How Small Business Owners Become Cyber Victims - InformationWeek


How Small Business Owners Become Cyber Victims

If you are a small business owner who is clueless about cyber security risks, you're not alone. BYTE spoke to Visa's chief enterprise risk officer to find out 5 things you should know about, so you don't become a fool when you accept payments in our increasingly digital and mobile world.

When starting a small business, the last thing on your mind is probably fending off hackers and cyber criminals. You're not alone. Many businesses believe their data is safe--but don't have security policies in place.

Seventy-seven percent of small business owners in the U.S. think their company is safe from cyber criminals, according to a recent study conducted by the National Cyber Security Alliance and Symantec. However, 83% said they don't have a cyber security plan in place.

Cyber threats can come from outside organizations, or from within companies when an employee or ex-employee steals data. Small business owners take on a different set of risks when they accept debit and credit card payments over the Internet, said Ellen Richey, chief enterprise risk officer for Visa, Inc. Richey said businesses can be the target of thieves attempting to steal information from their systems, or they can be fooled indirectly when fraudsters steal information from a different merchant and use that information to make purchases.

Consumers also can be at risk, especially if they are posting information on social networks. Cyber criminals can use the information that is publicly available to socially engineer their way into the consumer's account, said Richey.

Richey gave 5 tips for establishing a cyber security policy:

  1. Not knowing what data you have and where it is can put you at risk. Know the who, what, and where of your sensitive data: what kind of payment data you actually have, where it is, and who has access to it. This makes it possible to establish where the risks are.
  2. If you don't need the data, don't keep it. Companies tend to store payment information on laptops. They might even allow employees to access it on their own devices, which becomes more likely with the BYOD trend. However, there are cloud services available for payments and encryption. For instance, Visa is coming out with a way to store secure data, including a point-to-point service and a tokenization service.
  3. Outsourcing to a secure solution provider can often introduce a vulnerability. For instance, if a company hires a salesperson from an outside company, that person might come in and install the payment application on the computer system--without changing the password. The most common mistake is leaving the default password in place. The confusion arises because the project has been outsourced to a reseller, and it's not clear who is responsible for tasks such as changing passwords.
  4. Use secure devices and applications when accepting payments. Visa maintains a list of those gadgets on its website where small business owners can check to see what meets the standard.
  5. For payments, there are certain practices and tools that small business owners can use for verification. These include the code on the back of the credit card and address verification. Companies can even install a physical space upgrade to EMV chip technology that will allow consumers to pay with smart cards.

"We at Visa want to make security important to small businesses by getting data out of their system," Richey said, by moving to a dynamic data system. That way, even if a cyber criminal stole a card number, the person still couldn't use it to commit fraud.

"If we had that fully in place that would reduce the opportunity to commit fraud because small businesses wouldn't have valuable data anymore. In the future, only the big aggregators of data--like Visa itself--will have vulnerable data," Richey said.

As more consumers begin making payments with Square and new mobile forms of payment, Richey said, it produces new types of risks.

"At a high level, the challenges are technical. Mobile phones aren't a secure, payment system--payment information needs to be in a segregated section of the phone; it can't be in the same space as any old application that a consumer can download. The other is an environmental challenge. Unlike a traditional terminal, a mobile phone is traveling all over the place and can be lost or fall into the wrong hands," Richey said.

That said, the mobile phone also presents an opportunity to become more secure, she added. For instance, using near field communications (NFC) technology in the phone to make payments is much more secure than depending on the magnetic stripe on a credit card. Many Android and Windows Phones support NFC, but Apple chose not to include it in the iPhone 5.

Beyond education and awareness of small business owners, technology can help close the gap in security and payment systems. For instance, Intel recently announced a partnership with Mastercard that will implement PayPass NFC technology in its Ultrabooks, allowing users to make online payments by tapping a card or their phone on their Ultrabook. Also, Facebook has a system that allows you to use two devices for authentication. If only the payment systems would catch up to this.

The pieces to solve the identification problem are out there. All that's left is putting the pieces together.
