Threat Level 2: Why small businesses can't afford to sleep on cybersecurity

Carol “Orange” Schroeder, the proprietor and co-owner of Madison’s venerable Orange Tree Imports, doesn’t spend her workdays defending the ramparts against the relentless incursions of cyber criminals. No offense to the Monroe Street specialty retailer, but it isn’t exactly a big score.

Indeed, Schroeder acknowledges as much.

“Obviously, no one in the larger scheme of illegal activity is going to say, ‘Today I’m going to devote my entire day to trying to target Orange Tree Imports,’” said Schroeder.

That said, Schroeder isn’t exactly breathing easy when it comes to facing the kinds of security threats that were little more than a sci-fi scribbler’s fever dream when Orange Tree Imports first opened its doors nearly 40 years ago.

“None of us felt cocky when Target or other big businesses had credit card problems because we realize that with the state of the Internet and security, anything’s possible,” said Schroeder. “We could conceivably have something happen to us next, because I’m sure those businesses weren’t concerned about security either. I don’t have any specific concerns, but who’s to know what’s possible in the future?”

Needless to say, the world of retail — and that of small businesses in general — is a radically different one than Schroeder faced in 1975 when she was a novice shopkeeper. While big-box retailers like Target represent the fabled great white whale to many cyber crooks, danger lurks around every corner for little fishes like Orange Tree Imports as well — and keeping up with both the vulnerabilities and the fixes can be an ordeal for small businesses, which typically have just a fraction of the resources of their larger corporate counterparts. And make no mistake about it, failing to keep up can ultimately be crippling.

A March survey by Newtek Business Services found that 67% of independent business owners were not concerned about credit card security at their businesses. That’s a fairly alarming finding, particularly considering that the survey was taken in the wake of Target’s and Neiman Marcus’ high-profile data breaches, which sent the broader retail sector reeling.
But it may also result from the fact that small retailers generally outsource their payment card functions. For her part, Schroeder relies on Wind River Financial, a local credit card processing company, which she trusts implicitly.

“We do everything we can to protect our customers’ data, and we’re with a locally owned company that we feel is quite reputable and is taking steps to make sure that their security is up to date,” said Schroeder, “but you don’t want to feel that you’re immune to it, obviously, because it could happen to small retailers.”

But while outside help is readily available to small business owners, whose in-house security expertise is generally negligible or non-existent, they can’t afford to close their eyes and stumble through a wilderness that’s getting more and more dangerous, seemingly by the day.

Even if the Target and Neiman Marcus hackers aren’t lining up to breach your small business’s virtual walls, there are plenty of things to keep in mind and be aware of.

A better credit card

The first, and most obvious, step in staying secure is choosing the right payment card processor.

While retailers often shop around to get the most favorable rates, finding a processor that’s dotting all its i’s and crossing its t’s with respect to security has never been more urgent.
Avery Buffington, an information security architect with SecureNet, a national direct payment processor, notes that retailers should check for eight key security features when considering a processing company.

They include:

1. Vaulting, which allows retailers to set up recurring payments and removes the obligation of securing credit card data themselves
2. Tokenization, which uses a code to represent a credit card number, lowering the risk of fraud
3. Point-to-point encryption, which allows retailers to transmit an encrypted version of data to their payment processor
4. Encrypted mobile hardware, which offers protection against malicious mobile applications that could try to access card data
5. Compliance with the payment card industry’s (PCI) security standards (more on this later)
6. Fraud protection, including “sophisticated analyses of behavioral profiling”
7. Omnichannel security, which allows providers to protect information across mobile, in-store, and online channels
8. EMV (Europay, Mastercard, and Visa) — also known as chip-and-PIN technology — which replaces the standard magnetic stripe credit card, which is much easier to clone

With regard to the last item, there is help on the way — whether retailers want it or not.

