5 Ways Businesses Can Protect Themselves Against Cyber Criminals
The consumer and retailing landscapes in the UK are becoming increasingly reliant on digital solutions to handle sensitive customer and operational data. The average British consumer is progressively purchasing goods and services with digital payment solutions as opposed to cash. Some businesses are adapting to this change by adopting point of sale (POS) systems and technologies that allow them to collect data about their customers and accept a variety of payment solutions, such as contactless payment cards and mobile wallets.
This development is, for the most part, positive. Businesses can improve their customer turnover time, reduce costs and remain competitive, all while making it easier, more flexible and safer for consumers to buy goods and services.
The Dark Side of Digitisation
There is, however, a shady aspect of the digital revolution, one that is proving to be an extensive challenge for businesses in the UK. The adoption of digital solutions has made cybercrime an attractive activity for domestic and international hackers, as well as organised crime groups. Cyber criminals are constantly looking for new ways to get their hands on valuable data that can be sold to third parties.
Overall, the value lost to fraud in the UK is on the rise, and with over half of all fraud taking place online, there is an indication that criminals are turning to digital opportunities.
According to the Information Security Breaches Survey from 2014, commissioned by the Department for British Innovation & Skills (BIS), both large and small businesses are affected by security breaches. Just over 70 percent of respondents were breached and their business suffered as a result.
Many businesses have prioritised cybersecurity in the past few years, and it is clear why. There is a growing need to protect customer data and maintain a reputation as a company that takes security seriously. However, not all businesses seem to share this sentiment. With the rise of commercial digitisation and the ensuing surge in digital fraud, there is a growing cybersecurity skills gap that is leaving companies exposed to a series of security risks.
It is apparent that not all businesses are aware of the consequences of weak data management policies. There is clearly more that can be done to reduce the risk of cybercrime: businesses should hire security professionals and implement standards and policies that minimise security risks.
Point of Sale and Data Theft
According to Euromonitor International, the number of POS systems in use in the UK is growing. Aside from processing payments, POS systems can serve a variety of functions that capture information about customers, such as customer loyalty programmes. These customer loyalty programmes may store personal information that, if stolen, could be used to steal identities and access financial accounts.
Businesses that digitally handle and/or store customer data are always at risk of being infiltrated by criminals that are on the hunt for identities and financial data. Software as a service (SaaS) solutions for administering corporate operations - a type of cloud computing - are also at risk of corporate espionage. This is especially so if SaaS solutions are used to handle valuable research and development documents.
The cost of employing an outdated POS system with weak security features can be huge and far reaching. The overall cost of cybercrime is constantly rising and businesses risk suffering a series of costs if they are infiltrated. Hacked businesses usually face remediation costs and financial losses, as well as indirect costs to brand loyalty; this is especially so for larger firms that rely heavily on the strength of their brand.
The Mobile Age
As consumers are becoming more connected and adopt smart mobile devices, they will inevitably make use of mobile commerce, also known as m-commerce. As companies adapt their systems to connect with mobile customers, cyber criminals are increasingly looking for new ways to exploit weaknesses in mobile software and networks.
Cyber criminals may target mobile devices to extract authentication information that can be used to access financial institutions and corporate networks. Mobile devices can be infected through the use of malware that has been installed voluntarily by the device's owner. A compromised device that connects to a corporate network can then be leveraged to penetrate a business and potentially access sensitive information and customer data. Businesses that have a BYOD (bring your own device) policy are especially at risk of mobile-based attacks.
Cybersecurity Best Practices
There are several ways that cyber criminals can penetrate a system. According to Duosecurity, the top three methods that are employed to hack POS systems in the UK and US include: brute force, the use of stolen credentials and offline cracking. Furthermore, according to BIS, just under half (47 percent) of security breaches in 2014 were due to “incidents caused by staff”. Social engineering tactics and spear phishing attacks can provide criminals access to corporate networks where they can use existing credentials to control networks and access digital assets.
Once a POS system has been penetrated, perpetrators can install a series of malware tools that can be used to extract retailer administrative data and consumer payment data. A common problem is that businesses are overconfident about their ability to identify and handle breaches. The average time that it took to discover a breach in 2014, according to survey data collected by Tripwire, was 229 days, while 85 percent of POS intrusions can take weeks to discover.
What can British organisations do to mitigate the risk of cybercrime? Industry experts and governmental institutions recommend employing best practices that are typically based on one of many international standards, the most common being the Payment Card Industry Data Security Standard (PCI DSS) and ISO/IEC 27001. These solutions will have the biggest impact when implemented with a compliance policy that makes sure that new regulations are followed.
Five policies that any business can implement are as follows:
1. Ensure that all employees use strong passwords and that default passwords are changed on new systems, especially payment card terminals.
2. Use two-factor authentication (2FA), also known as multi-factor authentication, where possible. 2FA should always be used when connecting to a system remotely.
3. Make sure that POS systems are only used for handling POS tasks (inventory management, payment processing, etc.).
4. Restrict remote access to POS systems and only use authorised devices and operating systems on a network.
5. Keep all operating systems up to date and conduct regular security audits.
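The five policies above can be expressed as a compliance check that a retailer runs over its own terminal inventory. The following is an added example, not code from the original article or from any vendor it names; the inventory, the list of vendor default passwords, the approved software and operating systems, and the 30-day patch and 180-day audit thresholds are all constructed assumptions.

```python
"""Audit a constructed POS terminal inventory against the five policies above."""
from datetime import date

# Assumptions for this example: default credentials a terminal might still ship with,
# the software a POS terminal is allowed to run (policy 3), the operating systems
# approved for the network (policy 4) and how stale patches/audits may be (policy 5).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "123456", "pos", "default"}
ALLOWED_POS_SOFTWARE = {"pos-app", "inventory", "payment-gateway"}
APPROVED_OS = {"POS OS 10", "POS Linux 4.x"}
MAX_PATCH_AGE_DAYS = 30
MAX_AUDIT_AGE_DAYS = 180


def audit_terminal(t, today):
    """Return a list of policy findings for one terminal record (empty means compliant)."""
    findings = []
    pw = t["admin_password"]                       # policy 1: strong, non-default passwords
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        findings.append("default password unchanged")
    elif len(pw) < 12:
        findings.append("weak password (shorter than 12 chars)")
    if t["remote_access"] and not t["mfa_enforced"]:  # policy 2: 2FA for every remote path
        findings.append("remote access without 2FA")
    extra = set(t["installed_software"]) - ALLOWED_POS_SOFTWARE  # policy 3: POS tasks only
    if extra:
        findings.append("non-POS software: " + ", ".join(sorted(extra)))
    if not t["authorised"]:                        # policy 4: authorised devices and OS only
        findings.append("unauthorised device on network")
    if t["os"] not in APPROVED_OS:
        findings.append(f"unapproved OS: {t['os']}")
    if (today - t["last_patch"]).days > MAX_PATCH_AGE_DAYS:   # policy 5: patched and audited
        findings.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if (today - t["last_audit"]).days > MAX_AUDIT_AGE_DAYS:
        findings.append(f"no security audit in {MAX_AUDIT_AGE_DAYS} days")
    return findings


def audit_inventory(terminals, today):
    return {t["id"]: audit_terminal(t, today) for t in terminals}


TODAY = date(2015, 6, 1)
INVENTORY = [  # constructed sample records, not real terminals
    {"id": "till-01", "admin_password": "admin", "remote_access": True, "mfa_enforced": False,
     "installed_software": ["pos-app", "web-browser"], "authorised": True, "os": "Legacy OS",
     "last_patch": date(2014, 1, 10), "last_audit": date(2014, 9, 1)},
    {"id": "till-02", "admin_password": "Xq7!vLm2#pRz9", "remote_access": True, "mfa_enforced": True,
     "installed_software": ["pos-app", "payment-gateway"], "authorised": True, "os": "POS OS 10",
     "last_patch": date(2015, 5, 20), "last_audit": date(2015, 3, 1)},
]

if __name__ == "__main__":
    for tid, findings in audit_inventory(INVENTORY, TODAY).items():
        print(tid, "OK" if not findings else "; ".join(findings))
```

Feeding the check a real asset register (and keeping the default-password list current with vendor documentation) turns the five policies into something that can be verified at each audit rather than assumed.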
Robust Cybersecurity Policies
Cybercrime is highly lucrative and hackers are unlikely to be caught, let alone prosecuted. Businesses in the UK appear to be confident in their cybersecurity competencies, and this perspective can at times be unrealistic and careless.
While the majority of companies are certainly capable when it comes to protecting their digital infrastructure, there are many that do not follow basic security standards. Retailers are especially at risk as any customer data that they process is highly valuable to criminal organisations. Retailers should regularly review their security practices and policies as well as the POS hardware that they use.
Sources: Euromonitor, a market research provider, Tripwire Inc., Duosecurity, Sophos, the Department for British Innovation & Skills (BIS).