Every business needs to be concerned about data security, especially securing customers’ personal data. Many businesses need to collect and store sensitive personal information. For example, retailers that maintain customer loyalty clubs and sell goods online have to keep financial information, such as credit card numbers. Service providers such as doctors and dentists have to keep more sensitive information, such as social security numbers.
All of these businesses are hacker targets. To help protect consumers, the Connecticut state legislature has enacted laws that require businesses to provide identity theft protection services if a customer’s personal data is stolen.
As of 2015, Connecticut businesses have to offer one year of free identity theft protection to each Connecticut customer affected by a data breach. Public Act No. 15-142 states that affected residents must be notified as to how to enroll in identity theft protection services, and how to place a freeze on their credit file. When you consider the cost of providing theft protection services and customer notification, as well as the lost customers, a data breach can be extremely expensive for Connecticut small- to medium-sized businesses (SMBs).
SMBs need to be prepared for a data breach. Experts agree that for business owners, it’s not a question of if their computer systems will be hacked, but when. Hacking to gather personal information is a big business. Consider that on the dark web, credit card data sells for a few dollars, but health records are selling for $50 each (since they include social security numbers and Medicare records) and bank account records could sell for more than $1,000 each. At the same time, it usually takes months for a business to discover a data breach. With sensitive customer data exposed for long periods, remediation costs could amount to a small fortune for an SMB.
Ways Cybercriminals Steal Identity
Criminals have all kinds of ways to steal your identity, and many of them require no technology at all. Dumpster diving, postal theft, and “shoulder surfing” are some of the most common. There also are social engineering strategies where a fraudster fools people into surrendering personal data. Most of these won’t affect SMBs, unless someone hacks your database for contacts, or worse, uses your email system to send out phony solicitations. Here are some common identity theft ploys that use technology to compromise business systems:
Slave systems – One of the most common hacks is creating computer zombies, or machines that have been compromised for use by cybercriminals. SMBs have to be wary of viruses and Trojans that could compromise their servers, making them available for hackers to send malicious content or email from the business’s network.
Credit card theft
This is one of the most common types of identity theft, and it can be as simple as making a double swipe of a credit card at a cash register. More sophisticated tools can steal credit card data from ecommerce sites or when customers make transactions from unsecured locations, such as the Wi-Fi at the local coffee shop.
To combat credit card theft, SMBs should use data encryption and two-factor authentication (e.g. requiring an extra step such as an email or text reply to complete a transaction). Merchants also can minimize the risk of credit card theft by using secure e-payment services such as PayPal, so credit card information is never exposed.
A common practice is to place a magnetic card reader at an ATM or credit card reader to make an illicit copy of every transaction. The newer EMV chip card readers are designed to help eliminate this problem. In fact, credit card companies are now requiring EMV card readers of all merchants to minimize credit card fraud.
This is a very common form of attack that plagues many Connecticut businesses. Criminals create a mirror of a business site using a phony Web address so rather than logging in to a legitimate e-commerce site, customers log in to the phony site. This scheme redirects the user to the legitimate website but captures all transaction information in the process.
Malware infections can be introduced from any number of sources, such as email attachments, file downloads, and infected web sites. Once a machine is infected, the malware can log screens or keystrokes and send information back to a hacker across the Internet, or compromise your data in any number of ways.
Protecting Your SMB Data
These are just a few of the ways that hackers steal personal information, and here are a few steps that SMBs can take to protect customer data:
Develop a defense plan – Be sure you are prepared in the event of a data breach. You should have a contingency plan to back up and protect your own data, and to protect customer information.
Stay current – Be sure that all your systems and software are up to date. Software patches often contain bug fixes as well as security fixes that resolve known weaknesses.
Encrypt your data – Data encryption is the best way to protect your data. Even if a hacker manages to get access to customer information, encrypted data will be useless to them.
Monitor your network – Keep a close eye on network traffic and look for unusual activities and anomalies. There are many telltale signs of a cyberattack, and not all of them are detected by security software.
Be proactive with customers – Help customers protect themselves. Adopt payment systems such as PayPal that protect personal information. Use two-factor authentication for login to ensure customers are legitimate. And provide helpful hints to help customers keep personal data safe.
Get expert help – A managed services company can be an invaluable resource for system security. For example, NSI provides off-site security monitoring as well as systems backup and other services to protect our customers’ systems. We also provide a security audit and make recommendations to help you protect sensitive data.
Every business owner needs to take data security seriously, and Connecticut SMBs in particular need to be careful to protect customer identity to prevent costly fines and remediation steps. When it comes to data security, it pays to be proactive because cleaning up the mess once customer data is stolen can be costly.