Small businesses are cyber targets whether they know it or not

This week in Washington, the U.S. Chamber of Commerce will host its sixth annual Cybersecurity Summit. This important event will bring together some of the nation’s top cybersecurity experts to talk about ways to help the business community, large and small, better protect themselves against cyberattacks.

The PCI Security Standards Council is proud to participate in this event as part of its mission to help businesses secure payment data.

{mosads}The chamber’s summit comes at a critical time in cybersecurity. It seems like almost every day we hear about another story of a cybersecurity breach that threatens the private information of millions of people. Congress is once again exploring these issues with great intensity.

In the payments world, where the incentive is financial reward, we’ve been dealing with this for several decades as payment breaches cost an estimated $445 billion per year according to the 2017 PwC Global Risks Report.

For the business community, cybersecurity is now front and center in their minds. A 2017 MetLife and U.S. Chamber of Commerce Small Business Index survey found that nearly 60 percent of all small business owners are concerned about cybersecurity threats.

Despite that concern, the same survey found an astonishing 59 percent of business owners do not have a contingency plan for how to deal with a data breach.

Small and mid-size businesses (SMBs) are especially vulnerable. Long gone are the days when they were mostly ignored by hackers as botnets and other automated attacks have been weaponized. In fact, nearly half of cyberattacks worldwide were against businesses with less than 250 workers.

In the United States, hackers have breached half of the 28 million small businesses according to the State of SMB Cybersecurity Report. This trend is likely to continue. Cybercriminals like to exploit the path of least resistance, and too many smaller businesses unknowingly leave themselves wide open to attacks.   

The cybersecurity challenge for small businesses is a difficult one. Large corporations have cybersecurity budgets in the millions of dollars and an army of well-paid cybersecurity professionals. For SMBs, they don’t have those kind of resources and too often, they don’t even think of themselves as a potential target.

The good news for the SMB community is there are many basic steps they can take to significantly reduce their risk of attack that do not require giant budgets or a large cybersecurity staff.

BMC and Forbes Insights as well as the 2017 Verizon Data Breach Investigations Report has found that known vulnerabilities are still the leading cause of exposure to data breaches and cyber threats. These are vulnerabilities for which there is an existing fix.    

Simple things, like changing default passwords and creating strong ones; staying updated on patching; only storing data you really need and working with trusted third-party vendors, can all go a very long way in significantly reducing their risk. We have seen in recent years where these simple security basics have been ignored by even large companies.

It’s with this in mind, that the PCI Security Standards Council developed a series of payment protection resources specifically designed to help smaller merchants.

These materials aim to help explain cybersecurity in simple, easy-to-understand terms and highlight essential payment security best practices aimed at addressing the key things that are leading to breaches for these merchants over and over again.

As part of this effort, the PCI SSC is now working with the industry on ways to help small businesses evaluate and demonstrate that they have these data security essentials in place. 

While no one security system is perfect for companies of all sizes, those with good habits backed up with an approach to protecting data that includes people, processes and technology stand the best chance of protecting their customers.

Today, two of the most popular passwords used by the American business community are still “123456” and the word “password.” That essentially defeats the purpose of the security control to authenticate the unique user.

When patching is available to prevent ransomware attacks, businesses must update their systems within 30 days, not six months later. We can and simply must do better than that.

Businesses of all sizes must regularly test for new vulnerabilities to their systems and react by patching vulnerable software quickly. Criminals are scanning billions of IP addresses daily — that includes small businesses.

Simple solutions exist that are cost-effective to provide companies with the same information to correct before they become a point of compromise.

This week, as business and government leaders discuss these critical issues at the U.S. Chamber of Commerce Cybersecurity Summit, let us commit to doing all we can to address the many challenges we face in the cybersecurity global community.

Cyber threats are not going away, but organizations can fight back by prioritizing data protection and establishing smart practices backed up by vigilance. Only by working together can American business tackle this great challenge of our time.             

Troy Leach is the chief technology officer for the PCI Security Standards Council, originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. on Sept. 7, 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.