Safe and Secure?
Distributors Have To Be Absolutely Sure Customer Data Is Protected
With data breaches becoming increasingly common – including Target’s, which impacted up to 110 million consumers – distributors have to be absolutely sure that their customer information is protected.
When it comes to credit card info, at Inkhead Inc. (asi/231159), it’s on a need-to-know basis. As in, nobody needs to know.
“We do not store credit card numbers and do not have access to them in any usable way once the transaction has been submitted to our credit card processor,” says Bill Cline, the Winder, GA-based company’s chief technology officer.
Smart move. Recent data shows more and more hackers are focusing their efforts on small businesses, perhaps because their security efforts are easier to breach. According to Symantec, a security solutions firm in Mountain View, CA, attacks on small businesses with less than 250 employees doubled in 2012, the most recent year reported, making up 31% of all business attacks.
In light of the much-publicized data breach suffered by retailer Target during the height of the holiday shopping season, in which the company acknowledged that 110 million shoppers’ credit cards were potentially compromised, it might seem that giant retailers are the appealing target. But that’s not always the case, say security insiders. And they warn that small- to mid-sized companies are increasingly sought out for hacking purposes.
“I think it’s pretty obvious in looking around that the big guys are being attacked daily, but it’s also true that smaller businesses are also in the target range,” says Richard Kissel, IT specialist with the National Institute of Standards and Technology (NIST), in Gaithersburg, MD, a federal technology agency that helps companies develop tech standards, in part to keep their information safe.
Too often, experts say, small-business owners assume their size makes them less attractive to hackers looking to hit up big players for a greater payout. And though big box retailers may be a more attractive target for some hackers for that reason, they rarely discriminate.
“Do you have a website? An IP address?” asks Tsion Gonen, chief strategy officer of SafeNet, a data protection firm based in Belcamp, MD. Then you’re a target. “There’s no flying below the radar” when it comes to exposing yourself on the Web, Gonen says. And distributors who think their size takes them off the hit list are likely exposing themselves to sensitive data theft.
Safety is Job One
How to keep your data safe? To start, distributors can’t begin to safeguard data until they know how sensitive it is, experts say. Many small businesses rarely take inventory of the sensitive data flowing through their companies every day. That alone can set them up for major theft, experts say.
The first step is to prioritize data by its value to the company, says Marilyn Prosch, an associate professor of accounting at Arizona State University in Phoenix, and co-founder of ASU’s Privacy by Design Research Lab, which helps explain how companies can protect information online. That includes transactions, customer credit cards, confidential artwork and orders, as well as protected practices and corporate strategies.
Then distributors need to prioritize that information, deciding which is the most important to their company’s security, growth and development. In other words, if you had to lose all of your data, which would you least want a thief to steal? It’s important to focus on the most sensitive data first, says Gonen, going so far as to encrypt information that absolutely cannot be compromised. In fact, these days, any data not encrypted is vulnerable, Gonen says. Period.
“By not encrypting data, all data is vulnerable to people coming in via electronic means or even walking in as part of a cleaning crew,” he says. “Small businesses tend to not look at things like that.”
By encrypting it, he adds, distributors can rest easy even if the data is stolen, since encrypted material is virtually impossible to decode. Hackers, for the most part, are gunning for the easiest data they can steal, he says. Encrypt information and they’ll be far less inclined to spend the time and effort it takes to unencrypt it.
That’s particularly important as transactions increasingly move across multiple platforms in the industry – laptops, iPads, smartphones and remote hardware like USB plugs – as account reps and company employees work from remote locations. One of the biggest boons and potential pitfalls to small businesses these days are the BYOD (bring your own device) policies that many small businesses have adopted. While allowing employees to use their personal devices can save a company money and increase their electronic workspace, it can also expose them to more identity theft.
“When you start setting data free, and instead of one place to keep it you now have 100 places, then by definition there are more chances something could happen,” Gonen says, pointing out that the practice tends to increase a company’s “threat surface,” meaning the number of places corporate data can be hacked.
