One Breach, Two Breach, Three Breach. When Will It Be Your Breach?
Home Depot is investigating the possibility of a potentially massive data security breach this week. Last week, there were reports that the Albertsons family of grocery stores, which includes Jewel-Osco, was potentially breached. But did you know that the Department of Homeland Security announced last month that hackers attacked over 1,000 U.S. businesses in the same fashion that Target and other major retailers were attacked? The national media focuses almost entirely on the major retailers; however, this blog speaks to small businesses and those of us who work with small businesses. I heard it again today from a colleague of mine who was speaking with a smaller account of his doing roughly $50k in monthly credit card processing. When he instructed the business to take the PCI SAQ and IP scans to avoid NON-PCI fees and help PROTECT their business, their response was, “Those hackers are not going after small businesses like ours.” It is that exact sentiment that is going to contribute to small businesses getting taken to the cleaners by cyber criminals.

In Trustwave’s 2014 security report, they cite the following:

· “Our (Trustwave) volume of data breach investigations increased 54 percent in 2013, compared to 2012”
· “Point-of-sale (POS) breaches accounted for 33 percent of our investigations”
· “59 percent of victims reside in the United States, 14 percent in the United Kingdom and 11 percent in Australia”
· “96 percent of applications scanned by Trustwave harbored one or more serious security vulnerabilities”
· “100 percent of the mobile applications we tested contained at least one vulnerability”
This list goes on and on and on. The full Trustwave report can be retrieved through www.secretservice.gov; it is a really eye-opening and well put together report.
Time to wake up
I will be the first to admit that I was one of those detractors of “NON PCI COMPLIANCE FEES”. I was guilty of telling merchants that their processor was greedily charging this fee to make more money. My view has now shifted 180 degrees. If the average small or mid-sized business owner cares so little about protecting their business and their customers, then paying $20 a month is a small price to pay. The whole “It can’t happen to me,” or even worse, “I am too small for it to happen to me” notion is no longer acceptable. This type of crime has reached an all-time high and is only showing signs of getting worse. I don’t want to just throw small business owners under the bus. I will agree that many are simply misinformed by merchant processing sales people trying to get a sale by following the path of least resistance and telling their clients or prospective new clients that they are not in harm’s way, or that the likelihood of anything ever happening to them is too small to warrant any attention. I personally detest sales people like this who give our industry a bad reputation and make bad problems worse.

For those of us who are fighting the battle of simply getting businesses that process payments to become PCI compliant, there is no assurance that we win. The unfortunate part of this is that becoming and maintaining PCI compliance does not actually prevent a breach or even detect one. If done properly, it can and will point out vulnerabilities in your network, and once those vulnerabilities are patched it can prevent, or at least make it more difficult for, a criminal to infect your systems. Simply by taking the PCI SAQ you will be asked questions about internal policies: how cardholder data is handled amongst employees, who has access to sensitive data, escalation procedures, etc.
Many business owners do not maintain the policies on how cardholder data is handled that PCI requires, but at the very least the SAQ will open their eyes to what they should be doing, and hopefully some or all of the requirements get implemented. Every little bit helps.

According to Trustwave, 71 percent of compromise victims did not detect the breach themselves. Regulatory bodies, card brands and merchant banks detected 58 percent of data compromises. FYI, 58 percent of the time: too bad, so sad. The damage has already been done.
I have unfortunately had to notify a mid-sized business with a name and brand nobody would recognize that we had received notification from two card brands, via a CPP report, identifying their business as the triangulated source of thousands of stolen credit cards. My team and I took hundreds of calls from this merchant in a panic trying to figure out the Who and How. The business then had to deal with two security assessors, tens of thousands of dollars in fees to those assessors, and many hours of lost sleep pondering, “What will happen to my business and my employees if the breach is proven to come from us?” It’s simply not worth it.
I’ll end this by saying: if you are a small business, or work with small and mid-sized businesses, and refuse to minimally protect your business and its customers from criminals, walk over to your security system and unplug it. Take down your cameras and stop paying the monthly fees, leave your safe open and put a sign on your front door that says “please steal from us.”
Do you get the point?
Hopefully, this gets the point across. Unfortunately this is going to be a topic we hear more and more about (once a week at the current rate). Let’s agree to be a part of the solution and not the problem. Pass on good information and take the time to help business owners. If you own or run a business, take the time to understand the full scope of “securing” your business and network beyond locks on the doors, cameras or a simple firewall. We are in a new era of criminal, and I promise you they will not be breaking through your doors, your cameras will not see them, and what they are stealing is more difficult to replace than money.

PCI 3.0 is here and comes with some major changes. In my next post we will explore the biggest of those changes as they pertain to small and mid-sized businesses.