SMEs should resolve to think differently about business data security
A merchant’s IT network is home to essential data, and the lifeblood of a successful business. Along with processing customer payments, business networks hold sensitive data including staff and payroll information, stock management information, business email accounts and supplier relationship details. Protecting this data and preventing security breaches should be a priority for all business owners, as failure to implement effective security measures can lead to irrevocable financial and reputational damage.
With the constant evolution of new IT and payments technology comes the necessity for new processes and standards to manage the resulting security variables. The Mako team believes that with the right education and approach to security, new technology won’t mean new security headaches for SMEs.
From the $84 million Global Payments data breach to the launch of the first commercial 4G LTE service in the UK, the last 12 months have taught us a number of technology lessons and hinted at the security challenges to come over the next year. Mako has identified the following areas for SMEs to watch, not only for security issues but for development and business upgrading throughout 2013:
1. The penetration of WiFi within small businesses
WiFi used to be an amenity offered to help attract customers into stores. While that’s still true to a certain extent, increasingly customer WiFi access is being seen as a standard requirement at businesses large and small. In providing access to guests, SMEs can also unwittingly put themselves at risk of Internet-based threats and data breaches if their network is not properly segmented and secured. For example, “Dexter” is a recently uncovered form of malware that specifically targets POS devices and seeks credit card data. Dexter attacked POS systems in 40 countries worldwide in the last few months of 2012, with 42% of infected systems located in North America and 19% in the UK. Focusing on ways to cope with malware such as Dexter and implementing the right security measures needs to be a priority for merchants when it comes to protecting business information.
2. PED protection – security from A to B
POS systems are not just being targeted through malware attacks, as terminal swapping is a popular way to commit card fraud in-store. Merchants need to secure every device connected to their network to avoid vulnerabilities that could comprise their IT systems.
Rogue terminals — compromised payment devices inserted onto a merchant’s payment network —are a way of harvesting data out of a business and into the hands of criminals. Other fraudsters may seek to leverage a merchants’ own network to access the Internet and transmit stolen data into the hands of criminals.
Bill Farmer said: “Cyber criminals will modify devices to steal information and either store it locally for future retrieval or transmit it in real-time or batches. It is not easily detectable and compromised terminals can be transmitting data for months at a time, often in environments with high transaction volumes, which is after all what the criminal is after: lots of card data.
“They collect data, hold it and then use it for small transactions months later, and then use it at an ATM to withdraw much larger sums of money at once… the cost of the breach can be hundreds of pounds per card compromised.”
But merchants need to think about security from a broader perspective rather than just when a PED is connected to their network. To really prevent alien devices infiltrating a network, PEDs need to be protected from production through delivery and beyond.
3. BYOD – bring your own device and device agnostic security systems
Alongside POS systems, smartphones and tablets are increasingly being used in-store to offer customers more payment options and improve the efficiency of stock checking and ordering. Whether it’s an employee or customer smartphone or the merchants’ tablet, connecting any additional hardware to a network increases vulnerabilities.
Mako predicts the range of devices being used in-store is likely to increase throughout 2013, so merchants need to look for security solutions that protect and wherever possible segregate payment and personal data as it passes through a network, regardless of which device takes the transaction.
Securing how these devices are connected to a network is essential. Setting up strong passwords and effective firewalls is a good first line of defence. Merchants also need to monitor network usage, particularly that of its employees. Successful monitoring improves security and reduces cost by highlighting where policy decisions on access are made and restricting vulnerable sites.
4. Robust failover to promote high availability of payments and other essential business systems
Consumers demand fast transactions, so merchants increasingly prefer using broadband to transmit card present payments. But, not only does broadband increase the security obligations for SME merchants, it also increases their dependency on one single connection. Such single points of failure can increase the potential for business disruption.
Mako has seen an increase in the demand for network redundancy and multiple failover mechanisms so that in the event of an unexpected disruption business will continue to flow.
A popular alternative connection mechanism on routing devices is 3G mobile data. If a primary connection goes down, mobile data can be used to continue business as normal. These 3G connections reduce traffic but allow priority activity to continue. As mobile data speeds improve, for example through the introduction of 4G LTE, these services will get even more efficient.
5. 4G LTE
Adoption of 4G LTE is increasing and will complement the current abilities of WiFi, giving rise to faster speeds and more traffic. This is likely to increase the use of personal devices, such as smartphones (of which worldwide ownership topped 1bn in 2012), for payment and Internet use in-store, adding pressures to the merchant environment.
Bill Farmer concluded, “In a challenging economic climate, it’s easy to consider cutting IT budgets. But instead, consider reviewing them with a view toward improving security; it may well cost a lot less than expected and could free up IT personnel for other tasks. Investing in a modern network is crucial as security becomes an increasing concern. Businesses that don’t take security seriously in 2013 could well find themselves with even larger outlays down the line.”