Two weeks ago at the CNP Expo in Florida I assembled a panel of specialists to tackle a topic near and dear to my heart: Big cybersecurity fixes for small cyber security budgets.
You see, a data breach for a small business can be debilitating. The costs are not limited to the immediate theft or data loss; they also include the compromise of private communications with customers and other companies, vendor contract details, confidential business information and reputation, all of which affect future income. It is estimated that about half of companies are out of business within six months of a cyber breach.
Just as the internet allows businesses of all sizes and from any location to reach new and larger markets via ecommerce, cyber criminals can attack businesses of all sizes anywhere in the world. Furthermore, in today’s environment small enterprises are increasingly reliant on third-party services and an ever-increasing array of computing equipment in their operations. Both are under attack.
As one of my panelists, Charles Hoff, CEO and co-founder of PCI University, pointed out, “You read about Target and the other major breaches, but most breaches happen to small merchants. You are low-hanging fruit, because you are the most vulnerable and the least aware.” In fact, more than 80% of breaches are estimated to occur at small merchants.
One of the topics our team of specialists focused on was how to secure the organization with limited resources. Since 90% of attacks are associated with weaknesses in basic controls such as firewalls, default passwords, VPNs and two-factor authentication, the first priority is to not be an obvious target. The numerous stories of companies whose passwords were “password” or the company’s own name show how a little extra effort can strengthen cyber defenses.
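What “a little extra effort” looks like in practice is a password check that refuses exactly the passwords the stories above describe: the dictionary word, the company name, and their thinly disguised variants (trailing year, leet spelling). The following is an added example written for this page in Python; it is not code from the article, the panel or PCI University. The deny-list, the stop-word list, the leet substitution table and the 12-character minimum are all assumptions chosen for the demo; a real deployment would swap the handful of words for a large breached-password corpus.

```python
import re

# Constructed deny-list for the demo: the words the article calls out plus a
# few ubiquitous defaults. Load a real breached-password list in production.
COMMON_PASSWORDS = {
    "password", "passwd", "letmein", "welcome", "admin", "administrator",
    "qwerty", "changeme", "123456", "12345678", "123456789",
}

# Character substitutions that make a password look different to a human
# without making it any harder for a guessing tool (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Legal suffixes that are not worth matching on their own (assumed list).
STOPWORDS = {"inc", "llc", "ltd", "co", "corp", "company", "the", "and"}


def core_of(password: str) -> str:
    """Reduce a password to the word a guesser would actually try:
    lowercase it, strip leading/trailing digits and symbols, undo leet."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # "Acme2015!" -> "acme"
    s = re.sub(r"^[^a-z]+", "", s)
    return s.translate(LEET)          # "p@ssw0rd" -> "password"


def company_terms(company: str) -> set[str]:
    """'Acme Widgets Inc' -> {'acme', 'widgets', 'acmewidgets'}."""
    words = [w for w in re.findall(r"[a-z0-9]+", company.lower())
             if w not in STOPWORDS]
    terms = set(words) | {"".join(words)}
    return {t for t in terms if len(t) >= 3}


def weak_reasons(password: str, company: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password makes you an obvious target.
    An empty list means the password passes this check."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Check both the raw lowercase string (catches "123456") and the
    # normalized core (catches "Password1!" and "P@ssw0rd").
    candidates = {password.lower(), core_of(password)}
    hit = next((c for c in candidates if c in COMMON_PASSWORDS), None)
    if hit:
        reasons.append(f"is a common password ('{hit}')")
    # Longest company term first so "acmewidgets" is reported rather than "acme".
    for term in sorted(company_terms(company), key=len, reverse=True):
        if any(term in c for c in candidates):
            reasons.append(f"built from the company name ('{term}')")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    for pw in ("Password1!", "P@ssw0rd", "AcmeWidgets2015!", "correct horse battery staple"):
        problems = weak_reasons(pw, "Acme Widgets Inc")
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

The point of `core_of` is that the check runs on what an attacker's wordlist rules would generate, not on the literal string: “Acme2015!” and “P@ssw0rd” are rejected for the same reason as “acme” and “password”. Run the same function against the default credentials shipped with routers, point-of-sale terminals and other equipment before they go on the network.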
Businesses that take payment data and customer information must ensure that they are PCI compliant. Many small businesses are still not there, which puts their customers’ data in jeopardy and opens the company up to sizeable fines from the card associations and liability for damages after a breach.
Doing a PCI audit goes a long way, as does focusing on the latest standard, PCI DSS 3.1, which no longer accepts SSL and early TLS as strong cryptography and requires migration to current TLS. If you store cardholder data at rest, make sure it is protected the way PCI DSS requires (encrypted, truncated or tokenized), so that if cyber criminals do breach you, anything they find is useless to them. You could even outsource payment processing entirely, so that card data never touches your network.
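The SSL and early TLS requirement in PCI DSS 3.1 is one of the few items on this list that can be checked mechanically. The following is an added example written for this page in Python, not code from the article or from PCI University: it audits an `ssl.SSLContext` against a policy floor of TLS 1.2 and shows a typical legacy client configuration next to the corrected one. The policy floor, the finding texts and the legacy configuration itself are assumptions for the demo; which protocol versions a given OpenSSL build actually offers depends on that build.

```python
import ssl

# Assumed policy for the demo: PCI DSS 3.1 stops accepting SSL and early TLS
# as strong cryptography, so anything below TLS 1.2 is reported as a finding.
POLICY_MIN = ssl.TLSVersion.TLSv1_2

# Readable labels for the protocol floors an SSLContext can report.
FLOOR_NAMES = {
    ssl.TLSVersion.MINIMUM_SUPPORTED: "no floor (whatever the OpenSSL build allows)",
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLS 1.0",
    ssl.TLSVersion.TLSv1_1: "TLS 1.1",
    ssl.TLSVersion.TLSv1_2: "TLS 1.2",
    ssl.TLSVersion.TLSv1_3: "TLS 1.3",
}


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of policy findings for an SSLContext; empty means it passes."""
    findings = []
    floor = ctx.minimum_version          # IntEnum, so ordering comparisons work
    if floor < POLICY_MIN:
        findings.append(
            f"protocol floor is {FLOOR_NAMES.get(floor, floor)}; "
            "policy requires TLS 1.2 or newer"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME); set OP_NO_COMPRESSION")
    # Certificate verification is only meaningful on the client side.
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate verification disabled (verify_mode=CERT_NONE)")
    return findings


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: negotiate anything, verify nothing.
    This is how many older payment integrations are still wired up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # SSLv3/TLS 1.0 if the library has them
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The 'after' configuration: TLS 1.2+ only, compression off, certificates verified."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        findings = audit_context(ctx)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

This audits your own side of the connection; to check what a payment gateway or your own web server will still negotiate, probe it from outside with a client that offers only SSLv3 or TLS 1.0 and confirm the handshake is refused.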
Once you have the fundamentals in place, start to investigate some of the new breakthrough alternatives that will best protect your business, and your pocket. Today’s innovations include analytics and machine learning, and devaluing the data itself so that whatever a thief steals is worthless. If you are a small merchant, look into P2PE (point-to-point encryption) or tokenization, which can be very cost effective at just $30-$50 per month.
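Tokenization is the concrete form of both points above: the data-at-rest requirement (anything a criminal finds on your systems should be useless) and the devaluation of data. The following is an added example written for this page in Python; it is not code from the article, the panel or any P2PE or tokenization vendor. The vault is an in-memory stand-in for the provider's system, which in reality sits outside the merchant's network; the token rules (keep the last four digits for receipts, never produce a Luhn-valid token so it cannot be confused with or replayed as a real card number, merchant keeps only the token plus a first-six/last-four mask) are assumptions for the demo, and the card number used is the standard Visa test number.

```python
import json
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the card brands to catch typos in a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def clean_pan(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


class TokenVault:
    """In-memory stand-in for the tokenization provider's vault (assumed design).
    The merchant never holds this object; it lives on the provider's side."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = clean_pan(pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:        # same card -> same token (repeat customers)
            return self._token_by_pan[pan]
        while True:
            # Random body, real last four; reject Luhn-valid results so a token
            # can never pass as a card number, and reject collisions.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (at settlement or refund time) can reverse a token."""
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """At most the first six and last four digits may be kept in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def merchant_record(pan: str, vault: TokenVault) -> dict[str, str]:
    """Everything the merchant's own database stores for a card: no full PAN."""
    pan = clean_pan(pan)
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan)}


def breach_exposes_pan(record: dict[str, str], pan: str) -> bool:
    """Simulate a dump of the merchant's table: does the real PAN appear anywhere?"""
    return clean_pan(pan) in json.dumps(record)


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"              # constructed: the standard Visa test number
    record = merchant_record(card, vault)
    print("merchant stores:", record)
    print("full PAN exposed by a merchant-side breach:", breach_exposes_pan(record, card))
    print("provider can still reverse it:", vault.detokenize(record["token"]))
```

The security property is in the split: a dump of the merchant's database yields tokens that are not card numbers and a mask that PCI already permits, while the only table that maps tokens back to PANs is on the provider's side of the network boundary, which is also what takes those systems out of your PCI scope. The CVV is deliberately absent from the record; it may never be stored after authorization, tokenized or not.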
Securing a business today with a very small budget is challenging, but ignoring cybersecurity is no longer an option.