Dave Slutzkin woke up in a panic. The chief executive of website hosting marketplace Flippa had just received an email telling him something the head of a multi-million dollar web business never wants to hear: his site had been hacked.
A web-savvy security specialist had spent enough time on the company’s website to find a vulnerability that was tiny yet powerful enough to potentially expose the company’s private data – including encrypted customer data – to any hacker talented enough to exploit it.
“Panic,” he says. “Panic was my first reaction.”
Slutzkin regularly checks his email straight after waking up, and this particular hacker had managed to get hold of his personal work address.
“It is such a feeling of panic, when you first find out about this. When you know there is a vulnerability there, you want to know what the potential exposure is and get started on fixing it straight away.”
It’s a terror many chief executives have known all too well this year. In the past 12 months alone, giants including Sony and Nintendo have had their databases hacked, with the former serious enough to spark privacy commission investigations and compensation for users.
Just two weeks ago, video game company Valve also announced its database had been accessed.
Even one of the top security firms in the world, RSA, saw its database accessed, causing it to issue new cryptographic tokens to its corporate clients.
And as security specialists say, this isn’t just about big firms. Cosmetics retailer Lush was hit this year – badly enough that it warned users to change their card numbers – while local hosting company Distribute.IT suffered a controversial outage that affected thousands and ended in a sale of the company.
Symantec senior manager of specialist security sales Asia Pacific and Japan, Peter Sparkes, makes it clear: “There has been a threat in the changing landscape”.
“Whereas we’ve seen attacks that have been very much targeted at the mass scale, now we’re seeing very targeted and specific attacks against companies.”
“There are a lot more resources acquired when an attack is successful, and as we’ve seen in the last six to 12 months, there has been a huge change in what we’ve seen compared to just a couple of years ago.”
Think of the consequences
The message is clear – SMEs must do all they can to protect consumer data.
The consequences are dire. Sony’s hack cost it hundreds of millions of dollars, and tarnished the company’s brand. Distribute.IT saw the entire company sold to a new entity, while the RSA attack compelled it to give cryptographic tokens to consumers.
“A friend of mine was involved in the Distribute.IT hack and she lost all of her customer data, accounts payable, everything. She was left without a business overnight,” says Rob Forsyth, regional vice president of security firm Sophos.
“These types of attacks have a significant impact on your brand and the way they interact with their customers.”
How to protect your data
There are plenty of businesses that get confused when thinking about how to protect data. They simply don’t know where to start.
However, the actual truth of data protection is simple – the information you need to protect about customers can be broken down into two categories: credit card data and everything else.
And most businesses aren’t even aware there is a specific set of standards released by the credit card industry to regulate how this data is stored and protected.
“The PCI [Payment Card Industry] standards really give a basic overview of how an organisation should be protecting credit card data,” says Sparkes. “That’s really the minimum, and at some key point in your business you need to determine how to go about implementing these.”
If your business in any way interacts with this 16-digit number, then you need to comply with these PCI standards. And if you aren’t compliant, you need to fix that immediately. Otherwise, the ramifications could be huge.
The PCI Data Security Standard sets out 12 requirements. Although experts say these are only the minimum, you should look at each one carefully:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
The first three steps
A lot of these standards can be discussed in detail with your IT provider, and require special attention to detail. But these experts say there are three key steps you need to take before you think about protecting credit card data.
The first – “don’t collect data you don’t need”.
“You walk into a hotel these days and they ask for things like your home address. Why? Why do they need that? You might ask for things like date of birth? Is there a purpose for this?” says Forsyth.
Although you may need to collect some other pieces of data for marketing purposes, Forsyth warns you should keep this to a minimum and ensure it’s relevant to what you’re selling. If you carry too much, you have a higher liability if it’s leaked.
“Think of a river. If it bursts its banks, it’s an act of God. But if you build a dam, and the dam breaks, it’s all your fault. Keep your liability to a minimum.”
The second step addresses a huge liability many businesses overlook – making sure your data is protected by firewalls and other security measures.
Forsyth says there are a couple of key ways to do this. The first is to ensure you have the right firewalls in place to stop intrusions, and to identify which data you want to keep secret.
“There is a very clear definition regarding which data you need to protect. Anything that is personally identifiable that has a name, and then begins to attach other information to that should be protected.”
The second method is to ensure your data is stored on as few servers as possible. Sparkes says that before you think about encrypting any of your data, you need to isolate the part of the network that hosts these data files – usually very small compared with the rest – and restrict access to it.
After all, these experts point out, it is much easier to protect a small, isolated part of your network than files strewn throughout it.
“You need to limit the information that needs to be protected, and when you do so it can be quite cost-effective,” he says.
The other aspect of this step is to ensure the number of workers who have access to this material is restricted. Once you start opening up your network to more and more people, the possibility of fraud grows as well.
Forsyth says the leaked WikiLeaks cables show SMEs how much of their information can be leaked without much effort.
“Look at the case of the young army officer in the US, who has been jailed for downloading files to a USB key. He provided that information to WikiLeaks, and that wasn’t even a failure of technology, but a failure of adherence to policy.”
Research from KPMG suggests the vast majority of fraud happens within an organisation, so you should be doing enough to make sure your files are protected. These experts say there are plenty of systems you can set up to notify you every time someone accesses a system – be sure to get on top of that.
“You’re better off protecting a small part of your network with restricted access than trying to protect everything,” says Sparkes.
So businesses need to minimise the amount of information they carry, then store that information on as few networks and servers as possible.
The final step – actually deleting that data when you no longer need it. Forsyth says there is simply no reason to hang on to data you may never use again. Getting rid of it limits your liability and keeps the customer at ease once you’ve informed them the data is gone.
“We tend to store things we no longer need. Destroy that encryption key, or the file itself, and the data is gone forever.”
“Whereas some people might have USB keys they tend to keep for quite a long time, many don’t know data may be somewhere else on the internet.”
“Don’t just collect stuff. Protect the data you have, and need – delete the rest.”
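The isolate-and-restrict advice from Sparkes and Forsyth’s “destroy that encryption key” point both come down to a small, well-guarded store with an audit trail. The Go program below is an added example written for this article, not code from any of the firms quoted: it keeps each customer record encrypted under its own random AES-256-GCM key, holds the keys apart from the ciphertexts, checks a need-to-know list and logs every read attempt (allowed or refused), and deletes a record by destroying its key rather than hunting down every copy of the file. The names Vault, Store, Read and Shred, the user names, and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AccessEvent is one line of the audit trail: every read attempt, allowed or not.
type AccessEvent struct {
	User     string
	RecordID string
	Allowed  bool
}

// Vault holds ciphertexts and per-record keys in separate maps, so destroying a
// record's key makes its ciphertext (and any backup copy of it) unreadable.
type Vault struct {
	ciphertexts map[string][]byte
	keys        map[string][]byte
	allowed     map[string]bool // the need-to-know list
	Log         []AccessEvent
}

// NewVault creates an empty vault; only the named users may read from it.
func NewVault(allowedUsers ...string) *Vault {
	v := &Vault{ciphertexts: map[string][]byte{}, keys: map[string][]byte{}, allowed: map[string]bool{}}
	for _, u := range allowedUsers {
		v.allowed[u] = true
	}
	return v
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one record under a fresh random AES-256 key that belongs to it alone.
func (v *Vault) Store(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The nonce is stored in front of the ciphertext; the record id is bound in as
	// associated data so a ciphertext cannot be quietly re-filed under another id.
	v.ciphertexts[id] = append(nonce, gcm.Seal(nil, nonce, plaintext, []byte(id))...)
	v.keys[id] = key
	return nil
}

// Read checks the need-to-know list and logs the attempt before touching any data.
func (v *Vault) Read(user, id string) ([]byte, error) {
	ok := v.allowed[user]
	v.Log = append(v.Log, AccessEvent{User: user, RecordID: id, Allowed: ok})
	if !ok {
		return nil, fmt.Errorf("user %q is not permitted to read customer data", user)
	}
	ct, haveCT := v.ciphertexts[id]
	key, haveKey := v.keys[id]
	if !haveCT || !haveKey {
		return nil, fmt.Errorf("record %q is unavailable: never stored, or shredded (key destroyed)", id)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, ct[:n], ct[n:], []byte(id))
}

// Shred is the "destroy that encryption key" step: the key is overwritten and
// dropped, after which the ciphertext is just noise wherever copies of it remain.
func (v *Vault) Shred(id string) {
	if key, ok := v.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, id)
	}
}
```

Calling Store, then Read as a listed user, then Read as someone not on the list, then Shred and Read again shows the three behaviours in turn: the clerk gets the plaintext, the outsider is refused and still appears in the log, and after shredding even the clerk gets an error because no key exists to decrypt with. In a real deployment the key map would live in a separate key-management service and the log would be shipped off the host, but the shape is the same.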
The holy grail of credit card data
While some customers will certainly be outraged if their information is leaked, they will be livid if credit card data is gone. It can force them to get a completely new card, and worse, expose them to theft.
It is absolutely imperative you control this credit card data as best as you possibly can.
IP Payments chief executive Mark Lewis says complying with PCI standards is easier than it has ever been, due to the sheer number of third-party providers on the market offering to do it all for you.
“The onus on merchants has always been that you take care of the compliance. Now, all you need to do is ensure you get a qualified vendor that can do that for you.”
Encryption simply means your data is stored in a form that can’t be read by hackers. You need a specific key to decrypt that data, and without that key the data is extremely hard to access.
But Lewis warns there’s another issue here – making sure that data is kept secret through the entire process of its collection.
“You can imagine a scenario where a computer programmer might be writing an app that needs to access your customers’ card data. Perhaps they log something in case there’s a problem.”
“That particular piece of code could be accessing that data, even if you don’t know about it, and makes it easier for hackers to find.”
Phillips warns you need to be across the data on every aspect of your system. There could be instances where credit cards are accessed by some apps and you don’t even know it.
“This needs to occur across the entire organisation. It’s not just a technology thing; it’s a human resources thing as well.”
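Lewis’s scenario of a programmer logging card data “in case there’s a problem” is one of the most common ways card numbers end up outside the protected part of a system. The Go program below is an added example written for this article, not code from IP Payments or any other firm quoted: it detects card numbers in log lines with a shape check plus the Luhn checksum (so an ordinary 16-digit request id is not flagged), masks them down to the last four digits, and scans a log for lines that leak. The function names, the timestamps and the three log lines are constructed for the example; 4111111111111111 is a standard test card number, not a real account.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// stripSeparators removes the spaces and dashes people put between card digit groups.
var stripSeparators = strings.NewReplacer(" ", "", "-", "")

// LuhnValid reports whether a digit string passes the Luhn check all card numbers satisfy.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// candidate matches runs of 13 to 19 digits, optionally separated by spaces or dashes.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// isPAN is the two-stage test: looks like a card number, and passes Luhn.
func isPAN(m string) bool { return LuhnValid(stripSeparators.Replace(m)) }

// FindPANs returns every Luhn-valid card number found in one log line.
func FindPANs(line string) []string {
	var found []string
	for _, m := range candidate.FindAllString(line, -1) {
		if isPAN(m) {
			found = append(found, m)
		}
	}
	return found
}

// MaskPAN keeps only the last four digits, which is all a log line should ever carry.
func MaskPAN(pan string) string {
	digits := stripSeparators.Replace(pan)
	if len(digits) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// RedactLine is what the logging layer should apply before a line is written anywhere.
func RedactLine(line string) string {
	return candidate.ReplaceAllStringFunc(line, func(m string) string {
		if isPAN(m) {
			return MaskPAN(m)
		}
		return m
	})
}

// ScanLog returns the indexes of lines that contain a card number; run it over
// existing logs to find the debug statement somebody forgot about.
func ScanLog(lines []string) []int {
	var leaks []int
	for i, line := range lines {
		if len(FindPANs(line)) > 0 {
			leaks = append(leaks, i)
		}
	}
	return leaks
}

// SampleLog is constructed for this example; the request id on the second line is
// 16 digits but fails Luhn, so it is correctly left alone.
var SampleLog = []string{
	"2011-11-24 10:01:02 INFO checkout ok order=8812 card=4111-1111-1111-1111 exp=12/13",
	"2011-11-24 10:01:03 DEBUG gateway request id=1234567890123456 took 42ms",
	"2011-11-24 10:01:04 INFO checkout ok order=8813 card=****1111",
}

func main() {
	for _, i := range ScanLog(SampleLog) {
		fmt.Printf("line %d contains a card number; redacted: %s\n", i, RedactLine(SampleLog[i]))
	}
}
```

Wiring RedactLine into the logger is the fix for the code Lewis describes; ScanLog is the check that tells you whether the problem already exists in logs that were written before the fix, which is the “be across the data on every aspect of your system” step in practice.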
Be upfront with your customers
There are no legal requirements for businesses in Australia to disclose whether they have fallen victim to a data breach. But these experts say best practice would dictate that you do so.
Even if the hack has been fixed and patched up, Slutzkin argues you still need to respond.
“I think a number of businesses that have come out and said, ‘there was a hacking attempt and it has been fixed and there is no further risk,’ the damage has been mitigated there and it gives confidence.”
“In our own experience, it was pretty obvious we had to tell people what happened.”
When Distribute.IT was hacked earlier this year, the company was criticised for not letting its users know what had been going on. For several days, there were no updates on the company’s blog.
More recently, Valve has been criticised for not informing its customers of a breach until a few days after it had been discovered. Sony was criticised for similar missteps.
This is what will make sure your customers keep coming back after they know their details have been compromised. A good, reliable response made quickly after the incident makes all the difference between an understanding acceptance and disgruntled ex-customers.
“The feedback was generally very positive. Those who commented on the blog post gave us lots of support,” he says.
“Customers want to know what’s going on. If you put out a statement saying it’s fixed, their information is fine, or just tell them what’s going on, that gives confidence and restores trust in your brand.”