Brian Pennington

A blog about Cyber Security & Compliance

Tag: Avivah Litan

Criminal logic; follow the money and find easy targets

Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

  1. Criminals do not discriminate: a dollar is a dollar and a credit card is a credit card, no matter where it is stolen from.
  2. Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
  3. Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example with PCI DSS. Compliance is often described as a painful process, but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information, not just credit cards.
  4. Malware (viruses, Trojans, etc.) does not know the difference between a small and a large business; in an automated attack the malware tools simply look for weaknesses.
  5. The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.

Avivah Litan in her recent Gartner Blog recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.

The story so far suggests that the criminals gained access to the store’s systems remotely, siphoned off the cards’ magnetic stripe data and then created counterfeit cloned cards. This resulted in thousands of dollars in fraud and affected a high percentage of the town’s population, including, significantly, almost 25% of the local Police force.

The sad thing is that, from my own experience of running a small business, it is customer loyalty that often makes the difference between being profitable and going bust, and incidents like this always affect a customer’s perception of the business.

A large business can employ a PR agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, none of which a small business could afford to do.

So what can small businesses do?

  • The first thing is to assume that you may become a target, because the criminals use tools which try to find vulnerable businesses every minute and hour of the day.
  • Ensure that your payment devices (terminals, tills, e-commerce solution, etc.) are all Payment Application Data Security Standard (PA-DSS) approved. The PCI website has a list of approved products and versions; find the link here.
  • Ensure you have the IT security basics in place (firewall, anti-virus, etc.) and use the auto-update features of that technology.
  • Make sure all your IT devices, not just your desktops and laptops but also your tills and EPOS devices, have their software updated/patched regularly; if it is available, turn on auto-updates.
  • Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
  • I know it is difficult for small business owners to find the time, but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ); it is an excellent start to a secure business. If you have any questions about which SAQ is needed, or any other questions, ask your bank; they are as concerned about your security as you are.

PCI Compliance Cost Calculator for Level 1-4 Retailers

StillSecure have produced the “StillSecure PCI Calculator”, a free online tool designed to help Level 1 through 4 retailers examine, and potentially significantly reduce, the costs and complexities associated with PCI compliance. It is a very interesting approach to calculating the cost of compliance.

From the StillSecure press release:

Gartner issued its Retail Security & Compliance survey 2011, which examined security processes used by organizations subject to PCI, including current level of PCI compliance, spending on PCI compliance, and security threats. Among the key findings, the survey revealed that the costs associated with PCI security and compliance for merchants — excluding the cost of assessors — are an average of $1.7 million over 2.35 years. Over the same time period, Level 1 retailers spent an average of $2.1 million on PCI compliance, with Level 2-4 retailers spending an average of $1.1 million.

Based on the Gartner research, StillSecure claim that Level 1 merchants using their PCI Complete security solution would save approximately $750,000, and Level 2-4 merchants would save over $400,000, over the same period.

“Gartner’s Retail Security & Compliance Survey 2011 data clearly shows that organizations are spending significant amounts to become PCI compliant,” said Avivah Litan, VP Distinguished Analyst, Gartner, Inc. “The data further shows that it’s not easy to become compliant and many retailers may be overwhelmed with the complex and numerous steps involved in the process. In fact, security breaches are common. Our assessment underscores the importance of exploring all available options for compliance and security.”

The Gartner report also tracked overall PCI compliance investments and PCI-related security risks. While 28 percent of respondents believed that their organization had to spend too much money to comply with PCI standards, 43 percent of respondents had experienced at least one type of security incident.

“StillSecure has been intensely focused on helping organizations achieve PCI compliance through our fully managed, independently approved solution, PCI Complete,” said Rajat Bhargava, CEO of StillSecure. “These solutions are certified by one of the world’s most stringent qualified security assessors (QSAs) and include PCI monitoring, scanning, as well as reporting and evidence creation capabilities that will save organizations as much as 30 to 50 percent on PCI compliance and auditing. Our PCI Calculator allows organizations to compare their current PCI compliance expenditures with other merchants of similar size, while also informing them on steps to reduce the costs of compliance.”

Download the PCI Calculator for yourself here; registration is required.
