Small businesses at risk for data breach

lmorris@macon.comJuly 12, 2014 


Brad Spiegel, owner of Quality Computer Systems Inc. in Macon, says his business is seeing more cyberattacks affecting home computers and those belonging to small businesses.


  • 10 cybersecurity tips for small businesses

    Broadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses should use the best tools to protect themselves, their customers and their data.

    Here are 10 key tips for small businesses:

    1. Establish basic security practices and policies for employees, such as requiring strong passwords. Establish rules of behavior describing how to handle and protect customer information and other vital data.

    2. Protect information, computers and networks from cyber attacks by using the latest security software, web browser and operating system.

    3. Provide firewall security which prevent outsiders from accessing data on a private network.

    4. Require mobile users to password protect their devices, encrypt their data and install security apps to prevent criminals from stealing information while the phone is on public networks.

    5. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounts receivable/payable files. Store the copies either offsite or in the cloud.

    6. Control physical access to your computers and create user accounts for each employee. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended.

    7. Make sure your Wi-Fi network is secure, encrypted and hidden. To hide it, set up your wireless access point or router so it does not broadcast the network name. Password protect access to the router.

    8. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. Isolate payment systems from other, less secure programs, and don’t use the same computer to process payments and surf the Internet.

    9. Limit employee access to data they need for their job, and limit authority to install software.

    10. Require employees to use unique passwords, and change passwords every three months.

    Source: Federal Communications Commission

While big data breaches, such as the one that affected millions of customers at Target stores late last year, grab the big headlines, there are multiple threats to confidential data held by small businesses.

“We are definitely seeing an uptake on attacks to people at home and at small businesses,” said Brad Spiegel, owner of Quality Computer Systems Inc. in Macon. “Big businesses are going to have bigger, badder routers, and bigger, badder equipment that is going to protect them. So the criminals are going to go after the low-hanging fruit. They are going to go after the ones that are easier.”

Many small firms know little or nothing about cybersecurity, according to the National Small Business Association, despite the prevalence of data thefts nationwide.

According to a survey last year by the association, 44 percent of respondents had been victims of at least one cyberattack, with an average $8,700 cost for each breach.

Small merchants tend to be attractive targets for computer criminals, according to CEO Jason Oxman with the Electronic Transactions Association.

Small-business owners often leave themselves vulnerable to breaches by browsing social media or messaging friends on the same computer used to process financial information, Oxman said. Some small businesses owners don’t use anti-virus software because it seems costly or bothersome, and they may not realize there is a breach until a payment card company notifies them of suspicious transactions.

A small business may not be able to handle the drop in business that might result in a breach, Oxman said.

Spiegel, with Quality Computers, which offers data security services in addition to selling computers, said the first thing he tells business owners is that if they accept credit cards, they should understand and comply with the Payment Card Industry Data Security Standard, which is a checklist of protocols known as PCI.

“Even if they don’t take credit cards, such as a (certified public accountant), make sure you always have an anti-virus software ... and make sure it is a current operating system,” Spiegel said. “There can be some issues where you are liable because you are not doing the minimum required to be able to protect your clients’ information.”

It’s also important to change passwords regularly, but it’s probably more important to have difficult passwords that don’t have to be changed very often instead of easy passwords that are changed monthly, Spiegel said.

Some retailers don’t worry, others use top security

Stephen Bashinski, owner of Bashinski Fine Gems & Jewelry in Macon, is not worried about anyone hacking into his customer information.

“Our customer’s privacy is paramount,” Bashinski said. “If we get a Social Security number, it does not go into the computer. It goes on a paper document, only because of that reason. ... I would not want my Social Security number or any pertinent information that would allow someone to steal my identity in a computer. I don’t believe that computers are completely safe, which they are not.”

Storage of all paper copies is closely guarded at Bashinski’s.

“Only one person has them,” he said. “Even the staff can’t get to it.”

Bashinski said he uses an “Internet guy” to set up security on his computer that he uses for the store’s social media such as Facebook and Twitter.

“It’s less expensive, less time consuming and good business to prevent (any security issue) than to have to deal with all the customers later,” he said.

Anything that is a security risk never goes into a computer at the jewelry store, he said.

“The only thing somebody would be able to steal as far as customer information -- if they could -- is get their address and phone number. Anything past that, we are not going to put out there. Is it an extra effort on our part? Yes, it is. But it’s better to make a little more effort and not have problems.”

According to a 2011 study by Symantec -- an American technology company that makes security, storage and backup software and offers support services -- 18 percent of all cyber-attacks targeted small businesses. A year later, that number had increased to 36 percent.

Data breaches at Bibb County businesses apparently have not been a big problem, according to financial crime investigators.

“We have not had any crimes such as security breaches ... that have been reported,” said Lt. Sean DeFoe, public information officer for the Bibb County Sheriff’s Office.

Dry Falls Outfitters and B. Turner’s, both at Macon Mall, may have been more vulnerable when the businesses were smaller, but as the percentage of transactions done by credit or debit cards increased, Bud Turner, president of both retailers, said he was able to “tap into some of the big players in the industry and have a lot of security in place. So, for us it hasn’t been an issue as a company.”

Turner said the business is careful with how it treats customer’s information.

“Once a transaction takes place, my employees at the store level don’t have access to the information after it’s gone to the processor. We don’t keep physical copies or anything. It’s a direct transmission to the processor.”

But Turner is keenly aware of the possibly of a data breach in a personal way.

“My personal credit card -- (thieves) have gotten it three times in the past four months. Obviously, they have some kind of portal either into my personal computer or something. It’s beyond just annoying.”

His bank has alerted him each time and so Turner has not been financially affected. But he had to close the card accounts and get the bank to open a new one each time.

“So I’ve been victimized personally, but I have had no issue with the store,” he said. “So we feel pretty safe with what we are doing now. ... But if they can hit Target, they can hit me, I suppose.”

Turner said he understands some security companies are working on a foolproof credit card with embedded chips that will be less vulnerable.

“I think you will see that technology catches up with the thieves, but we’ll have to pay for it,” he said.

Turner said he is surprised by some customers who balk at showing additional identity when paying by credit card.

“Seven out of 10 thank us, but there are a small percentage of customers who get really mad,” he said. “So if a retailer asked for your ID, you should thank them because they are just trying to protect your identity.”

Information from the Los Angeles Times was used in this story. To contact writer Linda S. Morris, call 744-4223.

The Telegraph is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service