“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a forgone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.
Category: Small Business Page 7 of 10
What is PCI compliance and how can it impact your business? We break down the 7 most important things you need to know about PCI compliance.
- It’s there for a reason. As the Target and many other data breaches have shown, there’s a huge underground market for stolen credit and debit card numbers. Crooks will go to great lengths to get these numbers, and the resulting breaches can be very costly. Even more important, credit card processors worry that more security and data breaches will hurt consumer confidence in using their credit and debit cards, and that’s bad for everyone.
- PCI is like a guard dog that’s not afraid to turn on its master. It’s ultimately designed to protect you, and in the case of smaller firms, without much effort. But if you ignore PCI, it’s not afraid to bite. Failure to comply can mean penalties, fines, and even the inability to accept credit and debit cards.
- If you accept credit or debit cards, you can’t avoid it. One of the most common misconceptions is that PCI is only for bigger firms, only applies to businesses that process a minimum number of credit card transactions monthly, or that smaller firms are exempt. None of the above are true. If you accept credit cards, even one transaction, then you have to be PCI compliant.
- The world’s top credit card processors, who between them process the majority of credit card transactions in the world each day, created a free roadmap to help you protect against card breaches. And PCI is not just about protecting credit cards. It’s ultimately about protecting your business, your reputation, customer trust, and your future. Not a bad freebie when you think about it.
- It’s not a security guarantee. The more credit card transactions you process each year, the more complicated PCI can get. The higher the number of transactions, the more rules you have to follow and the more it will cost you. Yet in spite of all the rules, being PCI compliant is no guarantee that you’ll be secure. PCI should be seen as a baseline and a minimum standard, meant to be combined with other layers of protection.
- With so many breaches, and so much in-depth coverage of them, it’s become apparent that even major organizations with huge investments in security and compliance have still fallen victim to security breaches. That’s led to calls to make PCI even tougher. You can expect that to happen in the next few years.
- Becoming PCI compliance is easy – remarkably easy. Compliance is based around a self-assessment questionnaire. That’s right – you answer some questions and you conduct the assessment yourself. A major focus of compliance is making sure that if you accept payments through your website, your website is secure. Luckily that’s also easy. Firms like SiteLock can manage that process seamlessly and affordably.
Becoming PCI compliant is necessary for all business who accept credit cards online. If you need help getting started, SiteLock is available 24/7/365 to help. Give our security experts a call at 855.378.6200 to help.
Learn the top 7 website security myths hackers are hoping you believe…
Myth #1: You’re too small to be of interest to them.
Let’s face it, it’s the most common excuse made by business owners. It seems preposterous to them that of the tens of millions of businesses around the world, many of them very lucrative, busy hackers would have time for them. What they don’t realize is that cybercrime has become automated and the hackers have sophisticated tools that will scour the internet looking for unprotected websites and poorly protected or unpatched computers and networks.
Myth #2: You have nothing worth stealing.
“I don’t take credit cards,” or “It’s all handled by a third-party processor” are common responses, and based on the belief that hackers are only after credit cards. All data, any data, is of value. That can include names, addresses, phone numbers, email addresses, buying habits, purchasing history, employee records, Social Security Numbers, intellectual property, passwords. And often the hackers don’t want to take, they want to give. Like using your unprotected websites to hide malware that will be spread to visitors to your site.
Myth #3: If there is a breach, it won’t be a big deal.
In reality, the smallest security breach can be a really big deal. There have been many cases of smaller firms being wiped out by a single piece of malware accidentally downloaded by an employee. And if the hackers don’t get you, the lawyers might. There is now an army of lawyers whose only focus is to sue businesses on behalf of customers whose data was exposed in data or security breaches. And of course there are all the regulators and the fines they can impose, not to mention the long-lasting damage to your brand and reputation if your customers think they can’t trust you.
Myth #4: Antivirus software and a firewall are all you need to be safe.
Don’t get me wrong, they’re essential, but there’s so much more to security. Businesses that have relied on just the basics have found out the hard way that hackers are way too determined to be deterred by the basics.
Myth #5: A website is really just a flashy billboard to advertise your business.
Your website is so much more. It’s often the only way customers can find your business, so if it’s compromised, blacklisted, or otherwise not available, your customers are going elsewhere and probably not returning.
Myth #6: Your employees pose no risk.
No one would ever accuse Irene in accounts of being a hacker’s best friend, right? But many security and data breaches are as a result of exploitations by hackers of mistakes by employees. If your employees are not trained to be sentries, they’ll be quickly turned into vulnerabilities.
Myth #7: Your password is perfectly fine.
How often do you think about your own passwords, let alone those of every other employee in your business? One weak password is all it takes. But in reality, most passwords are weak and exploitable. And if that include FTP access, a complete stranger may end up owning your web site.
