
By Tamara Worden

Cyberattacks are among the biggest threats faced by small businesses.  And yet, cybersecurity is often ignored by small business owners.

“My business is too small to be targeted by hackers” is a common refrain, but it couldn’t be further from the truth.  The major banks and retailers may get the bulk of the attention when a cyber-breach occurs, but small businesses are most definitely in the crosshairs of cybercriminals.  As a matter of fact, the U.S. Small Business Administration reported that half of small and medium-sized businesses surveyed were the target of a cyberattack in 2015.

The alarming truth is, many small businesses are easy targets for cybercriminals because owners don’t prioritize cybersecurity, or think that they don’t have the resources to ensure security.  Making matters worse, small businesses also lack the deep pockets of larger companies, which limits their ability to recover from a cyberattack.  It has been estimated that half of small and mid-sized businesses that suffer a cyberattack go out of business within six months.

It’s a vicious cycle that can – and must – be fixed.  With proper attention and some guidance in three critical areas, small business owners can shore up their defenses to dramatically reduce their cybersecurity risks, while also maximizing their chances to successfully recover should they fall victim to a cyber-event.

Securing Payments Equipment and Networks

All equipment that is connected to the Internet must be protected from cyber-intrusions, but payment systems should be the first priority for any business that uses them.  These systems obviously contain highly sensitive financial data, both for the business and its customers and partners, making them a primary target for cyber-criminals.  They are also specialized, requiring specific attention from the business owner to ensure that systems are updated to the latest security technologies.

Unfortunately, point-of-sale (POS) payment systems are also an area where some small business owners look to save money by using older equipment.  More often than not, this equipment is either incapable of delivering the latest security protections, or is not updated to provide full security.  These older systems are commonly found at online auction sites and at offline auctions and sales, and they can present a significant risk for buyers who don’t know what to look for in POS security.

Whether you’re looking to evaluate the security of an existing payments system or considering a POS upgrade, you should start with the Payment Card Industry Data Security Standard (PCI DSS).  This standard, created by the major card brands, includes some common security precautions that make sense for all connected equipment, such as maintaining updated antivirus software and installing a firewall to protect business networks and customer financial data, as well as more complex payments-specific requirements, such as ensuring encryption of payments data and maintaining secure payment system applications.

Beyond equipment and networks, data storage is a key security risk that is often overlooked.  Business owners should ensure that they are not storing sensitive customer payment information in their payments system or anywhere else in their business networks, unless there is a clear business need.  Outdated or incorrectly configured payments systems can sometimes store information without the knowledge of business owners, creating a significant and needless security risk.

If online information and assessment tools aren’t enough for business owners to confirm the security of their POS equipment and supporting network, it’s well worth consulting with a security professional to evaluate security risks.  A well-equipped payment processor will offer a comprehensive PCI DSS merchant compliance program to all of its merchant customers, utilizing some of the highest-rated certified security consulting companies listed on the PCI SSC website.

The Human Factor

It’s shocking, but far too many small businesses are making it easy for the bad guys by not addressing the simplest and most important security safeguard: strong passwords.  A recent study from Verizon estimates that 63 percent of data breaches take advantage of weak or default passwords.  A strong password should include at least 12 characters, both upper- and lower-case letters, as well as numbers and special characters.  All equipment and every employee at every business should be armed with a strong password that meets these guidelines.
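The password guidelines above can be turned into a check that a business can run when provisioning accounts or POS terminals.  This is an added example, not code from the article; the default-password list is a small constructed stand-in, and a real deployment would load a vendor default list of its own, since the Verizon figure quoted above covers default as well as weak passwords.

```python
import string

MIN_LENGTH = 12  # the minimum length the article recommends

# Constructed stand-in for a vendor default-password list (a real list would be far longer).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome1", "pos1234", "Password123!"}
_DEFAULTS_LOWER = {p.lower() for p in DEFAULT_PASSWORDS}


def password_problems(pw: str) -> list:
    """Return the policy requirements that `pw` fails; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Case-insensitive match so "ADMIN" is still treated as the default "admin".
    if pw.lower() in _DEFAULTS_LOWER:
        problems.append("matches a known default password")
    return problems


def report(candidates: list) -> dict:
    """Check several passwords at once, e.g. the credentials on every terminal in a store."""
    return {pw: password_problems(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in report(["admin", "Password123!", "Tr0ub4dor&3x!Long"]).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{pw!r}: {status}")
```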

The widespread lack of strong password usage reflects a bigger need for many small business owners: the creation of a formal security policy.  Every business owner should consider at least a simple security policy that ensures that all employees follow basic guidelines, such as:

  • Password requirements, including the need for strong passwords, avoiding sharing of passwords, etc.
  • Restriction of access to payments and other sensitive customer information to only those employees with a clear need for access.
  • Protection of any stored customer financial data.
  • The need to lock down terminals and workstations when not in use.
  • Authorized and secure processes for sharing financial and other data.
  • Clear instructions for reporting of suspicious activity, either online or within the business.

Work for the Best, Prepare for the Worst

Ensuring that both equipment and employee practices are optimized will maximize your small business’s security against cyber-threats.  Even so, it’s prudent to develop a plan for dealing with a cyber-breach if and when one does occur.

A cybersecurity response plan will most often have three primary areas of focus:

  • How will the business identify and fix the source of a breach?  Does the business have a trusted online security resource or consultant identified and ready to assist with these efforts?
  • Who will need to know about the situation, and how will you communicate with these audiences?
  • What are the legal consequences of a cyber-breach for the business?  Is in-house or outside legal counsel available to quickly assist if a situation occurs?

An effective plan for dealing with a cybersecurity issue is your last line of defense, helping to minimize the impact of a situation on your customers and your business.

By focusing on these three areas, small business owners can remove themselves from the roster of easy targets for cybercriminals, and ensure that their businesses are positioned to thrive in a world where online threats are persistent.

Tamara Worden is an original employee of Sterling Payment Technologies, starting in February 2001, and currently serves as Senior Director of Card Brand Compliance, managing the Compliance, Payment Relations and PCI DSS departments at Sterling.  She has more than 21 years of experience in the payments industry in a variety of management roles, including Project Management, Application Processing, Training, Quality Assurance, Retention, Terminal Leasing and Portfolio Management.  Tamara is an ETA Certified Payment Professional.