Experts at Visa's annual security summit last week warned that cybercriminals are moving on to new and easier-to-exploit targets for their malicious software: small-to-medium-sized businesses, according to Dark Reading.
[Charles] Matthews [president of the International Council for Small Business] quoted industry research that states small businesses are far less prepared to defend themselves against cyberattack. "Nearly one-fifth of small businesses don't even use antivirus software," he said. "Sixty percent don't use any encryption on their wireless links. Two-thirds of small businesses don't have a security plan in place. These numbers are both surprising and disturbing."
And many small businesses still don't know they are targets, according to Chris Gray, director of innovation policy at the Canadian Chamber of Commerce and another member of the panel. "According to a brief survey we conducted, about two-thirds of small and medium-sized businesses believe that large companies are the main target for cybercrime," he reported. "Yet 85 percent of the fraud we see in business occurs in small and medium-sized businesses."
David Hogan, senior vice president and CIO for the National Retail Federation, who spoke on a separate panel at the summit, said only about 60 percent of Level 3 businesses -- the level just above the mom-and-pop shops -- have met the Payment Card Industry Data Security Standard (PCI DSS) for protecting credit card data. Compliance at Level 4 -- the smallest businesses -- is generally believed to be even worse.
Another reason smaller businesses do not protect themselves, Dark Reading reports, is a lack of time and resources. In the past, most small businesses could rely on banks' or other financial institutions' secure dedicated point-of-sale hardware and connections to protect card data, but this has changed as small businesses have sold their goods and services online. This has made them responsible for ensuring they protect their customers' card data.
Experts at Visa's 2009 Global Security Summit said it is onerous for smaller businesses to become PCI compliant and to stay compliant. Their best bet is to have third parties handle card payment processing so they do not have to handle or store card data at all.
"If you can reset your business model so that you're no longer subject to PCI requirements because you aren't handling credit card data at all, that's the best solution," Merrill Phelan, manager of IS and programming for the Washington Metro Airport Authority, said. "That's not as crazy as it sounds -- there are ways to accept credit card payments without ever touching the data itself."