With EMV chips making face-to-face card fraud harder to pull off, crooks will have one extra motivation to go hunting (and phishing!) online. If the cyber attacks on Target and Sony last year taught us anything, it is that businesses need to be more proactive in deploying a data protection strategy.
Last year’s attacks on Target, Home Depot and Sony have put data security (once more) on the public spotlight. The common thread? All three heists were executed in the cybersphere. Now, with EMV chips making face-to-face card fraud harder to pull off, crooks will have one extra motivation to go hunting (and phishing!) online. Not that businesses should go on “THE END IS NIGH” mode, but this is their opportunity to be proactive and review their data protection strategy.
In more than a decade providing armor-plated payment solutions for our partners, we have noticed 4 things that the most security-conscious businesses do to avoid losing millions to data theft. Here is a quick summary of them:
1) Education, education, education.
It is in the culture of these companies to train their employees on security best practices. When done often and relevantly, security training enables insiders to identify the mistakes that lead to data theft and to avoid them. Employees in these companies are very competent in flagging possible malicious behavior and are aware of how criminals carry out their fraudulent operations. This is particularly important, given that one of the biggest causes for a data breach in 2014 was human error, according to an independent report by Ponemon Institute.
2) Have an encryption policy in place – and enforce it.
Apart from the zillion pictures of food and cats, there is usually a lot of sensitive information stored in employee’s laptops, cloud accounts or mobile devices. If any of these get stolen, your company may be at risk of a security breach. One very clever thing these companies do is make sure that all files and/or drives containing sensitive information are encrypted. Also, employees are required never to connect company computers via an open wireless network (in airports or public spaces); never to reuse the same password and username on different accounts and websites, and to always notify the organization immediately if their device is stolen or lost.
3) Deploy a system monitoring program and block drive-by downloads.
Your company should be able to monitor employee’s online activity and block sensitive content from leaving your network. Data Loss Prevention (DLP) technology allows you to set security rules that get applied to every single computer on the network so you don’t have to do it one by one. More importantly, drive-by downloads should be avoided like the plague. They normally happen when employees click on a malicious link from a phishing e-mail or visit a compromised website where they end up unwittingly revealing sensitive information or getting harmful software installed. To avert this, the companies we’re talking about have a list of trusted websites and only downloads from these sites are permitted. Yes, that means less of those hilarious Frozen spoof videos, but it does make a world of difference for network security. After all, it was reported that the Target breach was caused by a phishing e-mail.
4) Make sure your merchant service provider is PCI-DSS compliant and offers tokenization for online payments.
The first bit means that any payments made by your customers must be subject to the necessary standards of data protection. The cyber attack on Target raised serious questions about its status as a PCI-compliant company, so this is something to consider. In online shopping, where a customer’s card does not need to be physically present, extra measures must be taken in ensuring no one but the owner is making purchases with that card. As we said, EMV won’t do anything to reduce credit card theft online. Tokenization is one cost-effective and secure way to protect customers from falling prey to data theft. Through this process, sensitive data is rendered unrecognizable and processed via a separate system from the one thieves normally target, and no card data is actually stored in the process.
We hope these four recommendations can help your business provide its customers the safety they deserve. If you have any questions about card data security or need assistance making your payments more secure, call our office anytime and we’d be happy to help.