Think Like a Thief: Cyber Security for Your Business

By Bob Chrismas

 

No matter how big or small your business, or which retail space you operate in, data security and how you use technology has to be given considerable and ongoing attention. I cannot

imagine even the smallest mom-and-pop store operating in this day-and-age without the use of some technology, whether it is point-of-service devices connected to smartphones and tablets to administer sales and monitor inventory, or for physical security. You may be a franchise required to connect to a larger network, but even a stand-alone business must connect with banking and sales networks utilizing internet access. Properly equipped and trained employees with solid and well thought out policies and procedures can prevent great cost to your business. Even simple procedures like avoiding the downloading of malware can save companies lot of time and money.

Thinking like a hacker or thief can help. A hacker might see a business as a system that gathers, processes or stores either money or valuable data that they might access. In order to steal from this system, the thief has to access it either from the outside or from the inside. From the outside hackers might connect through an unguarded port in your computer system, or through a hack via the internet; a trojan horse type e-mail or advertisement that appears innocent enough, until a well-meaning employee clicks on a link. Answering e-mails might be the employees’ job, perhaps taking orders or answering customer complaints, so how can they not open them? In this case some security software might substantially reduce risk. In another scenario an employee finds a USB drive in the business and plugs it into a networked computer with good intentions of identifying the rightful owner and returning it to them. The instant it is plugged in to the device, the entire network is compromised with malware that might gather data for a long period without you ever realizing it.

In all of these scenarios, thinking like a thief can potentially alert you to opportunities to protect your store. A more nefarious threat to businesses is employee infiltration or theft. This could be in the form of inside information about business vulnerabilities shared by an employee, on purpose or by accident, with undesirable friends. It could also be outright theft by an employee, of cash, or valuable customer data. Some of the most successful thieves have learned that stealing a dollar or two from thousands of customers, who are less likely to notice or question a small charge on their credit card, is safer than the heat that one large theft can draw. A famous method for this is skimming, wherein customers pay for goods with a credit card and the employee passes the card by a skimming device to capture their data as they are doing the transaction.

This can really hurt a business once the theft is revealed. Studies have found that customers are highly influenced by their perception of the security that a business has over their customers data and transactions. It makes sense as who would want to continue business in a place where they were ripped off, when they can easily choose another business for the same service down the street. In one study by KPMG, 19 per cent of consumers would stop shopping at a retailer after a data breach, and 33 per cent would take a break from shopping at that store for an extended period.

One safeguard is to ensure employee access is limited, tied only to their job functions. Accessing various data must be carefully planned in order to protect data. Build a culture of security mindedness in the company, so employees are not offended but rather expect to be audited periodically. This can be more relevant in business with high staff turnover; however, all employees, both long and short term and front-line and higher level can fall prey to temptation.

Other research by Verizon into data breach investigations found that financial gains motivated 97 per cent of threat actors targeting the retail industry; these thefts occur at the point of service. Point of service malware is commonly used to target retail and restaurant businesses. It can infiltrate and take control of systems and can be difficult to detect and take down. Any de-vice that connects to the Internet can be hacked; therefore, think like a hacker about where your vulnerabilities lie and how you might try to take advantage if you were a thief.

In a previous article titled Enhance Your Success by Keeping Employees Safe, I pointed out that business owners can do a great deal to enhance their physical security on their own, using common sense. There is a billion-dollar security industry standing by and quite happy to take your money for the good advice they can offer. However, you might not need to pay someone for common sense security advice such as putting in more lighting and trimming those hedges so there is a clear view into the store. Cyber security is much the same, although many of us are nervous about being up to date with complex and ever-changing technology. My suggestion would be to do some research on your own and arm yourself with some rudimentary insights, and then talk to an expert, and/or other store owners, about how you can harden your cybersecurity. In most cases, managers of a small store can do a lot on their own and even more with some expert advice. You don’t necessarily need a $15K security system.

Educate your employees, and yourself on potential cyber threats. Arrange for some team training; this can not only reduce vulnerability, but it can build a culture of cyber-security awareness within the business. Have a budget for ongoing security, including security audits and vulnerability assessments. Ensure you have a strategy for when a breach is identified. This might in  corporate having a way to isolate from outside access until a breach is fixed, and practicing those protocols. Of course, the preemptive work can mitigate damage from a breach, if you’ve set things up in a way that no great damage will occur if a breach occurs. Think like a thief; how could you steal from your company, and plug those holes.

Bob Chrismas, Ph.D., is an author, scholar, consultant, passionate speaker and social justice advocate police professional with internationally recognized expertise in community engagement and crime prevention. An advocate for social reform, he has written and speaks extensively on innovative trends in policing, community partnership and governance. Visit Bob at BChris-mas.com