Brian Pennington

A blog about Cyber Security & Compliance

Tag

Small business

Criminal logic; follow the money and find easy targets

Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

  1. Criminals do not discriminate, a dollar is a dollar, a credit card is a credit card, no matter where it is stolen from.
  2. Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
  3. Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example PCI DSS. Compliance is described as a painful process but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information and not just credit cards.
  4. Malware (viruses, Trojans, etc.) does not know the difference between small and large businesses; in an automated attack, malware tools just look for weaknesses.
  5. The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.

Avivah Litan in her recent Gartner Blog recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.

The story so far suggests that the criminals gained access to the store’s systems remotely, siphoned off the cards’ magnetic stripe data and then created counterfeit cloned cards, which resulted in thousands of dollars in fraud and affected a high percentage of the town’s population and, significantly, almost 25% of the local police force.

The sad thing is, from my own experience of running a small business, it is customer loyalty that often makes the difference between being profitable and going bust, and incidents like this always affect a customer’s perception of the business.

Large businesses can employ a PR agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, all of which a small business could not afford to do.

So what can small businesses do?

  • The first thing is to assume that you may become a target, because the criminals use tools which try to find vulnerable businesses every minute and hour of the day.
  • Ensure that your payment devices (terminals, tills, e-commerce solution, etc.) are all Payment Application Data Security Standard (PA DSS) approved. The PCI website has a list of approved products and versions; find the link here.
  • Ensure you have the IT security basics in place (firewall, anti-virus, etc.) and use the auto-updates for the technology.
  • Make sure all your IT devices, not just your desktops and laptops but also your tills and EPOS devices, have their software updated/patched regularly. If it is available, turn on auto-updates.
  • Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
  • I know it is difficult for small business owners to find the time, but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ); it is an excellent start to a secure business. If you have any questions about which SAQ is needed, or any other questions, ask your bank; they are as concerned about your security as you are.

Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote a Javelin Strategy & Research study which found that:

  • Fraud suffered by Small Business Owners (SMBO) totaled $8 billion
  • Banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • The cost to victims was $2.61 billion

According to the U.S. Small Business Administration, small businesses represent more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses, more than 21 million are sole proprietors. The ITC concluded that small businesses were ideal candidates for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals’ ability to easily access important information and go undetected.”

Identity Theft Council Tips for Prevention and Detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether it’s customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal bank logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here

Most Small Business Owners do not treat Fraud as a Top Priority – survey results

On 15th August 2011 TD Bank released the results of a survey indicating that small businesses (sub $5 million) do not have business fraud as their top priority; in fact, only 1% of survey respondents said it was a top priority.

TD Bank’s survey polled 300 small business executives in its Maine to Florida area to understand their current awareness of small business fraud, as well as their top external concerns over the next 12 months.

“It’s encouraging to see that small business owners are taking steps to protect their business, but fraud protection should be a high priority and it pays to be vigilant,” says Fred Graziano, Head of Commercial and Small Business Banking at TD Bank. “Given the influx of new digital technologies and operational tools available for small business owners, it’s increasingly important to learn about the latest trends and techniques used by criminals, and to be more diligent in defending against fraud.”

Graziano and Robert Dunlop, TD Bank Director of Corporate Security and Investigations, offer the following advice to small business owners to protect their business from fraud:

Manage finances using secure online banking.

Online banking is a secure and essential tool for any small business owner. The benefits of this useful service include 24/7 access to real-time information, account transfers and payment management. Small business owners can easily schedule and manage payments, submit remittance information, and have an audit trail of all transactions.

“It’s important for small business owners to check their account activity regularly,” says Graziano. “Having instant access to payment history helps businesses closely monitor their spending for any discrepancies. If there are any, contact your financial institution immediately.”

Protect computer systems and practice online awareness.

“Being complacent about cyber protection can lead to the compromise of critical information and detrimental consequences for a business,” says Dunlop. “Every computer at home or in the office should have installed and regularly updated firewalls and anti-virus software.”

While conducting business online, be aware of “phishing” – an electronic scam that attempts to obtain confidential personal or financial information from its target. It takes the form of a fake message, usually an e-mail, which appears to be from a financial institution or service provider. While some e-mails are easily identified as fraudulent, including some containing enticing headlines, others may appear to come from a legitimate address.

“If an offer received via e-mail or on a website sounds too good to be true, it probably is,” says Graziano.

Safely handle sensitive documents and financial statements.

“The web isn’t the only place where thieves can steal valuable information from a small business,” says Dunlop. “Employees and outside parties can steal important mail, credit card information or checks, and commit fraud.”

Printed financial statements, social security numbers and other sensitive papers should be disposed of properly using a shredder or saved in a securely locked device.

“To avoid the hassle of handling several papers, banks such as TD Bank allow customers to opt out of paper statements and receive online statements instead,” says Graziano.

According to Dunlop, technological advances have even put photocopiers at risk, “Most photocopiers built since 2002 contain a hard drive that stores every image scanned, copied or emailed. When a business sells or upgrades their copier, the machine is usually cleaned up and reconditioned, but often times the hard drive is left intact and is not scrubbed,” says Dunlop.

Once resold, it’s possible for anyone to simply pop out the hard drive and access and sell confidential information such as income tax and bank records, social security numbers, and birth and medical records.

“Businesses need to be aware of this and treat documents in the standard office copier just as they would any printed document, and guard that information accordingly,” says Dunlop.

Obtain fidelity insurance.

“Crime and fraud-related losses generally aren’t covered by property insurance policies, so it’s important to protect money losses from workplace fraud,” says Dunlop.

Fidelity insurance protects your business against criminal acts such as robbery, embezzlement, forgery and credit card fraud. Liabilities secured under this type of insurance usually include money loss coverage (burglary or theft) and employee dishonesty (embezzlement and forgery).

Search for low rates and partner with a broker, such as TD Insurance, who can help shop for the best deal.

Incorporate appropriate checks and balances.

Every small business owner should perform an internal review and assessment of company finances on a monthly basis. Make sure payment amounts match all invoices and check for any missing documents. “Running random audits or having a third party audit the books once a year will show employees you are serious about fraud and deter them from committing deceptive acts,” says Graziano.

TD Bank advises that if you think you are a victim of business fraud, you should immediately contact the fraud department of any of the three major credit bureaus to place a fraud alert on your credit file. Also, contact your banks, credit card issuers and other creditors where your finances and information are available.

More information on TD Bank’s security can be found here.

Downloadable: CyberSource’s report on UK Online Fraud 2011

The report is based on an industry wide survey, and addresses the detection, prevention and management of online fraud.

The Cost of Fraud

On average, the percentage of annual online revenue that businesses expect to lose to payment fraud in 2010 has dropped from 1.8% to 1.6%.

The survey revealed that this does vary dramatically by merchant size:

  • Very large businesses expect to lose £365,500 to online payment fraud, equating to an average of 1.5%
  • Large businesses expect to lose £173,500 (1.2%)
  • Medium businesses £66,000 (2.4%)
  • Small businesses £3,500 (1.5%)

The report delivers:

  • Key fraud metrics, including review and order reject rates
  • Most widely used fraud detection tools
  • Chargeback practices; re-presentment and win rates
  • Merchants’ fraud management priorities for 2011

Download the report here (registration required).