Data Encryption And SMBs – The Smaller You Are, The Greater The On-Line Threat.

Many of the stories covered in the media regarding data and security breaches involves companies that are large, usually Fortune 500, maybe Fortune 1000.  We must not forget, however, that any business needs to practice proper security when it comes to customer data.


For example, the Boston Globe covers today the theft of customers’ credit card data at Not Your Average Joe’s, a restaurant chain based out of Dartmouth, Massachusetts.  This chain is small by most measures, with 13 restaurants in Massachusetts and one in Virginia.  Based on an ongoing investigation, about 3500 customers were affected, most of them patrons at their Hyannis restaurant.  This is despite Not Your Average Joe’s having proper security measures in place.  The Secret Service has gotten involved, and they think that there was an internal security breach, although restaurant management believes that none of their regular personnel were involved.  They have hired a forensic expert to dig deeper into the issue.


The above situation, while unfortunate, is not unusual.  Based on a recent report, small and medium businesses (SMBs) are unprepared for cyber crime; indeed, the word “sitting duck” was used to describe their preparedness.  In most industrialized countries such as the United States, SMBs make up 97 to 99 percent of all companies.  Yet, because these companies are much smaller than Fortune 500 businesses, they cannot afford the full-fledged IT staff that large companies can.


Before you start wondering whether SMBs would require an IT staff—of either one or more—you must take into consideration that a lot of companies now take and make payments over the Internet, which involves a computer (obviously).  This alone means that SMBs face the same threats at larger companies do.  Personally, I think the threat is higher, since SMBs usually deal with one customer at a time, and end up collecting more credit card numbers and customer information than companies such as Ford Motors would.  The latter is a bigger company, but in terms of checking accounts and credit card numbers to be protected, Ford probably numbers well below that of Not Your Average Joe’s.  For example, the Massachusetts restaurant chain served over 350,000 customers in August and September alone.  If half of them are return customers, it implies 175,000 new customers over two months, or nearly one million new customers every year.  Ford’s list of vendors and dealers is probably smaller than that combined.  Couple that huge amount of data with the little emphasis on data security, and you’ve got a potential nightmare on your hands.  Especially for small businesses.  Especially for a restaurant (great restaurants go under for fickler reasons.  Patrons who are victims of identity theft would have a valid reason for fishing out their Zagat surveys at lightning speed).


The danger to SMBs doesn’t lie only on appeasing customers, however.  A court filing by Visa in the TJX credit card security breach case shows that credit card companies have gotten better at identifying instances of fraud, and the original source of the credit card breach.  In other words, the credit card companies can tell that their loss—issuing new cards and other costs—can be traced back to a particular business.  One has to wonder what will be the effect if fraud can be traced back to a security breach at a small business?  With potentially hundreds of thousands of credit card information and customer data, would the business survive if Visa or MasterCard decided to ask for reparations?


What can SMBs do to minimize such threats?  To begin with, they must ensure that the computers they use for Internet transactions and recording other sensitive data remain secure.  The best thing to do is to set up firewalls and only visit those particular sites for transacting business only.  Sites such as Hotmail or Yahoo!Mail should be blocked as well, in case an employee tries to check his e-mail from the same computer and unleashes a storm of malware by mistake.


Also, make sure that only people involved in making charges can access the computer.  This can be done by securing the computer with a password.  In order to make sure that the password does not get passed around, specify which users can access a computer and give those users the ability to change their own password.  Using a service such as AlertBoot, SMBs can easily create user profiles with the authority to access devices as necessary.  The users can also specify their own password, and these can be used successfully across all devices, meaning employees don’t need to remember multiple passwords for separate devices.  If the password is changed, it would be changed for all devices automatically as well—less administrative work for all involved.


For computers with sensitive data, SMBs might also want to start using white lists to specify which programs are allowed to run on a computer (Internet explorer, with firewall, yes; pirated copy of Solitaire, no).  This way, if a Trojan horse or a virus, or some nefarious application running in the background, is deployed without your knowledge, it will fail to execute since it’s not part of the white list.  While legitimate business sites are safe for the most part, they are not completely failsafe, as revealed in the security breach.


Application control is different from running antivirus and anti-spyware software.  As everyone knows, such software is not preventative but reactive—the software does its job once the experts identify and determine that there is spyware and viruses to be blocked and destroyed; prior to that, the virus is free to roam your computer.  The use of application control with white lists is preventative in nature.  Since it severely limits the use of the computer, it’s great for controlling and maintaining the security of computer being used for financial transactions and legitimate business only.  With AlertBoot the hardware ports found on computers can be deactivated on a per user basis as well.  This way, the business owner can hook up a USB drive to the computer and copy files, whereas the accountants with limited rights cannot.


Last but not least, any business owner with sensitive financial data, relating to the business itself or to customers, will probably want to have their computers encrypted.  After all, theft of electronic equipment happens all the time.  If somebody physically lifts your computer and takes it out of your business premises, just a simple password might not be enough to protect your data.

Comments (0)

Let us know what you think