Don’t be fooled by these myths. To learn how you can protect your website and keep hackers out, give the SiteLock security experts a call at 855.378.6200. We are available 24/7/365 to help.
Budget should never be a reason for ignoring security. Neither should worries that you’re technically challenged. Here is a list of ten things you can do to help defend against cyber risks.
- Look in the window. Most business owners look at their websites and security risks from the inside-out, and never see what it looks like from a hacker’s perspective. Even a cursory inspection, but even better a basic website scan, could easily help you spot vulnerabilities quickly.
- Understand what the risks are. After all, you can’t fix them if you don’t know what they are. A little light reading on common business and website risks could tell you all you need to know. Focus on technical and procedural risks – from exploits of unpatched vulnerabilities to common errors by employees.
- Focus on passwords, and especially to your FTP account. Passwords can be the keys to the kingdom, and even the biggest security breaches at the biggest businesses have been traced to the smallest password mistakes.
- If your business has a lot of sensitive information to protect, consider having your website developers use a dedicated computer to access the website. This can significantly reduce the risks of things like keyloggers, which can steal website passwords and give hackers access. By using a dedicated computer that’s not used for anything else, you eliminate the risk of downloading a keylogger or other malware through drive-by downloads, email attachments, or infected files.
- Create a list of your Top 10 security rules, that everyone has to follow, and make that everyone knows what those rules are. Ten is a good number. You could easily have a hundred but too many could cause more harm than good. Focus on the biggest risks and vulnerabilities and pursue them relentlessly.
- If you accept credit cards, make sure you’re PCI compliant. Achieving PCI compliance is not difficult or expensive, especially for smaller businesses. Not only is PCI a great security place to start, you don’t have an option. Failure could mean big fines and the inability to accept credit card payments.
- Don’t forget to get physical. Not all attacks or exploits have to be digital or virtual. Hackers can walk into an unprotected business or rummage through a dumpster. And many of the information-rich laptops and tablets stolen in burglaries end up in the hands of cybercrooks.
- Control who you give access to. That can range from access to buildings and rooms to access to computers, networks, and websites, to access to specific files and privileges. It’s not about people getting access to sensitive data, it’s about the wrong people getting access.
- Choose your web hosting provider carefully. There are thousands to choose from so pick yours thoughtfully and focus on what they say about security. If they don’t talk about it at all, that could be a warning sign. If they do mention security, present them with your list of top security worries and risks and see what their response is.
- Review your security regularly, with a comprehensive top-down review at least a couple of times annually. Nothing stands still, and new vulnerabilities are being discovered or created daily.
We all want faster websites, no matter which side of the site we’re sitting on. Surfers want faster page loading times because they’re usually impatient and will quickly lose interest if the page appears to take more than a millisecond to load. And as a business owner, you should be concerned with speed too. You don’t want to lose valuable customers just because your website appears to be tranquilized.
Identity theft is the number one crime in America, a crime that claims an average of more than a million new victims every 30 days. And many of those victims are as a result of businesses that leak their customer information, usually by accident, and often through their website.
Confused about how to protect your website? It’s actually not that hard (hint: there are great companies that will do it all for you for less than a buck a day). But perhaps the easiest way to get your head around website security is to think of it like a PC. Except this is the most important PC you could ever have, because much if not most of your business probably relies on it.
Think about all the things you need to do to protect your PC, and how easy it is. For example:
- You protect it from malware by making sure you have good quality antivirus software. You constantly update that software so it can detect the latest threats, and you regularly scan your computer in case anything slipped past.
- You use a firewall, so that you can deny access to hackers and malware that constantly stalk the internet looking for vulnerable computers like yours.
- You practice computer hygiene. You’re careful about what websites you visit and what you download, so that you don’t inadvertently infect your computer.
- You make sure your PC is constantly patched. Most malware infections result from unpatched vulnerabilities, from Windows to Flash, so you want to patch those vulnerabilities before a hacker can exploit them.
- If other people have access to your PC, you let them know what the rules are, so that they don’t do something that breaches your good security habits.
- If there’s sensitive information on your PC, you take a variety of precautions to protect it. You use strong passwords that are hard to guess, you change those passwords frequently, and you guard them well. And you encrypt any sensitive information on that PC so that if hackers make it past your first lines of defense, your crown jewels are still safe.
- And you take a bunch of precautions, from backing up your data to regular maintenance, to make sure that your PC is always available to you.
The principles of protecting your website are not much different. Granted, putting them into practice can be a little more challenging, which is why you have companies like SiteLock to do it automatically and comprehensively.
But back to those principles. If you’re serious about protecting your website, think about it like you would any PC or laptop:
- