BreachExchange mailing list archives

Five Ways That Small Businesses Risk Customer Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Mar 2014 13:22:39 -0600

http://www.businessweek.com/articles/2014-03-14/five-ways-that-small-businesses-risk-customer-data

Data breaches and cyberattacks have dominated the news over the past
several months, embarrassing such big companies as Las Vegas Sands (LVS),
whose casino in Bethlehem, Pa., was attacked, and Target (TGT), which
suffered the biggest retail attack in U.S. history.

Hackers don't just go after multinationals. Smaller companies are often
prime targets for attackers looking to exploit weak security, says Kevin B.
McDonald, executive vice president of computer network management company
Alvaka Networks. Entrepreneurs may also be caught by opportunistic attackers
who scan broad ranges of IP addresses looking for any exposed system with a
known weakness, rather than singling out a particular company.

"The first step to defense is eliminating denial," McDonald says. Here are
five areas in which entrepreneurs should wise up and increase their
customer safeguards.

Off-line practices. State-of-the-art online security won't protect against
terrible office practices, like passing around order forms with credit-card
numbers and other customer data. "Many breaches occur right in the office,
just due to bad data-protection policies," says Scott Sanfilippo,
co-founder of Solid Cactus, an e-commerce consulting company. Any employee
who writes down a customer's credit-card number on a piece of paper,
crumples it, and tosses it in the trash is putting that customer at risk.

Employees. Train workers regularly to identify and avoid such common scams
as phishing attacks, says Will Pelgrin, chief executive of the nonprofit
Center for Internet Security. Establish a written security policy that
governs employees' day-to-day activities on company computers and accounts
so they don't inadvertently invite intruders into your network.

Mobile. Don't forget employees' tablets and smartphones, which are
increasingly being used for work. "The perimeter has dissolved, and
security protections are dependent on each user with a mobile device,"
Pelgrin says. Every device should have anti-virus and anti-malware software
and commercial-grade firewalls installed, McDonald says.

Hardware safeguards. Does your company collect customers' names, addresses,
and dates of birth (maybe to send them birthday deals)? If so, you've got
enough information for an impostor to steal that customer's identity. Don't
keep any data you don't legitimately need, and make sure you're guarding
that data responsibly. Start with good password policies and full-disk
encryption on every computer, says Jonathan Hirshon, a privacy advocate and
principal at high-tech marketing agency Horizon Communications. He
recommends encryption software that implements the Advanced Encryption
Standard (AES); free tools such as TrueCrypt are one option.

Passwords are also common weak spots. "If you use a single word as your
password, it's hackable in under 20 minutes--maybe under 10," Hirshon says.
Instead, use a pass-phrase that consists of several words, at least one
number, and one special character. "Something like,
'Ilikewatchingchannel5!' is much more difficult to hack," he says. Better
yet, password managers such as 1Password or LastPass let you generate
random, unique passwords for different sites without having to remember
each one.
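The password advice above can be turned into a small policy check and a generator. This is an added example written for this archive page, not code from the article or from any of the people quoted in it. It assumes a tiny constructed stand-in for a real wordlist (a deployment would load a dictionary or breached-password list instead), and its entropy figure is a crude character-class upper bound: a passphrase built from common words is weaker than that bound suggests, which is why the check also rejects a bare dictionary word.

```python
import math
import secrets
import string
from typing import List

# Constructed stand-in for a real wordlist (assumption: a real deployment would
# load /usr/share/dict/words or a breached-password list with millions of entries).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "sunshine", "football", "qwerty", "iloveyou"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that contains every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound entropy estimate: length * log2(charset size).

    This assumes every character was drawn uniformly at random, so it is only
    accurate for generated passwords; human-chosen phrases score far higher
    than their real strength. Returns 0.0 for an empty string.
    """
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw: str, min_bits: float = 60.0) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Policy (from the article's advice): not a single dictionary word, contains
    at least one digit and one special character, and long enough that the
    character-class estimate clears min_bits.
    """
    problems = []
    # "dragon", "Dragon1!" and "DRAGON!!" all reduce to the same dictionary word.
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("single dictionary word (digits/symbols only at the ends)")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    bits = estimated_entropy_bits(pw)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.0f} bits is below {min_bits:.0f}")
    return problems


def generate_password(length: int = 20) -> str:
    """Random, unique-per-site password of the kind a password manager produces.

    Uses the secrets module (CSPRNG), never random.random(). Resamples until the
    result satisfies check_password, so a caller never receives a digit-free or
    symbol-free string by chance.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["dragon", "Dragon1!", "Ilikewatchingchannel5!", generate_password()]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {estimated_entropy_bits(candidate):.0f} bits, {', '.join(verdict)}")
```

Note the ordering of the checks: a single word with a digit and "!" tacked on still fails the dictionary test, which is the failure mode the character-class estimate alone would miss, and the 60-bit floor is an assumption chosen for illustration rather than a figure from the article.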

Cloud protection. With companies increasingly moving to offsite data
storage, you should be sure that your data in the cloud is protected. "Use
an offsite data-backup provider that is keeping your data encrypted in more
than one location, and [make sure] that their security is strong enough for
intruders not to get in," says Jennifer Walzer, chief executive of online
data backup service Bumi. Ask questions before hiring a cloud service
provider, Pelgrin says: "What measures are in place to protect data? Who
has access to the physical machine hosting your data? Where is that machine
located?"

When it comes to online financial transactions, McDonald recommends that
small businesses consider using services such as PayPal (EBAY). "If it's
set up properly, it can dramatically reduce your exposure and shift much of
the cost and effort of compliance" off your company, he notes.

A thorough risk assessment will help you identify security gaps in your
company. McDonald recommends NIST Special Publication 800-30, Guide for
Conducting Risk Assessments (PDF), from the National Institute of Standards
and Technology. "Be honest and
thorough in this process," he says. "Failure to identify obvious risks not
only puts the data at risk, but also can lead to punitive damages if you
are later found to have been neglectful."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
