‘…Because That’s Where the Money Is’
These were the words supposedly uttered by the infamous bank robber Willie Sutton when a reporter asked why he robbed banks (although Sutton later denied ever saying this). Throughout history, it can be inferred that this is the reason any bank robber, or other thief, would target a specific location.
Today, this rings true even in the cyber world, where we see the computer networks of merchants breached on an almost daily basis. It is a high-tech cat-and-mouse game that has very real-world consequences for the victim business, both financially and in reputation. In fact, statistics tell us that one in five businesses fail as the result of a data compromise. The suspect, on the other hand, faces a much lower risk of even being identified or apprehended, which is one of the reasons why cybercrime is so prevalent.
You may have read about the Target breach that occurred during the holiday shopping season which, at the time of this writing, amounted to the compromise of approximately 70 million records (credit card numbers, customer information, etc.). It was also disclosed that the data was stolen from Target’s computer network via malware (malicious software) called RAM scrapers or memory parsers. These types of tools allow attackers to “scrape” credit card data while it momentarily rests unencrypted in the RAM of a computer or POS system, without affecting the legitimate sale transaction. This can be done even if the merchant does not store the credit card data long term. We sometimes refer to this as intercepting data in transit or while it is moving.
When we look at the causes behind many computer network breaches, we see the same ones repeatedly. They are: passwords that are too simple and can be easily “brute forced” or guessed with dictionary-based password guessing software, or improperly configured remote access (such as for bookkeeping) in which the remote access software may still have the default password enabled.
If you own or run a small or medium business (SMB), you may not think of your business as a target (no pun intended) for hackers, but the opposite is actually true. In fact, most industry statistics tell us that over 90% of current breaches are to SMBs. We often see hackers looking for the path of least resistance, and this is often SMBs because they are perceived to have weaker security. After all, if you were a bank robber, would you rather go after Fort Knox, or a small financial institution that likely doesn’t have as many levels of security in place?
So you may be asking, “How can I reduce the chances of my business getting breached?” The answer is through PCI compliance. PCI is a data security compliance framework that was built and is maintained to help merchants secure their computer networks against credit card compromises. It is not a guarantee that your business cannot get breached, but it represents the minimum best practices based on the current threat environment. Depending on how you accept credit cards and how this data may flow through your computer network, achieving PCI compliance may have certain challenges and may require technical assistance, but it is effective at its goal of protecting credit card data. Like many compliance frameworks, PCI is designed to help reduce your risk by reducing the chance of a computer breach.
Wind River Financial runs a program called PCI Partner in partnership with Trustwave, a data security company, which helps our customers achieve and maintain PCI compliance to reduce data breach risk. This is done by working through a compliance questionnaire on a web portal. This process helps identify any vulnerabilities or weak spots in your computer network or in your business practices. We also provide Breach Protection, which offers up to $100,000 in recovery if your business should experience a data breach. All of our customers have Breach Protection unless they have opted out. We encourage you to take the time to get through PCI validation and make security business as usual. Don’t be easy prey for hackers who are just looking for an easy target.
As a last note, Visa had a great video that was produced for their 2013 Global Security Summit related to the challenges of securing technology in a global environment. You can view it on YouTube here.