
Data Theft – Smaller Retailers are Even More Vulnerable to a Security Breach

Christian Wissmuller • Small Business Matters • November 6, 2014

In the past year, high-profile instances of data theft at Home Depot and Target, affecting tens of millions of customers, brought the problem of cyber attacks to the forefront of public consciousness. If retail giants – with cutting-edge systems and highly trained personnel – are, nonetheless, potential victims of hackers, what risk do such breaches represent for smaller operations? MMR reached out to Martin McKeay of Akamai, one of the premier providers of secure cloud services for businesses worldwide, to get some answers.

How does a smaller business’s approach to security differ from that of a giant corporation like Target?
The single biggest difference between corporations and small and medium businesses (SMBs) when it comes to security is staffing. A large corporation like Target has the ability to have staff that’s dedicated to the task of securing their environment and monitoring that environment for suspicious events. In contrast, many small businesses are lucky if they’re large enough to have a person to maintain all their IT functions, let alone be up to date and knowledgeable about security. Because of this, many small businesses choose to outsource their IT and security functions to service providers. The quality of their security is therefore dependent on the quality of these service providers and is highly variable. A common example is the maintenance of Point of Sales (POS) systems. Your POS is only as secure as the organization providing the support.
 
Are smaller businesses more or less susceptible to data breaches?
Small businesses are more susceptible to breaches, in large part because they lack the staff to properly configure, secure, and monitor the security of their systems. While there is less customer data to be harvested by criminals, the fact that a small business is likely to be less secure makes it an attractive target. It’s the Home Depots and Targets that are being seen in the headlines, but SMBs are still getting compromised on a daily basis. If an attacker can compromise five or ten small businesses and make off with banking information or credit cards while maintaining access to the servers for months, they can make as much money as one large breach would net them. Additionally, the risk of pursuit from attacking small businesses is much less than a big breach because it lacks the media attention and, therefore, the law enforcement attention.
 
As a retailer, is there one golden rule to follow in making sure that your customers’ information won’t be stolen?
Look for a vendor who uses two-factor authentication for their remote access to your systems. Almost every vendor uses remote access to administer client systems; it’s how they achieve the economy of scale needed to support clients at a reasonable cost. Jimmy John’s is an example of how this can go horribly wrong, as their POS vendor was compromised, which in turn left them and many other organizations open to criminals.

Two-factor authentication, whether it’s using a small key fob that creates a one-time password or having a program that sends a verification text to a cell phone, is a huge step in preventing compromises through vendors like this. A password is a simple thing to guess or break and many vendors will use a common password with a large number of clients, making them all vulnerable to a single break in security. While two-factor authentication won’t stop all attacks through providers, it will prevent a large number of them.
 
Was there ever a tipping point in data theft? Did we see a certain usage threshold or technology jump that made credit card information easier to pick off at some point? 
No, there wasn’t a single tipping point or event that made credit card information easier to steal and more attractive to criminals. The Internet itself grew quickly from a small experiment that was the playground of academics to a global phenomenon that powers a significant portion of the world economy. The problem is that the use of credit cards is a large part of this growth and while the Internet has changed rapidly, the technology behind credit cards hasn’t changed significantly since the ’70s in the U.S. We’re starting to see changes and movement to technologies like chip and PIN, but these are not going to stop online crime immediately as they’ll take years to fully roll out.

Does it seem to be happening more and more?
Theft of credit card information from corporations and SMBs does seem to be happening more frequently, but this is less an issue of actual frequency and more an issue of it raising awareness by the press and public. We are seeing more headlines, more big businesses being compromised, but it’s as much the fact that state and federal laws now require the disclosure of these breaches that brings it to our attention as it is an increase in the actual number of breaches.
 
Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai’s Security Intelligence Team, he is responsible for researching security threats, customer education and industry intelligence. With over 15 years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He is also the author of the Network Security Blog and host of the Network Security Podcast. 
