Target had a massive security breach last winter. Here's how your small business can avoid a similarly devastating cybersecurity mistake.
It was the most wonderful time of the year; when shoppers flock to the mall in droves to stock up on holiday gifts. Black Friday brought deals a-plenty, especially at huge retailers like America's favorite red and white superstore, Target. Millions upon millions shopped and swiped, never thinking that they were at risk of exposing their private information to anyone other than the cashier. Alas, on November 30, 2013, more than 70 million credit card numbers, addresses, phone numbers, and other personal information, were in the hands of hackers in Russia.
How could something like this happen?
Even though Target boasts the same computer security system as the CIA and Pentagon, malware still made its way onto their systems. After the malware collected information, the Russian hackers set out to remove it, and Target then failed to heed the warnings from their team of security specialists in Bangalore. Multiple communication breakdowns and negligence led to the biggest retail security breach in U.S. history, a 46% decline in sales for the 2013 holiday season, and more than 90 lawsuits from customers and banks.
Since the breach, Target has set up a comprehensive section on their website in which they address commonly asked questions. In response to the question, "how could Target let all this credit and debit card information get accessed?" Target said:
"This unauthorized access is a crime, and we are taking it very seriously. While we can't provide specifics because the investigation is ongoing, we are working closely with the United States Secret Service and the Department of Justice to bring those responsible to justice."
How could this have been prevented?
Target's security breach, though complicated, wasn't exactly the most ingenious hack of all time, and could have been prevented. Multiple levels of negligence occurred, and exposed one in three Americans to identity theft. Upon investigation of what really went wrong, the FireEye security system they use showed that the warnings had been there all along, meaning the security team in Bangalore either missed them or chose to ignore them. When they finally did let the team in Minneapolis know about the breach, the warnings went unheeded.
In order to prevent a similar occurrence, Target's CEO Gregg Steinhafel claims they are in the midst of a major investigation and "have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards."
But what else? First and foremost, Target's security teams should have been more alert to the multiple warnings that came through. Though it's an obvious statement, many businesses fail to recognize the warning signs, or disregard them before it's too late.
How to keep your business safe from a data breach
According to the Identity Theft Resource Center, there have been 383 internet security breaches thus far in 2014, a 25% increase from last year. Though Target's breach made news due to the sheer size, hundreds of other businesses are being targeted, like eBay, Neiman Marcus, and AT&T. The ITRC reported that a staggering 14 million identities were stolen in 2013, or one every two seconds.
Though companies like Target make the news for massive security breaches, small- to medium-sized businesses make up 75% of data breaches. According to Business News Daily, 40% of SMBs were part of a breach in 2013, and 76% of those were due to a compromised password. These numbers are terrifying for any business owner, especially those whose livelihood is increasingly online.
To keep the information of your business and that of your customers safe, the FCC recommends the following cyber-security steps:
1. Train employees in security principles
Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies.
2. Protect information, computers and networks from cyber attacks
Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
3. Provide firewall security for your Internet connection
A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
4. Create a mobile device action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.
5. Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files.
6. Control physical access to your computers and create user accounts for each employee
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended.
7. Secure your Wi-Fi networks
If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
8. Employ best practices on payment cards
Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor.
9. Limit employee access to data and information, limit authority to install software
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
10. Passwords and authentication
Require employees to use unique passwords and change passwords every three months.
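As an added example (not part of the original article or of the FCC checklist), the following Python script turns items 1 and 10 into a concrete check that runs when an employee proposes a new password: a minimum length and character-class mix, a blocklist of well-known passwords, no reuse of recent passwords (compared against stored salted hashes, never plaintext), and the three-month rotation from item 10. The minimum length, class count, history depth and the short blocklist are assumed values a small business might choose, not numbers the FCC specifies; the 90-day limit is the only figure taken from the text.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Policy parameters. MAX_AGE_DAYS reflects the FCC's "every three months";
# the other values are assumed, not FCC-specified.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 90
HISTORY_SIZE = 5            # reject reuse of the last five passwords
PBKDF2_ROUNDS = 50_000

# Constructed blocklist; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest). Only these are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def strength_issues(username, password):
    """Item 1 ("strong passwords"): reject short, low-variety, well-known or user-derived values."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        issues.append("fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears on the common-password blocklist")
    if username and username.lower() in password.lower():
        issues.append("contains the user name")
    return issues


def reuse_issues(password, history):
    """Item 10 ("unique passwords"): history holds (salt, digest) of previous passwords, newest last."""
    for salt, digest in history[-HISTORY_SIZE:]:
        if matches(password, salt, digest):
            return ["reuses one of the last %d passwords" % HISTORY_SIZE]
    return []


def is_expired(last_changed, today):
    """Item 10 ("change passwords every three months")."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(username, new_password, history, last_changed, today):
    """Combine the checks into one decision for a proposed password change."""
    issues = strength_issues(username, new_password) + reuse_issues(new_password, history)
    return {
        "accepted": not issues,
        "issues": issues,
        "old_password_expired": is_expired(last_changed, today),
    }


if __name__ == "__main__":
    # Constructed scenario: employee "jsmith" tries to keep the password set in January.
    history = [hash_password("Spring2014!!")]
    print(evaluate_change("jsmith", "Spring2014!!", history, date(2014, 1, 2), date(2014, 6, 1)))
    print(evaluate_change("jsmith", "Correct-Horse-7-Battery", history, date(2014, 1, 2), date(2014, 6, 1)))
```

The history is kept as salted PBKDF2 digests so that enforcing "no reuse" never requires storing old passwords in the clear; the same `hash_password` routine is what a login check would verify against, so the policy and the authentication path share one hashing scheme.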