Entries tagged with “data security for small businesses”.


“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.  Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that the connection between customer and company continues to grow.  Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may be associated with it.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.
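The data inventory described above is usually the first concrete step: before you can minimize stored payment data, you have to find where it already sits in spreadsheets, exports and notes. The following is an added example, not code from the original post or from the Better Business Bureau, showing one way to do that pass. It scans a set of files (constructed in-memory samples here, standing in for real files on a merchant's systems) for digit runs that look like card numbers and keeps only those that pass the Luhn check, which filters out invoice and phone numbers that a bare regex would flag. Findings are reported masked (first six and last four digits) so the inventory itself does not become another copy of cardholder data. File names, contents and the `inventory` function are assumptions made for the example.

```python
import re

# Candidate runs of 13 to 19 digits, allowing a space or dash between digits,
# and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; that is what may be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the plaintext PANs found in one document (Luhn-valid only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inventory(files: dict) -> dict:
    """Map each file name that holds card data to its masked findings."""
    report = {}
    for name, content in files.items():
        pans = find_pans(content)
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


# Constructed sample files. The card numbers are well-known test numbers,
# not real cards; the 19-digit invoice number is Luhn-invalid on purpose.
SAMPLE_FILES = {
    "orders/2012-09.csv": (
        "order_id,customer,card\n"
        "1001,J. Doe,4111 1111 1111 1111\n"
        "1002,A. Roe,5555-5555-5555-4444\n"
    ),
    "notes/phone-log.txt": (
        "Called supplier at 800-555-0199, invoice 1234567890123456789 pending\n"
    ),
    "hr/staff.txt": "No card data here; desk phone 555-0100\n",
}

if __name__ == "__main__":
    for name, findings in inventory(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(findings)}")
```

Anything this turns up in a file that is not part of the payment system is a candidate for deletion or for moving behind the payment provider, which is exactly the scope reduction the rest of the post argues for.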

When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.”  By digital data, I mean the data that is stored in our networks and computers, our POS systems and other “networked” appliances.  It’s easy to lose sight of the fact that copiers, printers, and fax machines are often “networked appliances,” complete with memory.  That means that it is conceivable that when you send a fax or make a copy, that appliance could retain that data in its memory.  As a result, that appliance now represents a point of vulnerability for the network.

The ability of these devices to store data should also be a consideration when looking to lease or buy previously used equipment, particularly when buying or leasing used POS equipment.  You may be introducing someone else’s liability into your secure environment.  This is where having proper policies and procedures becomes vitally important.  Merchants should have a process for evaluating security options on the device or equipment (does it allow for overwriting or encrypting the data in memory?); security procedures should also be in place to ensure that the device memory is regularly overwritten to avoid data leakage.

The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.”  Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it.  Information security policies and processes become more and more important.  It can also be helpful to find strategies for limiting the size of the cardholder data environment.

Recent reports indicate that small businesses tend to overlook the threat of a data security breach.  ControlScan, a company that specializes in assisting small- and medium-sized businesses with PCI compliance issues, recently completed a study in cooperation with Merchant Warehouse.  The findings indicate that close to 80% of the surveyed merchants felt that they had little to no risk of a breach.  What’s more, according to ControlScan’s CEO Joan Herbig, close to half of the merchants surveyed hadn’t even heard of the PCI DSS.  These findings indicate a serious lack of communication between ISOs and Acquirers and their small merchants.

Since 2006, all organizations that store, process, or transmit cardholder data have been required to comply with the data security requirements contained within the Payment Card Industry Data Security Standard.  In fact, the Payment Card Industry Security Standards Council has even created a microsite dedicated to educating small merchants on the PCI DSS and their obligations under that standard.  The ramifications of non-compliance are many and can be overwhelming even for large merchants.  Should a breach occur, the fines, fees, and penalties can quickly add up and in many cases have put companies out of business.

This post could easily take on an alarmist tone.  Some might say that it already has.  Regardless, though, small merchants must comply with the same set of standards to which large companies are beholden.  How can one do that with comparatively limited resources?  By limiting the places in the merchant system that store, process, and transmit cardholder data.  Using a solution that processes payment card transactions using point-to-point encryption (P2PE) and tokenization can serve two objectives – making the data more secure, and reducing the burden of complying with the PCI DSS.
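To make the tokenization half of that concrete, here is an added example that is not code from the original post or from any particular P2PE or tokenization vendor. It models the boundary between a payment provider's token vault and a merchant's own order database: the provider hands back a random token plus the last four digits, the merchant stores only that, and later refunds reference the token so the provider resolves it internally. The `ProviderVault` class, the function names and the constructed test PAN are all assumptions for the example; in a real P2PE deployment the PAN reaches the provider encrypted by the terminal and never touches the merchant's systems in the clear, which is what takes those systems out of scope.

```python
import hashlib
import hmac
import json
import secrets


class ProviderVault:
    """Token vault on the payment provider's side (constructed for this example).

    The merchant never holds this object's data; it stands in for the
    provider's P2PE decryption and tokenization service.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_index = {}
        # A keyed hash lets a returning card map to the same token without
        # keeping a plaintext PAN index in the vault.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token: no mathematical relationship to the PAN, so a
            # stolen merchant database cannot be turned back into card numbers.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def provider_authorize(vault: ProviderVault, pan: str, amount_cents: int) -> dict:
    """Provider's response to a sale; this is all the merchant's systems see."""
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
        "approved": True,
    }


def merchant_record_order(order_id: int, response: dict) -> dict:
    """What the merchant's own database keeps: token and display data only."""
    return {
        "order_id": order_id,
        "card_token": response["token"],
        "card_last4": response["last4"],
        "amount_cents": response["amount_cents"],
    }


def merchant_refund(vault: ProviderVault, order: dict) -> dict:
    """Refunds and repeat billing reference the token; the provider resolves it."""
    pan = vault.detokenize(order["card_token"])
    return {"refunded_last4": pan[-4:], "amount_cents": order["amount_cents"]}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does anything the merchant stored expose the full PAN?"""
    return pan in json.dumps(record)


def demo() -> dict:
    vault = ProviderVault()
    pan = "4111111111111111"  # well-known test number, not a real card
    order = merchant_record_order(1001, provider_authorize(vault, pan, 2599))
    repeat = merchant_record_order(1002, provider_authorize(vault, pan, 1000))
    return {
        "order": order,
        "same_token_for_returning_card": order["card_token"] == repeat["card_token"],
        "pan_in_merchant_db": record_contains_pan(order, pan),
        "refund": merchant_refund(vault, order),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the `pan_in_merchant_db` check makes is the one the post makes in prose: once the merchant's database holds only tokens and a last-four, there is simply less cardholder data to protect, and the vault (and its keys) is the provider's problem rather than the merchant's.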

If you are a small merchant and you haven’t heard about PCI DSS or aren’t sure what you should do, reach out to your ISO or Acquirer.  They can explain what the standard requires and how you can achieve compliance.

October is National CyberSecurity Awareness Month (NCSAM).  This year marks the 9th year that the Department of Homeland Security, the National CyberSecurity Alliance, and the Multi-State Information Sharing and Analysis Center have sponsored a series of events designed to raise public awareness of cybersecurity issues.  This year, the overall theme of the month is “Our Shared Responsibility.”  The intent is to get everyone thinking about how he or she can protect data, not simply relying on businesses to do so.  According to the DHS, “Emerging cyber threats require engagement from the entire American community—from government and law enforcement to the private sector and most importantly, members of the public – to create a safer cyber environment.”

Each week, the DHS will focus on a different aspect of cybersecurity.  The first week focused on general awareness.  To do so, DHS has created a “Stop. Think. Connect™.” campaign.  The idea behind the campaign is to urge consumers to think about how their online actions could impact their privacy and the security of their own personal information.  The DHS website provides consumers with some tools and resources that can be used to increase the security of the online experience.

Week two, this week, focuses on law enforcement efforts to halt cybercrime.  This includes efforts on both the state and federal level to increase resources devoted to catching and prosecuting data thieves that target corporate networks. Importantly, though, it also includes efforts to stop criminals that are targeting consumers through “spearphishing” and social media fraud.

The third week will focus on industry efforts, such as the PCI DSS, to fight cybercrime and to ensure that consumer data is adequately protected. Cybersecurity is also a major concern of small business owners, who struggle to balance the risk associated with a data compromise, with limited resources.  The DHS has provided a list of resources for small business that are looking for help in managing their data protection and cybersecurity efforts.

The last week of NCSAM focuses again on education and awareness.  The twist here, though, is that the focus is on training the “next generation” of cybersecurity professionals.  It includes lesson plans for students in K-12 to help create a cultural and generational knowledge of cybersecurity.  In an era in which states are sponsoring and hiring cyber warfare agents, one can see how becoming a country with bountiful cybersecurity resources can help secure the future.

There is a lot of discussion about security for small businesses, and for the most part that discussion revolves around data security. There is good reason for that focus.  Certainly, the number and magnitude of data thefts is on the rise, even as businesses take greater pains to secure their data.  Additional attention is given to the issue as a result of the growing number of regulatory mandates for the protection of all types of personal information.  Businesses are well-served to pay attention to their data security strategies.  A recent article in Business News Daily, though, asks just how broad your business’ security plan should be.

If you’re a small business owner, with a storefront or office location, it may be well worth the effort to create a physical security plan to deal with the eventuality of burglary or theft.  Additionally, the physical security plan should work to create a safe working environment for employees and a hazard-free experience for customers.  While we often worry about the relatively esoteric notion of someone hacking a network and stealing data, it is possible to overlook precautions for the far more likely event that someone will simply steal the equipment on which the data is stored.    Protecting that equipment is just as important as ensuring that the network is secured.

It is easy to fall into the habit of using a one-dimensional definition of security.  That is particularly true when the media and our industry are so focused on that one aspect.  But physically securing your business, making sure that your assets, your building, your employees and your customers are secure, is every bit as important.  In fact, one could even argue that the physical security of your employees and customers outstrips the other elements entirely.  The point here is to remind ourselves that our businesses are not composed of just one element, and so our security plans should reflect that.