For many businesses, their online security system is something they want to put in place and then forget about. But it’s worth reassessing it from time to time to see if any cracks have appeared in the armour.
The answers to our fun quiz at the end of this article might raise one or two eyebrows, but one thing is already certain – fraudsters are always hatching plans to target vulnerabilities. If you end up a victim, it’s certainly no joke.
Know the risks
Paul says that there is a lack of awareness among SMEs of the scale of the threat and what they need to do to protect themselves. It’s worth noting that UK government research published in June 2015 showed that 74% of SMEs had suffered information security breaches within the last year [1].
“My belief is that merchants do not understand what the risks are in opening up an online shop,” Paul says. “If you open a shop on the high street, you’re pretty familiar with security controls – locks, alarms, shutters etc. But merchants don’t understand what the virtual equivalents are, and they need to be just as vigilant.”
Unfortunately, there’s a lot more to it than the security of the payment page. Many merchants outsource the payment process to a third-party provider. While this means the merchant doesn’t hold any of the card details, Paul says it can lead to a false sense of security.
That’s because lots of other personally identifiable details are taken when an order is placed, and fraudsters can still gather these from a leaky site.
“Criminals are starting to take this and sell it, and it might be used for phishing attacks,” says Paul. “It’s not just credit card fraud retailers need to worry about, there are lots of other areas to think about too.”
Where might the security gaps be?
Some of the problem areas can arise from using a web developer. This in itself is not a bad thing, and many merchants use developers successfully to build their sites for them. But Paul says you shouldn’t put blind faith in them.
“The trap a lot of merchants fall into is they go to a web developer to build their site and assume the developer knows what he’s doing in securing the website,” says Paul.
“Merchants should be asking their web developers how they are protecting the data, including personally identifiable data,” he says. “They should also be asking if they are doing any patch management, any monitoring of the site, and if they are searching to see if there is any malware on it.”
Vulnerabilities can also be found closer to home, and Paul says that security breaches can come from weaknesses within the premises. For example, are your CCTV cameras on the same network as your website? If so, you could be leaving the back door open.
So what can you do to keep yourself secure? There is no foolproof solution, but there are a number of steps you can take to put the odds in your favour. For a start, learn what PCI DSS compliance is and make sure you adhere to the minimum standards.
You should also make sure the rest of the basics are covered – particularly as Paul says most of the attacks he sees are unsophisticated. That includes ensuring that you – or your developer – keep software updated to patch known vulnerabilities, and that default software configurations are changed to something unique to your business.
Firewalls and site monitoring are also part of the armoury, and it should be understood straight away that security is not a one-off investment, says Paul.
“It should be seen as an ongoing cost for businesses. The way attackers attack businesses is always changing.”
How to deal with an attack
If you are the victim of an attack, Paul says you should revert to your incident response plan. This should already be in place before any attack and include details of all the people you should be contacting.
One of those should be your payment systems provider – if it’s Barclaycard, Paul says a member of his team will guide you through the process of engaging with a forensics company to investigate the breach.
And, while the likelihood of an attack might not quite be a certainty, Paul says you should be preparing for an eventuality rather than a possibility.
“You should think of this as a matter of when, not if,” says Paul. “Be prepared, and be vigilant in looking to see if you’ve been compromised.”
Please note that the views expressed in this article are personal opinions. Barclaycard cannot accept any responsibility or liability for reliance by any person on this article or any of the information set out in it.