While many companies focus so much on encrypting data and protecting their networks, ultimately it’s actually employees, not just their devices and software, who are the weakest link in a company’s security defense. Not because employees are looking to breach security from within, although that can happen. But more so because employees often unwittingly click on an unsafe link.
“A lot of these hacks you read about start with someone double clicking on a mail attachment or downloading something from the Web that they’re not supposed to,” says Gonen, even though they may know better.
In fact, employees can be some of the most innocent bystanders in phishing attacks, experts insist. Incidents like the recent Target breach create a ripple effect through the marketplace by allowing other hackers to come in and prey on victims’ concerns in the aftermath of a breach. One consequence from the Target breach, says Greg Mancusi-Ungaro, CMO of Toronto-based BrandProtect, a brand protection firm, has been a series of fake e-mails from hackers pretending to be Bank of America or some other large scale institution, claiming that a user’s password has been locked in light of the Target breach and they need to reset it. What might be normally dismissed as spam can suddenly trick a staff member who unleashes malware within his company when he clicks on a link while working on the company’s network.
And, the opportunities to solicit individuals through their workspace is only increasing. These days, employees receive attacks from hackers claiming to be social media sites, apps and other commonly-used Internet-based programs, that too many individuals fall for, even those who are savvy to online security. Symantec reports that phishing attacks masquerading as social media sites jumped 125% in the past year. And for good reason – they’re working.
In the ad specialty marketplace, where offers from unknown entities are coming across a distributor’s e-mail daily, “an offer might look like it’s coming from Nike or Adidas with promotional pricing,” says Mancusi-Ungaro. And, while it may be easy enough for many employees to recognize a fake e-mail, it may not be clear to them that simply clicking on a link, whether or not they go so far as to change their password, can be all they need to release malware into their company’s system.
Too often, industry insiders say, a company is being silently attacked, losing reams of data for weeks or months before executives know it’s been siphoned off. And more employees mean more risks. “When companies are growing rapidly, that’s when they’re at their highest risk,” says Prosch, because their technology increases and protocols begin to slip.
Steps to Take
To combat these threats, Prosch suggests that companies keep their data collection to a minimum. The more information a firm collects, the more they’re responsible for. Only collect information that’s crucial to a client transaction. Along those lines, don’t keep data longer than necessary, deleting confidential information when possible. That means destroying data completely, says Michael Kosegi, senior director of document imaging for Cintas Document Management, a document management security firm based in Cincinnati. That can include not just hard copies, but hard drives as well, Kosegi says, adding that companies should make sure they witness the destruction of a hard drive, instead of taking a technician’s word.
In addition, companies utilizing cloud technology today need to be aware of their risks in that space. That’s a particularly tough subject to tackle, says Inkhead’s Cline. “If the storage apparatus is solely controlled and secured by the company in question, then it falls in line with how one would go about securing a live data server,” he says. But, for cloud storage services where data from multiple companies is segregated but stored on a shared drive, it’s crucial for distributors to know exactly how secure their data is. “Many public cloud storage services would not comply with PCI (Payment Card Industry) regulations concerning customer billing data due to lack of security,” Cline says.
For many distributors, using cloud technology through programs such as Google Drive is an easy way to share documents or utilize free storage. But it’s also important to know the safety protocols for cloud technology, and create internal protocols for keeping what you share on the cloud safe, says Kosegi. A records-management program should indicate exactly what’s stored on the cloud, Kosegi says, and what’s stored there should be encrypted, he adds. “That way if you do have a breach they can’t see the information.”
For some companies Google may offer more security than they can afford on their own, experts say. Still it’s important to “read the terms of service,” Kissel advises, and recognize that once a document is on the cloud “you are completely trusting someone else” to keep it safe, unless the data is encrypted.
The key, says Kissel, is for small businesses to take note of where all of their data is based and what kind of data is based where. “Do an inventory of your information and prioritize it and categorize it,” he says. “Then, you’ll have a much greater feel of where you’re going in your business and where the protection needs to be applied.”
– E-Mail: email@example.com