How to keep your customers' information secure when taking payments online
Since the global pandemic, cyber criminals have become ever more creative as we’ve relied on technology to manage both our personal and professional lives. Businesses are adding systems into their IT networks to support remote work, enhance the customer experience, and generate value, all of which creates potential new vulnerabilities.
Business intelligence firm UpCity surveyed 600 business owners and IT professionals on their 2022 cybersecurity plans, priorities, and budgets and found:
- Only 50% of U.S. businesses have a cybersecurity plan in place, despite a record year of breaches
- Of those, 32% haven’t changed their cybersecurity plan since the pandemic
- The most common causes of cyber-attacks are malware (22%) and phishing (20%)
- Cybercrime cost U.S. businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyber-attack in 2022
Smishing (cyber attacks using SMS) attacks more than doubled in the US in 2021, while in the UK over 50% of lures were themed around delivery notifications. In addition, cyber criminals initiated more than 100,000 telephone-oriented attacks a day.
Australian businesses are not immune to cybercrime attacks. Over the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This adds up to one report of a cyber attack every eight minutes. And the dollars are not small: self-reported losses from cybercrime cost Australians more than AU$33 billion last year. Globally, the pervasive cyber threat is predicted to cost US$10.5 trillion a year by 2025.
Not surprisingly, fraud, online shopping scams and online banking scams were the top reported cybercrime types.
With statistics like those, it’s more important than ever to make cybersecurity and safety measures a priority for your business. No matter the size and scale of a cyberattack, the effects can be catastrophic for your business. Here are some important steps you can take.
Step 1 - Know the risks
Familiarise yourself with how these attacks are carried out so you can minimise the threat they pose to your business.
- Malware - Software that performs a malicious task on a target device or network, e.g. corrupting data or taking over a system.
- Phishing - Tricking an email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message (or “smishing” if this is done via SMS).
- Spear Phishing - A more sophisticated form of phishing where the attacker learns about the victim and impersonates someone they know and trust.
- “Man in the Middle” (MitM) attack - Where an attacker intercepts an electronic message, perhaps changing it in transit, while the sender and recipient believe they are communicating directly with one another.
- Trojans - A Trojan is a type of malware that enters a target system disguised as something legitimate, e.g. a standard piece of software, and then releases its malicious code once inside the host system.
- Ransomware - An attack that involves encrypting data on the target system and demanding a ransom in exchange for letting the user have access to the data again.
- Data Breaches - A data breach is the theft of data by a malicious actor. Motives for data breaches include crime (e.g. identity theft), a desire to embarrass an institution, and espionage.
The effects of these attacks can range from financial loss, like the theft of money and financial information, to business loss, like reputation damage and significant downtime while you recover.
Education and vigilance are important. Make sure you educate employees about the risks of social engineering: infections often begin with a user clicking on something they shouldn't.
Step 2 - Have a plan
Firstly, ensure you have security standards in place to protect your customers and your business. The Payment Card Industry Data Security Standard, or PCI DSS, is an internationally recognised standard for maintaining the integrity of merchant payments and customer data security.
There are twelve core requirements to be PCI DSS compliant:
- Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
- Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
- Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
- Maintain an information security policy
12. Maintain a policy that addresses information security for employees and contractors
Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.
Have an incident response plan in place before you are the victim of a breach. That plan should also cover when to contact law enforcement to assist in recovering files and investigating who is behind the attack.
The ACSC website provides extensive advice, guidance and information on a range of cyber security matters. The website also provides additional assistance and referral pathways depending on the nature of the breach.
Step 3 - Maintain due diligence and tech infrastructure
There are tools and processes that exist to safeguard your business from cyberthreats and it is your responsibility to implement them.
As good practice, you should:
- Use spam filters to reduce the amount of spam and phishing emails that your business receives.
- Set up firewall security to protect your internal networks from the threats coming from the Internet and WiFi.
- Encrypt your data when stored or sent online, so only approved users can access it.
- Create strong passwords to protect access to your business devices, and change those passwords regularly.
- Consider cyber-insurance to protect your business against the costs and resultant downtime that may result from attacks.
Step 4 - Update and review your security systems
As cyberthreats continue to evolve, so do the security measures that exist to counteract them. It’s important to regularly update applications, including anti-virus software, plugins and operating systems, to fix any potential vulnerabilities that new and sophisticated cyberattacks may exploit.
Patch regularly. Because cyber criminals use automated tools to exploit known vulnerabilities, monthly software updates may not be enough. Patches, updates or vendor fixes for security weaknesses should be applied within 48 hours if a known exploit exists. Keeping software and firmware up to date removes the risk of attack through those known weaknesses.
Back up your data. Ransomware's target is data, and frequent, reliable backups reduce the risk of losing it. Make sure you retain the backup in a safe location (physically or in the cloud), preferably protected or isolated from the device where the original data is stored, so that an attack on the original cannot also reach the backup.
Step 5 - Get a cybersecurity partner
If you’re a small or medium company that lacks resources, managed security services and service providers are options to consider for both prevention and incident response. This makes economic sense for many industries and businesses that don’t have (or can’t afford) the internal expertise or capabilities to manage increasingly sophisticated breaches.
Ezidebit has launched the Merchant Trust Initiative (MTI) to help our clients improve their cybersecurity and maintain compliance for the card payment data they collect, transmit and store. The MTI gives you a range of enterprise-level online tools including anti-virus, remote access security, point-of-sale device monitoring, mobile security, and more to improve security within your business. It also helps you become PCI compliant.
Cyber crime is growing exponentially each year and so are the risks to businesses, organisations, and consumers. PCI compliance and making the most of the advanced cyber security tools available to you can help mitigate the risks. The risk of non-compliance is too big to ignore.