Chip-and-PIN technology, which adds two layers of security by embedding chips in payment cards and requiring users to punch in a PIN number before making purchases, is set to become the industry standard by October 2015. That’s great news for both retailers and consumers, but many retailers appear not to feel the urgency about security that some observers think they should.

The same Newtek survey that found independent business owners were largely unconcerned about credit card security revealed that 63% weren’t even aware of EMV technology, which is already in widespread use in Europe.

For the National Retail Federation (NRF), which sees retailers’ and consumers’ vulnerabilities as more of a hair-on-fire type of situation than many of its members appear to, that blasé approach to security simply doesn’t fly. As the world’s largest retail trade association, the NRF has been urging a transition away from the traditional magnetic stripe-and-signature system (which relies on outdated 1960s technology) to modern chip-and-PIN systems.

In April, Tom Litchford, the NRF’s vice president for retail technologies, testified before the House Homeland Security Committee on Cybersecurity, saying that it’s past time for U.S. retailers to adopt chip-and-PIN.

“Chip-and-PIN technology dramatically reduces the value of any stolen breached data for in-store purchases because the payment card data is essentially rendered worthless to criminals,” said Litchford. “The failure of U.S. card networks and banks to adopt such a system in the United States is one reason why cyberattacks on brick-and-mortar retailers have increased.”

The downside? Chip-and-PIN could eventually end up costing smaller retailers, particularly if they’re not up to speed by the October 2015 deadline Visa and MasterCard have given merchants for installing EMV systems. For one thing, the cost of installing a new system is not negligible. Retailers across the country are expected to spend billions of dollars on the new systems, and small retailers can count on shelling out between several hundred dollars and $2,000 each for the card readers.

But the costs of failing to install an EMV system could end up being even steeper. Starting in October 2015, retailers that accept EMV-compliant cards and process them through a non-compliant machine will be liable for any fraudulent transactions.

(Continued)

For Schroeder, whose shop is now equipped to take EMV cards but hasn’t yet installed PIN pads to go with them, updating the equipment has presented challenges.

“We have two checkout areas, so we have two terminals, and that’s not inexpensive equipment,” said Schroeder. “And it’s not just the cost of the equipment, but also the reconfiguration of your checkout area to accommodate that, so it’s kind of a pain.”

But while chip-and-PIN is widely considered a superior and safer technology, it’s hardly a panacea. “If you build it, they will come” has a perverse counterpart in the IT world: If you make it more secure, someone will inevitably figure out how to break it down.

“If you’re not careful or you don’t follow basic security practices, then you’re more vulnerable, but to me, it’s kind of like the deadbolt on the back door of your house,” said Rob McCalla, a lecturer in the Department of Consumer Sciences at UW-Madison. “It will kind of keep out the casual crooks, but the serious ones get in no matter what, and I think even in chip-and-PIN technology, what I’ve read about it, there’s still vulnerability. So it will be good to have it because it will take care of most of the problem, but ultimately it’s just one part of the picture.”

Up to standard?

Beyond updating their terminals, retailers are also required to comply with the latest credit card transaction standards, which went into effect on Jan. 1.

Many of the standards are a reissue of past Payment Card Industry Data Security Standard (PCI DSS) guidelines, but several are new this year.

“Probably for the typical business in Madison, the biggest change is with regard to protecting the credit card terminals themselves from physical tampering,” said Douglas Berry, principal-in-charge of assurance services with SVA Certified Public Accountants in Madison. “When people think of the credit card merchant, they usually think of Target and Walmart and the big-box retailers, but they forget that the restaurant, their doctor’s office, the accountant, the food truck, the taxicab, all of these people are accepting credit cards, and so if you’re a company that has a whole bunch of these terminals dispersed geographically, that can be a bit of a challenge because the new standard says that you have to protect these. You have to have an inventory of them and you have to perform periodic inspections of them.”

According to Berry, protecting card terminals themselves from physical tampering is key to protecting data in the post-Target-breach epoch, and the new PCI DSS standards are addressing that.

