The Year of the Hack
It seems only fitting that 2014 should have ended with the much publicized hacking of Sony as the American public was inundated all year with one sensational account after another of damaging data security breaches. Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen, and Home Depot have certainly received the full attention of the media, as it should given its magnitude. However, this publicity masks a much deeper rooted strategy of hackers toward their typical target (with a small “t”). The predominant number of security breaches, up to ninety percent, occur with small merchants such as your neighborhood restaurant, convenience store or clothing boutique. The fact is that the typical operator of a franchise is most often a small business owner and not a large corporate entity. These smaller players simply go out of business or spend years attempting to recover from their losses.
The more telling story is that hackers are successfully penetrating the very backbone of U. S. commerce because these small and medium sized merchants are much more vulnerable as they are considered by hackers to represent low hanging fruit. Rather than resigning themselves to another year of devastating breaches that drain the economy and damage the public trust, this would be a good time for executives to make a New Year’s Resolution that they will take a little time to understand where the underlying vulnerabilities are in their systems and take the relatively simple measures to severely reduce the risks. Credit card companies have developed a comprehensive list of best practices and procedures (Payment Card Industry Data Security Standards best known as PCI DSS) that U.S. merchants are required to apply in an effort to significantly lessen the prospect of hackers gaining entrance to their store’s Point of Sale systems, which act as the gateway and nerve center for merchant commerce. The overriding problem is that banks, card processors, and POS companies have failed to effectively educate merchants on these standards. As hotel managers, restaurant operators and retailers are consumed with the day-to-day challenges of running their businesses, they understandably don’t find the time to do anything but pay cursory attention to related webinars or email blasts on the subject.
The solution really isn’t very complicated. The vast majority of security breaches can be avoided by simply having the merchant understand and apply common sense practices and make a few modest investments in basic security measures. For instance, a significant number of breaches can be eliminated by employees knowing not to use default or simple passwords as well as changing passwords frequently.
Breaking down into plain English and demystifying the basics behind security mechanisms such as firewall, encryption and tokenization are really not that difficult. Although the ease of a restaurant operator having remote access to their Point of Sale terminal may be very desirable, it can help a hacker gain a path to customer credit card information if not used properly with sufficient authentication measures.
We have more than adequate security controls available today if they are simply understood and utilized properly. We don’t have to wait until the mass introduction of alternative technology, such as Chip and Pin, to dramatically reduce the volume of breaches. In fact, Chip and Pin is not a silver bullet solution. Merchants must not become complacent and lose sight of the fact that it is necessary to engage in a layered approach to keep their customer data safe which incorporates, Chip and Pin, encryption, tokenization and employee education.
Small and large merchants alike can cut through the background noise and understand how best to use accessible and effective controls and practices so that more painful data security breaches will not continually be repeated.