A New Year often means new beginnings, but 2017 may also be a new chance for hackers to target retailers – who are often a prime target for easy cash. CERT Australia was notified* of nearly 15,000 cyber security incidents affecting Australian businesses from June 2015 to June 2016, with ACORN reporting** an overall $1 billion of self-reported losses for individuals and small businesses. Luckily, there are plenty of simple ways to improve retail security to protect both retailers and customers that won’t break the bank.
1. Chip readers, the first step for protection against fraud
If you don’t have one, you’re not alone. A startling number of small businesses don’t have the latest point-of-sale (POS) gear that reads the newer style of payment cards with chips (EMV). Australians spent $703 billion on their cards*** over the 12 months to 30 June 2016, but of this, a total $521 million was fraudulent. Getting aboard the chip card train not only increases your protection against fraudulent shoppers, it also improves your security profile as chip readers can provide scammers with a good indication of your overall “hackabillity”.
Also, note that many of the hacks start with the remote management software used in POS equipment, so make sure that this is protected, too.
2. Say goodbye to your faithful old router
One of the most common attack points nowadays is your broadband router. More than just a device for directing digital traffic, it also does a lot of firewalling by blocking dangers and threats from creeping into your office and spreading to other devices. If you’re taking all practical steps to keep the OS and applications on your devices up-to-date and have security software installed on each of them yet your computer is still infected, it could be time to say goodbye to that 10-year-old router. New mid-priced routers often have good firewalls with the latest threat detection built in, and you can pick them up for just a couple hundred dollars.
3. So you’ve been hacked…
Unfortunately, most retail businesses don’t have a disaster recovery plan,**** or if they do, it’s rarely updated and no longer relevant to half of their new equipment. However, having a plan is better than nothing and can minimise the risk to your business in the event of payment card theft. If you can prove that you took some basic security steps, your part of the bill could drop significantly in the event of a hack.
If, on the other hand, you don’t have a basic plan, the costs could be staggering, and that doesn’t even include costs associated with loss of reputation. A prime example is the hack against Australian domain registrar and web hosting service Distribute.IT***** in 2011, which virtually destroyed the business overnight.
4. Have a techie friend or an accessible security expert
It might be as simple as having someone who knows the tech and the right tools, and can explain it to real people. As an owner you’re probably the only one who sees the business unit as a whole and therefore understands where it needs protecting. You need that same perspective when it comes to protecting your business digitally – someone who gets the big picture and can recommend what’s best for your specific situation. It is also always good to have a security expert on hand for questions, especially when you’re starting up.
5. Update, update and update — preferably automatically
Automation is key: unless you want to spend every night reading security mailing lists and applying patches manually, you have to automate updates in order to ensure you always have the latest defences against the latest attacks. In fact, a business does not need to be terribly large for a patch management system to be worthwhile, and these will monitor and alert you to systems that are not suitably up-to-date, or even enforce patching, for common OSes and applications.
Your job is to run a business, not run all the security updates to stay safe. So find software, firmware, and hardware that keeps up. This includes everything from your endpoint security and mobile devices, to your physical security system on the doors and windows. Security changes fast, so make sure your business does as well.
The good news is that it doesn’t always have to become an expensive process. A modest spend and some common sense will have your business secure and ready for the digital world in 2017.
* https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf
** https://insidesmallbusiness.com.au/planning-management/is-your-small-business-at-risk-of-cyber-attacks
*** http://www.apca.com.au/docs/default-source/2016-Media-Releases/apca-releases-interim-payments-fraud-data.pdf
**** http://www.welivesecurity.com/2015/06/25/recover-hack/
***** http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html
Nick FitzGerald, Senior Research Fellow, ESET