“You should be doing things like checking serial numbers, checking for physical tampering,” said Berry. “You have systems in place to have your employees aware of what to do for security, and so that’s a big change. … But especially around the holidays, that’s probably the easiest way that fraud will happen, is that someone actually tampers with [your] credit card machine.”

For a so-called Level 1 merchant that does more than 6 million transactions per year, the cost of complying with the new standards is high, ranging from $50,000 to $1.5 million, but smaller retailers can perform a self-assessment to affirm they’re in compliance. Many retailers will go to firms like SVA for assistance in completing the self-assessment, and that can incur a cost. But according to Berry, the costs of noncompliance can be even steeper — and it’s important for any businesses that take credit cards to pay attention to the new standards and know that they have only until the end of 2014 to ensure compliance.

“I think your larger retailers are definitely aware of what they need to do,” said Berry. “The concern is that the local restaurants and the doctor’s office and things like that aren’t paying attention to this. …
“A breach [of the PCI DSS] can result in a pretty huge fine, like up to half a million dollars per incident. Or worse, you lose your ability to take credit cards, which in this day and age for some merchants may be the death knell.”

Staying informed

For those who might think measures to ensure payment card security consist of a bit too much bitter castor oil and too little treacle, the NRF is offering a somewhat sweeter antidote — one that won’t be so hard for retailers to swallow.

In April, the NRF announced it was moving forward with a program that will provide retailers real-time information on cybersecurity threats reported by other retailers, government and law enforcement agencies, and the financial services sector.

Developed in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the system is expected to be established this month.

“We believe a heightened and well-coordinated information-sharing platform … is a vital component for helping retailers in their fight against cyber attacks,” said NRF President Matthew Shay, in a statement. “Establishing a new program takes time, but time is not our friend when it comes to stopping these sophisticated and unpredictable criminals.”

For more information on the NRF’s information-sharing platform, go to nrf.com and search on “FS-ISAC.”

(Continued)

Cybersecurity Basics

With all the balls a businessperson is expected to juggle on a regular basis, it’s no surprise when one or two get dropped — or at least fumbled a bit.

The day-to-day exigencies are often enough to handle without having to worry about extras like cybersecurity. (Be honest, how often do you install all your software updates the very moment you’re prompted?)

The following are some basic safeguards distributed by the U.S.  Small Business Administration that can help any small business owner tighten up his or her operation.

1. Create a cybersecurity plan with the help of the Federal Communications Commission’s Small Biz Cyber Planner. Available at fcc.gov/cyberplanner, the tool allows business owners to create a custom strategy for dealing with cyber threats. The webpage also includes a link to the FCC’s updated Cybersecurity Tip Sheet.
2. Make sure you have clear cybersecurity rules for your employees. This will help ensure that information is protected. You should also establish clear penalties for violating your company’s policies.
3. Practice safe social networking. The SBA advises that you instruct your employees not to post trade secrets or any other sensitive details about your company’s operation.
4. Manage risk. Asking yourself where your vulnerabilities lie is important. According to the SBA, since many small businesses often work hand-in-hand with larger firms, cyber crooks tend to use those small businesses as a bridge to get to bigger fish. Not only can that jeopardize your own security, it can poison your relationship with those bigger firms.
5. Download software updates ASAP. Those patches, updates, and fixes you’re probably ignoring? Download them now.
6. Back up your data. It may sound like a no-brainer, but it can’t hurt to be reminded. Critical items like Word documents, databases, spreadsheets, accounts receivable and accounts payable files, and human resources files are — if not the lifeblood — at least the marrow of a successful business.
7. Be sure your Wi-Fi networks are secure. Obviously, you want your Wi-Fi network to be password-protected, but you should also take that extra step to ensure it’s hidden. “To hide your Wi-Fi network, configure your wireless access point or router so that it does not broadcast the network name, known as the Service Set Identifier,” advises the SBA. “It is also critical to change the administrative password that was on the device when it was first purchased.”

Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.