With Black Friday and Cyber Monday on the horizon, companies of every size are preparing to kick off the holiday shopping madness. Small businesses in particular often see a large portion of the year's revenue generated during this end-of-year melee, with fabulous deals and holiday consumers colliding in a spending spree like no other.
But thieves anticipate this time of year, too. The amount of money changing hands—and going through potentially vulnerable networks and systems—makes a tempting bull's-eye. That's why you should tighten your small business defenses to ensure your holiday season isn't squashed by a cyber grinch.
Protect Your Small Business POS System
Point-of-sale (POS) systems are the primary data-transfer point for in-store customers. Unfortunately, they're also a prime target for attackers anxious to get their hands on all those credit card numbers. Physical POS terminals have been compromised in the past, but coming in through a connected back door is often more lucrative for criminals. It's a route that lets them siphon data from multiple machines and more easily cover their digital tracks.
Simply determining whether your POS system has application vulnerabilities—let alone addressing any security gaps you do find—can be a real challenge. Many big companies scan their applications for weaknesses, but Andrew Shea, vice president of information security consulting firm Conventus, says most small business owners don't have the resources for that.
"Requesting (demanding) a copy of the most recent application scan of the POS application from the vendor may yield helpful information," he suggests. It isn't a perfect solution, but it might be enough to enable you to plug the most exploitable holes. When time and budgets allow, small business operators may also want to look at ways to conduct a deeper dive into the applications used to process and store the most valuable data.
POS Security: What to Do Right Now
As you gear up your business for the Black Friday onslaught (no doubt with few resources to spare), Shea says that certain POS-related security measures should be at the top of the priority list.
"Scrutinize any out-of-the-ordinary requests from any of your service providers or software owners, and be sure to pass that on to the store level," he says. Carefully vet any requests—particularly those for adding new users, expanding privileges or changing passwords—before you accommodate them. You don't want to give an attacker an easy way into your network.
In addition, Shea encourages small business owners to "[t]urn on any tools that have intrusion prevention in a monitoring mode." Endpoint server and network tools often have some level of monitoring capabilities that indicate that an attempted compromise has been detected, so use them.
Small Business POS Security Resources
- If your SMB processes credit card data, the PCI Security Standards Council has all the details on PCI security, standards and compliance.
- Need a better way to store and manage passwords for POS system administrators? Both Vault and LastPass offer affordable solutions.
Small Business Network Security Takes Center Stage
In many small businesses, a POS system is just one of many assets in a larger connected structure of applications, servers and other infrastructure components. That means overall network security is vital. Last year the monumental Target attack—which occurred at the height of the holiday shopping season—involved not only the retailer's POS system but also a vendor connection that turned out to be less secure than originally assumed.
Make sure that you handle your most sensitive information appropriately. That means providing protection not only at the POS terminal, but also while the data is in transit. "It's critically important for ecommerce business owners to transmit this data in encrypted form using SSL (Secure Sockets Layer)," says Troy Cox, director of product at ecommerce solutions provider Bigcommerce.
If you're using an ecommerce platform, Cox advises checking with your vendor to confirm they're encrypting "all information involved in the checkout process, including but not limited to credit card information." In addition, look for a solution that performs automatic fraud checks prior to approving and processing payment card transactions.
Brian Burch, vice president of global consumer and small business marketing at Symantec, offers his thoughts on other network security threats facing small business owners.
"Small business owners should familiarize themselves with common attack methods, including spear-phishing emails, exploit of unpatched systems and software, and crypto ransomware. And they should take preventative measures to secure themselves against these threats this holiday season."
Spear-phishing, another name for those suspicious emails that show up periodically, can compromise an entire network if employees aren't careful to avoid clicking the links contained within. Software that's out of date is practically an open door for attackers. And ransomware, such as Cryptolocker and others, encrypts a small business's data. A criminal then demands ransom to make the information readable once again. You don't want to face any of these threats if you can avoid them.
Small Business Network Security: What to Do Right Now
The crucial first step toward avoiding hackers and thieves: ensuring that systems and applications are up to date on the latest security patches. "The holidays are a perfect time to update security software and operating systems," Burch says. "This protects against recently discovered vulnerabilities, as well as the increased likelihood of attack that comes with the holiday shopping season."
He also encourages small business owners to be mindful about who can access the company's data sets. If you've hired new employees, or if an employee has left the company, be sure to make any necessary changes to network authorization credentials.
While security is on your mind, it's also a good opportunity to bring employees—new and existing—up to speed on data protection best practices. "Small business owners should clearly define expectations for how employees handle customer data, from requiring password use to maintaining up-to-date security software on all devices," Burch says. You can also ensure employees know to avoid suspicious or unknown links, websites and applications.
As you apply your limited resources in the most effective way, you may want to prioritize the most valuable data you hold. "Make sure you aren't storing credit card information," Cox says. "If you are, make sure it's properly encrypted and that only the appropriate employees have access to it."
Another facet of credit card protection is confirming that your SSL certificates are valid and properly configured. In addition, Cox suggests performing a vulnerability scan. It can be a useful method for narrowing down where to focus security efforts for best effect. Tools are available that allow SMBs to conduct these scans on their own, or a third-party scanning service can be used.
Small Business Network Security Resources
- You'll find SMB-friendly, third-party security scanning solutions through Qualys and WhiteHat Security.
- If your small business owns a lot of smartphones and tablets, a mobile device management platform may provide better security for devices that connect to the network. Both AirWatch and MaaS360 offer free 30-day trials.
Julie Knudson is a freelance writer whose articles have appeared in technology magazines including BizTech, Processor, and For The Record. She has covered technology issues for publications in other industries, from foodservice to insurance, and she also writes a recurring column in Integrated Systems Contractor magazine.