The fact that hackers are using malware to breach POS systems should come as a surprise to no one. This has emerged as a common way that many businesses are being hit, because it costs nothing for data thieves to attempt the hack on a business of any size. What’s critical for SMBs to understand is that every business – even small businesses – are a worthwhile and valuable target. It also illustrates that the methods of attack being used by cybercriminals are not sophisticated or ‘new’ to the cybercrime landscape, so SMBs really have no excuse for not implementing a comprehensive solution that can bolster security postures and decrease their chances of becoming the next headline.

Here are six common mistakes that lead to small business credit card breaches:

Failure to Protect Incoming Internet Traffic
The first step in stealing data is finding an avenue into the targeted business.  All of a business’ data circuits and its Internet connections must be protected by a robust and adaptable firewall; protecting the business from unwanted incoming traffic.

Lack of Control Over Outbound Internet Traffic
In addition to blocking unwanted traffic from getting into a location, it is always a good practice to selectively block outgoing traffic as well.  Many modern breaches involve software that becomes resident on the network and then tries to send sensitive data to the hacker’s system via the Internet. No system can completely prevent unwanted malware or viruses, so a good last line of defense is making sure secure data doesn’t leave the network without the network admin’s knowledge.  The same firewall used in Step One should be configured to monitor outgoing traffic as well as incoming.

Failure to Adequately Protect On-Premise Wi-Fi
As people and devices are more connected to the Internet, customers will expect that they will have access to wireless communication while they are in your business. However, wireless networks can potentially expose sensitive data from your systems, especially if you are using wireless in a retail environment. A security strategy is needed to configure devices to meet operational goals, but also protect the business at the same time.

Failure to Use Two-Factor Authentication
When permitting remote access to a network, it is essential that this access is restricted and secure. At a minimum, access should only be granted to individual (not shared) user accounts using 2-factor authentication and strong credentials. Remote access activities should also be logged so that an audit trail is available.

Not Updating Anti-Malware Software
It is critical to keep all anti-virus /anti-malware software up to date with the latest versions and definitions.  The companies that make anti-malware software monitor threats constantly and regularly update their packages to include preventive measures and improvements to thwart malware seen in other attacks.

Failure to Patch all Operating Systems as Security Enhancements are Released
Much like anti-virus /anti-malware updates, designers of operating systems are constantly improving their software to prevent hackers from stealing data, especially if a criminal manages to bypass the built-in security.  It is essential that the latest security releases and patches be installed on all systems.

Almost every major breach in the last 24 months failed to incorporate at least one of these measures. The technology exists to protect businesses against cyber threats, maintain compliance with credit card industry regulations, and ease the burden on a business owner to manage their network and Wi-Fi security, but in order to stop the threats, SMBs need to take the important step and use it.

---

Kevin Watson joined Netsurion (formerly VendorSafe) as CEO in November 2014, bringing considerable experience in data security, managed technology services, and high-growth technology companies. Netsurion is a provider of industry-leading data security and computer network management services for multi-location businesses, and has been a leader in the field for more than seven years.  From 1998 through 2014, Kevin was the co-founder and Managing Director of C/max Capital. While at C/max Capital, Kevin led the firm’s investments in About.com (taken public then sold to Primedia), Adjoined Consulting (sold to Kanbay), Verid (sold to EMC), Concordia (sold to Kadmon) and KMC Software. Kevin helped co-found KMC Software, a SaaS-based recruiting tool, in 2009, and led the company’s product launch in 2011. In 2003, Kevin took over as Chairman and CEO of Verid following C/max’ investment in the company.