Deterring hackers with simple security precautions.

Brand Barney, Security Analyst, SecurityMetrics
Small to midsize merchants often trust that their modest size will allow them to slip below hacker radar. Sadly, trends show hackers actually focus on smaller merchants. Visa estimates 95% of the credit card breaches it discovers are on its smallest business customers.

Compromises don’t come cheap either. It has been estimated that small businesses can pay upwards of $50,000 for a single data breach and that doesn’t account for a bruised reputation.

Neglecting simple security measures is what lets hackers into a business network and allows them to steal your sensitive information. In truth, hackers like easy targets: they will typically pass over merchants that have even simple protections safeguarding customer data and look for a network that is easier to break into. Hackers are smart and are not likely to waste time on a properly protected target that they do not think will net a big gain or a large amount of data. The basic principle of time = money applies to hackers as well.

But don't worry: here are some basic security tips that will help deter hackers in the first place.

1. Your passwords are easily predictable. Change them.

It’s common for IT companies that configure merchant POS software and other network hardware/software to set up their merchant customers with identical passwords. Often the default password is ‘password’, ‘123456’, or no password at all. Anyone with a brain can discover default passwords for just about any payment application via a simple Google search or freely downloadable password cracking software.

Ensure all authorized users at your business have unique user credentials (meaning their own username and password) that use uppercase and lowercase letters, numbers, and special characters.
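An added example, not code from the article or from SecurityMetrics, of the audit a merchant or their IT provider could run over the account list an installer hands over: it flags the default passwords named above, missing character classes, and accounts that share one password. The credential list and the default-password set are constructed for the example.

```python
import hashlib
import re

# Vendor defaults the article calls out; constructed starter list for this example,
# extend it with the defaults documented for your own POS and payment software.
DEFAULT_PASSWORDS = {"", "password", "123456"}

CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_findings(password, min_length=12):
    """Return the policy violations for one password (empty list means it passes)."""
    findings = []
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("well-known default password")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            findings.append(f"missing {name} character")
    return findings


def audit_credentials(credentials):
    """Audit a {username: password} mapping; returns {username: [findings]}.

    Besides per-password policy it flags accounts that share a password, the
    'identical passwords for every account' pattern described above. Passwords
    are compared by SHA-256 digest so the report never echoes them.
    """
    by_digest = {}
    for user, password in credentials.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(user)
    report = {}
    for user, password in credentials.items():
        findings = password_findings(password)
        sharers = by_digest[hashlib.sha256(password.encode()).hexdigest()]
        if len(sharers) > 1:
            findings.append("password shared with " + ", ".join(u for u in sharers if u != user))
        if findings:
            report[user] = findings
    return report


# Constructed sample: three POS accounts as an installer might deliver them.
SAMPLE_CREDENTIALS = {"manager": "password", "register1": "password", "register2": "Vx7#qLm2pR!9"}
```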

2. You leave the virtual door wide open. Close it.

Envision a merchant who owns a hardware store. At day’s end he turns off the lights, walks out, and leaves the front door wide open behind him. That risk is analogous to a network without a firewall in place. Firewalls are meant to keep bad things from getting in and to stop the wrong things (like customer credit card information) from getting out. Hackers regularly scan for unprotected networks just as burglars check for unlocked doors.

Nearly 50% of merchants that SecurityMetrics’ forensics team investigates do not have a firewall in place, and many that do don’t configure them properly. Ensure you have a properly configured firewall, which will make it difficult for hackers to get into your system, and even harder to export data out. I recommend speaking with a professional to ensure your rules are properly configured.

3. You don’t update software regularly. Update it.

Many businesses suffer critical IT failure from operating with non-secure payment processing software. Be vigilant about consistently updating the software and hardware associated with your processing environment. Published updates often contain essential security enhancements that will correct vulnerabilities in existing versions.

Depending on how your environment is set up, staying on top of security means downloading updates for your POS terminal, Internet browser, computer applications, and/or firewall.

4. Your mutinous employees will wreak havoc on your business. Monitor them.

According to SailPoint Research, 22% of U.S. and 24% of British employees said they would feel comfortable selling their employer’s data. Background checks, security cameras, and unique employee login credentials will help you monitor employee conduct. Ensure employees know their actions are being monitored and that violations will be dealt with through termination and prosecution. All employees should be required to read and sign employee security and sanction policies.


5. You don’t monitor your logs. Start now.

Proactive monitoring of firewall, server, file integrity monitoring, and database logs can lead you to a problem quickly so you can put an end to it. You should have your audit logs readily available for three months, and at a minimum require that audit logs be retained for at least 12 months.

You should be reviewing your logs at least daily for malicious activity. Reviewing logs will help you stay familiar with your system and will alert you to any malicious events on your network. Now, I realize that many merchants will view this process as tedious; however, there are security companies that sell log harvesting, parsing, and alerting tools that analyze event logs and notify you when malicious activity is observed.
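An added example, not code from the article or from SecurityMetrics, of the kind of check a daily log review (or an alerting tool) performs: it reads SSH authentication lines from a POS server's syslog, raises an alert when one source racks up repeated failed logins inside a short window, and a second alert if that source then logs in successfully. The log lines are constructed for the example and use a documentation IP range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format. 203.0.113.0/24 is a documentation
# range (RFC 5737), not a real address.
SAMPLE_LOG = """\
Mar 14 02:13:07 pos-server sshd[1181]: Failed password for admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:13:09 pos-server sshd[1181]: Failed password for admin from 203.0.113.45 port 51123 ssh2
Mar 14 02:13:12 pos-server sshd[1181]: Failed password for admin from 203.0.113.45 port 51124 ssh2
Mar 14 02:13:14 pos-server sshd[1181]: Failed password for admin from 203.0.113.45 port 51125 ssh2
Mar 14 02:13:15 pos-server sshd[1181]: Failed password for admin from 203.0.113.45 port 51126 ssh2
Mar 14 02:13:20 pos-server sshd[1190]: Accepted password for admin from 203.0.113.45 port 51127 ssh2
Mar 14 09:41:02 pos-server sshd[2203]: Failed password for clerk from 192.168.10.7 port 40011 ssh2
Mar 14 09:41:30 pos-server sshd[2204]: Accepted password for clerk from 192.168.10.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def review_auth_log(text, threshold=5, window=timedelta(minutes=10), year=2017):
    """Return alert strings: brute-force bursts and any login that follows one.

    Syslog lines carry no year, so the caller supplies it (default chosen for the
    constructed sample).
    """
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of recent failures
    burst_sources = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are skipped, not alerted on
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(f"{ts:%H:%M:%S} brute force: {len(q)} failures from {src} within {window}")
        elif src in burst_sources:
            alerts.append(f"{ts:%H:%M:%S} success after brute force: {user} from {src}")
    return alerts
```

The single failed login from the clerk's workstation stays below the threshold and produces nothing, which is the point of windowing: one mistyped password is normal, five in eight seconds is not.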

6. You likely store card data, even if you think you don’t. Delete it.

Unprotected payment card data may be stored behind the scenes of your computer systems, leaving data readily available for criminals to steal. Storing this data in an unencrypted state is actually against the Payment Card Industry (PCI) Data Security Standard (DSS).

Even if you think you aren’t storing it, you’d better double check. According to 2016 data, 67% of merchants store unencrypted card data (http://blog.securitymetrics.com/2017/04/2016-PANscan-study-protect-card-data.html), often unknowingly. The easiest way to find payment data is to use a card data discovery tool that alerts you to its location so you can securely delete it.
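An added example, not code from the article or the PANscan product, showing the core of how a card data discovery tool finds stray PANs in text: it pulls out 13 to 19 digit runs (with or without spaces or dashes), keeps only those that pass the Luhn check and start with a leading-digit range of the card brands named on this page, and reports them masked to first six and last four. The sample text and the brand prefix table are constructed for the example; walking files with os.walk and feeding each one to find_pans is left to the caller.

```python
import re

# Candidate: 13-19 digits, single spaces or dashes allowed between them,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading-digit ranges for the brands named in the article (constructed summary, not exhaustive).
BRANDS = [
    ("Visa", re.compile(r"^4")),
    ("MasterCard", re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))")),
    ("American Express", re.compile(r"^3[47]")),
    ("Discover", re.compile(r"^(6011|65)")),
    ("JCB", re.compile(r"^35")),
]


def luhn_ok(digits):
    """Mod-10 check digit test: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10-18 to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four (the PCI DSS display limit), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (masked_pan, brand, offset) for every likely PAN found in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            continue
        brand = next((name for name, rx in BRANDS if rx.match(digits)), None)
        if brand:  # report only numbers that look like a card from a known brand
            hits.append((mask(digits), brand, m.start()))
    return hits


# Constructed sample: a stray POS receipt log holding two well-known test card numbers,
# a Luhn-invalid order reference and a phone number; only the first two should be reported.
SAMPLE_TEXT = (
    "2017-03-14 receipt 1042 card 4111 1111 1111 1111 approved\n"
    "2017-03-14 receipt 1043 card 378282246310005 approved\n"
    "order ref 1234567812345678 phone 801-555-0100\n"
)
```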


7. You may not be PCI compliant. Get help.

Every single merchant who stores, processes, or transmits payment card data is required by Visa, MasterCard, American Express, Discover, and JCB to become PCI compliant. The PCI standards were created to protect you and your customers from data compromise.

Typical steps to validate PCI DSS compliance include completing an annual self-assessment questionnaire (SAQ), passing vulnerability scans, and maintaining an information security policy.

Merchants typically find that, because of the highly technical aspects of PCI, they need additional assistance. The PCI Council provides Qualified Security Assessors (QSAs) to help merchants with the process.

Remember, your security matters!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.