics on our blog covering a variety of security concerns. In this first post, we will touch on four strategies to help merchants minimize cyber attacks.
First introduced by the Department of Homeland Security and the National Cyber Security Alliance in 2004, Cyber Security Month was designed to raise awareness of how we interact with and manage the “Internet of Things.”
Although this annual campaign has helped improve payment security and data storage, there’s still a lot more that needs to be done. In 2017 alone, we’ve witnessed two of the largest cyber attacks in recorded history: the WannaCry ransomware virus and the Equifax data breach.
If you read only the headlines, it’s easy to be lulled into a false sense of security. After all, most high-profile attacks seem to target major companies. But cyber security is a problem that affects organizations of all sizes. In fact, smaller merchants often represent some of the easiest targets since they typically implement the fewest safeguards.
According to the Department of Homeland Security, nearly half of all small businesses have fallen victim to some type of cyber crime, with the average attack costing these merchants around $9,000 in losses.
This amount doesn’t necessarily include the many hidden costs associated with cyber crime, including:
- Time and money spent disputing fraudulent charges
- Fees, penalties and litigation that accompany cyber attacks
- Lost consumer confidence in your ability to safeguard payment data
Worse still, cyber crime will only increase as society moves more of its activity online. The Internet represents fertile ground for modern criminals since cyber attacks are:
- Remote. Thieves no longer have to live nearby to negatively impact your business. They can work from anywhere.
- Anonymous. It’s difficult to verify the authenticity of whomever you interact with online.
- Scalable. In the online world, stealing one credit card is almost as easy as stealing millions.
Against this backdrop, what steps can you take to protect yourself, your business and your customers? Below are four effective strategies to reduce the frequency and severity of cyber crime within your organization.
1. Invest in Secure Payment Processing
This is arguably the most important starting point. Although no single strategy can offer foolproof protection, the more secure your payment environment is, the less appealing your business is as a target.
Therefore, it pays to invest in:
- PCI-compliant payment processing with a reputable provider
- Tokenization, point-to-point encryption and fraud management filters
- SSL certificates (for online stores) and EMV terminals (for physical stores)
In addition, you should require extra verification steps for every transaction — both online and offline:
- For Internet sales, ask for billing addresses and CVV codes — in addition to the usual credit card numbers and expiration dates.
- For in-store sales, check the signature on the back of the card to make sure it’s filled out properly.
2. Protect Sensitive Data — After the Fact
The strategies above can help safeguard payment information, both at the point of sale and during transit. However, cyber crime often affects data that has already been captured and stored. This is precisely what happened with the Equifax data breach.
Common strategies for better data storage include using on-site encryption to make stored information unreadable for outsiders. You might also consider limiting access to customer information on a “need-to-know” basis among your employees, suppliers and vendors.
However, the most effective strategy is to limit the amount of data you store and capture in the first place.
For example, hosted payment pages allow you to safely “process” credit cards without this information ever entering your payment environment. With nothing to store, there’s nothing for thieves to steal.
3. Install Updates, Patches and Virus Protection
Outdated platforms often invite unwanted attention. The WannaCry ransomware virus, for example, exploited vulnerabilities in Windows XP — an operating system released nearly two decades ago.
Don’t make the same mistake.
- Make sure you have the latest hardware (e.g., EMV terminals instead of legacy readers).
- Install the latest updates and security patches for all the software your team uses.
- Invest in firewall protection and a reputable antivirus program (for every computer and mobile device).
4. Train Your Employees and Customers
Even with the aforementioned safeguards in place, cyber security isn’t automatic. You still need to talk to your employees about the importance of credit card theft protection and secure password generation. They should also learn how to properly store and manage information that enters your payment environment.
- With sufficient training, every member on your team can become a powerful ally in the fight against cyber crime.
- Without that training, however, your employees represent “weak points” that criminals will be only too happy to exploit.
The conversation can’t end there. You also need to educate your customers on how to protect their own data, especially when they interact with your business.
Your customers must understand:
- How to spot phishing emails, even those that are branded to look and feel like they’re coming from you.
- The importance of creating secure and unique alphanumeric passwords for every site they visit. Resources such as LastPass.com and KeePass are great tools for helping with this.
- That you’ll never request personal information from them via email or text. If they need to manage their accounts, they should log into your company’s website directly.
For additional tips on how to train your customers to spot cyber scams, be sure to check out this free infographic from StaySafeOnline.org.
Successful Cyber Security Is an Ongoing Process — Not a One-Time Event
There’s no doubt that the steps above will keep you, your business and your customers safer. But again, no strategy is 100 percent foolproof. This is because criminal tactics evolve over time. Safeguards that worked perfectly yesterday might not be enough to stop the cyber attacks of today … or tomorrow.
This is why protecting yourself is an ongoing process, and not a one-time fix. Although we officially recognize National Cyber Security Awareness Month every October, we should continue to “unofficially” celebrate this event throughout the year.