For businesses today, taking credit cards and storing information on a computer is a normal practice, though is data security? In today’s world, it isn’t “whether you will be hacked”, it’s more a matter of “when will you be hacked”. We’ve seen a number of companies hacked over the last few years and their client data compromised. The most recent larger company is Caribou Coffee.
According to the Data Security Notice they published on December 3, 2018 (17-days before alerting the media), 265 Caribou Coffee shops around the nation were actively being hacked from August 28, 2018 through December 3, 2018 with their customer’s credit card information being stolen right from their Point of Sales terminals! This issue was first detected on their network on November 28th, but wasn’t stopped for 5-days after… and 97-days after the first signs of the hack! The sad part is… this isn’t abnormal.
Companies of all sizes need to be mindful of this
Companies of all sizes are at risk of being hacked and exposing their customer’s private data, from 1-person sole proprietors to companies with thousands of employees and a dedicated security department. It is not a matter of “if you will be unlucky enough to be hacked”, but “when will you be hacked and how can you slow them down”. As an example, our company on any given day has seen, on a slow day… 1 or 2 hacking attempts, to literally hundreds of hacking attempts on a particularly busy day… and we’re a very small local business. Luckily, we are very mindful of digital security. Hackers will not stop… because the information to them is valuable, and to be honest, it’s surprising that we don’t hear about more companies being compromised.
But I don’t store credit card data on my computer, I type it into my online processor: There are things called screen recorders, keyloggers, and the like that easily bypass any security you think you have with not actually storing this data on your system(s).
But I don’t store customer data on my computer, everything goes into XYZ online drive: Again, there are things called screen recorders, keyloggers, trojans/remote control software that makes any security that your online data storage provider completely moot.
I’m too small for them to care about: We’re a 2-person shop, and as we have already stated, we see between 1 to hundreds of hacking attempts a day on our internal network (that’s not even including our websites). Think about it this way — they can be attacking multiple “places” at the same time, they have no clue how big or small you are, and honestly, a smaller business or consumer is a better target for them because you’ve likely implemented fewer security measures for them to have to jump through and a lot less likely to be caught or stopped.
I don’t save any personal data on my computer: You’ve never logged into your email? The amount of personal data just included in your email, for most, is astounding and most don’t realize how much their email contains. Additionally, many sites send a password reset link to your email. They can also use you as a stepping stone to everyone you know and love.
I have bad credit/don’t have any money, so it won’t do them any good: You could have worse credit or less money. They can also file fraudulent tax forms on your behalf. One way to think about this also… do you have the time to deal with the hassle of your life being turned more upside down and more drama?
Ways Businesses can slow their chances of being hacked and compromised
Some people might think “Well… if a large company can’t protect themselves… why would I even bother trying?”. My response to that is “Well… part of the unwritten social contract of you being in business is that you will do your best to protect your clients and customers data that they have given you. It doesn’t matter if you are a healthcare company governed under HIPAA, or a hobby business making candles and jewelry. You need to do your part and not be grossly negligent with their information.”
You must have a good, active, up-to-date anti-virus system on your computers — Windows, MacOS, Linux, phones, and other digital devices. There is not a system today that is immune to viruses and malware.
Make sure you have an active firewall.
Make sure you have all your system updates installed! (You’d be surprised at how many people we’ve seen that don’t… including businesses). If you suck at applying updates to your computer — pay a company to do it for you. (just make sure they are reputable, have good employment practices, and someone you can trust with everything… because they will have open access to your system).
Don’t just willy-nilly be installing different programs and apps (i.e. games, tutorials, etc) on your computers or phones. Research first: is this a good, reputable program and company that made this? You thought “fake news” was bad… bad programs/apps are worse.
Make sure you are applying updates to your devices in a timely fashion. This goes for ALL devices. Keep in mind, phones are the most notorious for crappy security, and security updates have been known to be delayed months (that is if you ever even get that update from your provider).
Your business and home networks should have a network security appliance. Your run-of-the-mill, ever day router will not cut it anymore. Some nice, affordable ones for home users and businesses are ones like the Bitdefender Box 2 ($179-$250), the Unifi Security Gateway ($99-$140), the Netgear AC2300/N7000P with Netgear Armor ($160-$200). There are other options as well, some are less expensive, some are more expensive. Some have more features, some have less. For our business, we employ multiple different practices, not just one. Reminder: you will need to login to these devices (in most cases) to check for updates, etc! Next — these devices (modem, router, etc) should be in a locked cabinet, room, etc with limited access.
Take your computer into a professional at least once or twice a year to be inspected. We offer this as our “Tune-Up service” but it’s way more than just speeding up your computer.
Never ever let someone you do not know and trust touch or remotely access your computer or device. Some hacks take less than 5-seconds to implement when having direct access to a device.
Regularly scheduling security scan(s) of your device(s). For personal devices, it depends on how often you use that device. For businesses, scans should be done at least daily, if not more.
Do not let employees “Bring-their-own-Device”. This is a horrific practice all in the name of saving money, and you’re just asking to be hacked. On that note, if at all possible (this can be very tough for a small business, and possibly impractical), separate personal and business. If possible, have separate personal and business devices (including phone), and email. Only do personal stuff on personal devices, and only business stuff on the business devices. Additionally, have different passwords.
If it is a mobile device, it should be encrypted.
Realize, this is not an all-inclusive list, and this is an ever-changing field of engagement. This is only to help give you a stepping stone to give you some concept of how to protect yourself and customers.