How Small Business Owners Become Cyber Victims

When starting a small business, the last thing on your mind is probably fending off hackers and cyber criminals. You're not alone. Many businesses believe their data is safe--but don't have security policies in place.

Seventy-seven percent of small business owners in the U.S. think their company is safe from cyber criminals, according to a recent study conducted by the National Cyber Security Alliance and Symantec. However, 83% said they don't have a cyber security plan in place.

Cyber threats can come from outside organizations, or from within companies when an employee or ex-employee steals data. Small business owners take on a different set of risks when they accept debit and credit card payments over the Internet, said Ellen Richey, chief enterprise risk officer for Visa, Inc. Richey said businesses can be the target of thieves attempting to steal information from their systems, or they can be fooled indirectly when fraudsters steal information from a different merchant and use that information to make purchases.

Consumers also can be at risk, especially if they are posting information on social networks. Cyber criminals can use the information that is publicly available to socially engineer their way into the consumer's account, said Richey.

Richey gave 5 tips for establishing a cyber security policy:

1. Not knowing what data you even have and where it is can put you at risk. Know the who, what, where, of your sensitive data and what kind of payment data you actually have, where it is, and who has access to it. This makes it possible to establish where risks are.
2. If you don't need the data, don't keep it. Companies tend to store payment information on laptops. They might even allow employees to access it on their own devices, which becomes more likely with the BYOD trend. However, there are cloud services available for payments and encryption. For instance, Visa is coming out with a way to store secure data, including a point-to-point service and a tokenization service.
3. Outsourcing a secure solution provider can often introduce a vulnerability. For instance, if a company hires a sales person from an outside company, that person might come in and install the payment application on the computer system--without changing the password. The most common mistake is leaving in place the default password. The confusion arises because the project has been outsourced to a reseller, and it's not clear who is responsible for tasks such as changing passwords.
4. Use secure devices and applications when accepting payments. Visa maintains a list of those gadgets on its website where small business owners can check to see what meets the standard.
5. For payments, there are certain practices and tools that small business owners can use for verification. These include the code on the back of the credit card, and an address verification. Companies can even install a physical space upgrade to EMV chip technology that will allow consumers to pay with smart cards.

"We at Visa want to make security important to small businesses by getting data out of their system," Richey said, by moving to a dynamic data system. That way, even if a cyber criminal stole a card number, the person still couldn't use it to commit fraud.

"If we had that fully in place that would reduce the opportunity to commit fraud because small businesses wouldn't have valuable data anymore. In the future, only the big aggregators of data--like Visa itself--will have vulnerable data," Richey said.

As more consumers begin making payments with Square and new mobile forms of payment, Richey said, it produces new types of risks.

"At a high level, the challenges are technical. Mobile phones aren't a secure, payment system--payment information needs to be in a segregated section of the phone; it can't be in the same space as any old application that a consumer can download. The other is an environmental challenge. Unlike a traditional terminal, a mobile phone is traveling all over the place and can be lost or fall into the wrong hands," Richey said.

That said, the mobile phone also presents an opportunity to become more secure, she added. For instance, using near field communications (NFC) technology in the phone to make payments is much more secure than depending on the magnetic strip on a credit card. Many Android and Windows Phones support NFC, but Apple chose not to include it in the iPhone 5.

Beyond education and awareness of small business owners, technology can help close the gap in security and payment systems. For instance, Intel recently announced a partnership with Mastercard that will implement PayPass NFC technology in its Ultrabooks, allowing users to make online payments by tapping a card or their phone on their ultrabook. Also, Facebook has a system that allows you to use two devices for authentication. If only the payment systems would catch up to this.

The pieces to solve the identification problem are out there. All that's left is putting the pieces together.