Small and medium-sized businesses may think they're immune to the kinds of attacks that wreaked havoc on Target last year, but they're susceptible to the same nefarious forces -- sometimes even more so, as they can lead hackers to a bigger prize.
Since the Target breach, other retailers have been affected, including Neiman Marcus, eBay and P.F. Chang's. But the Target breach was huge -- information on 40 million credit and debit cards was stolen, along with records of 70 million customers, including name, address, email address and phone number.
The breach obviously hurt Target -- both CEO Gregg Steinhafel and CIO Beth Jacob have resigned, and costs continue to add up. Cards were affected across financial institutions -- 10 percent at big banks, 14 percent at credit unions and nine percent at community banks, according to a Discover Financial Services study. Overall, 84 percent of financial institutions were impacted; after a typical data breach, that number is only 29 percent.
[ How-to: Test the Security Savvy of Your Staff ]
More directly, small businesses that keep customer cards on file to for recurring monthly charges, such as gyms, couldn't process transactions on cards that had been closed.
It's easy to think that your small business won't be affected by hackers, says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a research firm and think tank dedicated to advancing privacy and data protection practices. "Large companies have a bull's eye on their backs. A lot of small companies thought they were immune. It's just at small company. Who's going to hack them?"
A lot of people, it turns out. SMBs face some challenges that are the same as their larger counter partners, but some that are unique to them, too.
You Are the Company You Keep
Target's failure was a holistic one, says Mark Hammond, senior director of security consulting for Neohapsis Security Services, a security and risk management consulting company specializing in mobile and cloud security services. "One of the things that stuck out was the way partners are managed in the organization. It's not just technology. There's also people and processes filling in all the pieces of the puzzle."
Hackers used credentials from Target's HVAC company to upload malware into the security and payment's system. Target's malware detection tool, called FireEye, caught the attack, but the feature that would have automatically disabled the threat was turned off. Subsequent warnings were ignored, according to a Bloomberg Businessweek report.
This is why a small business can be a different kind of target, especially if it provides a service to a larger company. Hackers used Target's heating and air conditioning contractor as a gateway; subsequent failures on the security chain lead to a successful attack.
Poneman gives the additional example of a defense contractor client that had proprietary information stolen by hackers. "Getting into this defense contractor's system, on a scale of 1 to 10, is 100," he says. Instead, hackers focused on smaller companies that worked for the contractor and hacked their way in that way.
That's why employees and vendors are important. "You have to be a little less trusting," says Poneman. The culprit here was a janitorial service hired by the small business that worked with the defense contractor. Conduct the proper background checks -- not just for your employees, but any vendors you hire to help your business.
Stolen Data Ends Up On Black Market
Of the 40 million cards stolen, anywhere from 1 to 3 million were successfully sold on the black market. Many were used not in physical brick-and-mortar stores but, rather, on online outlets selling high-end goods such as laptops, watches or jewelry that could easily be resold, says Liron Damri, COO of Forter, an Israeli-based firm that offers fraud protection to small and medium sized online merchants.
"Fraudsters won't necessarily to back to eBay or Target or Neiman Marcus and try to use those credit cards in those systems because their systems are very strong," he says. "They will try to take advantage of those medium-sized merchants and get money out of them."
Fraud charges work differently for online companies vs. brick-and-mortar stores. "If somebody steals a credit card and tries to make a transaction, the merchant will be covered and insured by the credit card company," Damri says. "If an online merchant is processing that credit card transaction, the person who would be liable for any damage is the online merchant. They are the ones liable to 'card not present' transactions."
Credit Cards Will Get More Secure, But Only in Stores
The biggest change that we'll see in the future of credit card security, says Hammond, is a move toward the European format of chip-and-PIN. All U.S. Target stores will have chip-and-PIN readers by September, and Target will begin issuing chip-and-PIN Target REDcards by the first quarter of 2015, according to the retailer. (Like many European card readers, the new Target systems will read both chip-and-PIN and magnetic swipe cards).
[ Analysis: After Breaches, Does PCI Compliance Mean Anything? ]
Because Target is such a large retailer, this switch is already having an impact, even though their REDcards can be used only at Target stores and Target.com. According to the Discover Financial Services study, 86 percent of financial institutions plan to begin issuing chip-and-PIN cards in the next two years.
This won't be a failsafe solution, though. A side effect could be what we already see in Europe, where hackers focus more attention at online transactions. These aren't affected by chip-and-pin security, as no card is present.
"The key impact of this will be a drop in the amount of fraud in the real world," says Damri. "On the other hand, it will push fraudsters to the online world where you don't have to show the pin and where you don't have to swipe the card."
Fail to Plan and You Plan to Fail
In such a complex threat environment, all companies need an Incident Response Plan, Ponemon says. "If you're a small company ... in Tornado Alley, you probably have a plan if your plant is hit by a tornado. It doesn't happen very often, but you're prepared for it."
In the same way, your company should have a plan in place in case fraud happens. This plan should include your immediate response, including which employees will do what, as well as regulatory information about what you need to disclose when. (Your state's attorney general has this information.) "You should run fire drills to make sure you're ready," Ponemon adds.
This might not seem like much. It might even seem silly. But a poor response to a data breach could be huge. Already, the average data breach costs a company $3.5 million, according to an IBM study that was conducted with the Ponemon Institute. Not having a plan raises those costs 10 to 15 percent, Ponemon says.
You can also hire a consultancy such as Neohapsis to help draft an Incident Response Plan and also conduct penetrating testing to see how secure you really are. If you're an online merchant, meanwhile, companies such as Forter will take the liability issue away from you, deciding which transaction are legitimate and which are fraudulent and assuming the cost of the fraud if they're wrong.