Data breaches at big retailers including Home Depot and Target may be grabbing attention, but mom-and-pop businesses shouldn't feel like they're in the clear. Hackers also have their eye on smaller businesses, according to experts.
The latest business to be hit by a breach is Jimmy John's. The Champaign, Illinois-based sandwich chain said on Wednesday that it had learned of a possible security incident involving customers' credit and debit card data. The data was compromised after an intruder stole log-in credentials from the company's point-of-sale vendor and used them to remotely access point-of-sale systems at approximately 216 locations between June 16, 2014 and Sept. 5, 2014.
Smaller merchants have also been targets for cyberthieves. In 2013, targeted attacks aimed at small businesses with up to 250 employees accounted for 30 percent of all targeted attacks, compared with 18 percent in 2011, according to data from Symantec, a tech security company.
And data breaches can be costly, especially for smaller employers. In 2014, companies on average paid $145 for each lost or stolen record containing sensitive and confidential information, according to the Ponemon Institute's 2014 Cost of Data Breach Study. The institute focuses on research related to privacy, data protection and information security policy.
Whether you're a big-box retailer or a smaller merchant, payment data is gold to cybercriminals, says Rob Sadowski, director of technology solutions for cybersecurity firm RSA. And because protection is often lacking at smaller companies, they can be an easy target for hackers.
"Criminals know that small businesses are less likely to be protected with a large security staff that has made a big investment in security," Sadowski says. "If a business is handling payment card data—that is the most valuable commodity in the criminal underground."
And cybercriminals use tried and true methods to lure potential victims.
Anup Ghosh, founder and chief executive of Invincea, a security software company, said that when responders deal with a security incident and clean up the mess, the threat nearly always turns out to have originated through an email or web browsing. "This isn't anything new—we are seeing 'malvertising' or serving up malicious ads, and cybercrime gangs are paying for those ads to serve up malicious content," Ghosh says. "It's spear-phishing on a browser."
And the damage can spread from there. If an employee's computer loads a malicious ad, the machine can be compromised, giving the attackers a foothold inside the business from which it is easier to push malicious code onto other corporate systems and accounts.
So what's a business to do?
Step one, says Sadowski of RSA, is to ensure systems are patched and updated with security fixes. "Hackers are often exploiting vulnerabilities that are not fixed or patched," Sadowski said.
In discouraging news for smaller merchants strapped for cash, Ghosh of Invincea said standard anti-virus packages, which cost anywhere from $50 to $80, are only 20 percent effective against conventional attacks, and the cheaper solutions are nearly completely ineffective against targeted attacks.
"The endpoint security space is rapidly evolving to advanced forms of threat protection against unknown malware, spear-phishing and website drive-by attacks," Ghosh said.
But there are some affordable fixes for businesses of all sizes. One is to make sure the systems that handle payment card data are kept off the general Internet and are not used for anything else.
"Attackers look at that foothold, so try to make sure the system is not used for browsing the web or email, because malware can get on those different systems," Ghosh said.
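What that isolation looks like in practice, as an added example that is not from the article or from Invincea or RSA: a host firewall policy for a Linux-based point-of-sale terminal that refuses every outbound connection except those payment processing needs, and admits remote support only from one known address. The addresses (10.0.0.53 for the resolver, 203.0.113.10 for the processor gateway, 198.51.100.5 for the vendor's support host) are placeholders from the documentation ranges and must be replaced with the merchant's real values.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a PCI point-of-sale terminal.
# All addresses below are hypothetical placeholders, not real infrastructure.
flush ruleset

table inet pos_isolation {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept

        # Name resolution only via the internal resolver (hypothetical address)
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept

        # TLS only to the payment processor gateway (hypothetical address).
        # General web browsing and e-mail never match this rule and fall through to drop.
        ip daddr 203.0.113.10 tcp dport 443 accept

        # Everything else, including HTTP to arbitrary hosts, SMTP and IMAP, is logged and dropped
        log prefix "pos-egress-drop " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept

        # Remote support is reachable only from the vendor's designated host (hypothetical),
        # not from the whole Internet, so stolen vendor credentials alone are not enough
        ip saddr 198.51.100.5 tcp dport 22 accept

        log prefix "pos-ingress-drop " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and review the `pos-egress-drop` log lines for a few days before trusting it: any legitimate destination the terminal needs (a time server, an update mirror) will show up there and can be added explicitly, which is the point, since every allowed destination is then a deliberate decision rather than a default.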
Finally, Ghosh said it can pay to keep up with the security standards for merchants outlined by the PCI Security Standards Council. The guidelines are particularly helpful for small businesses, Sadowski says. "It's a challenge for small businesses, and PCI realizes that," he said. "They have resources and best practices that make it harder for criminals to get this data."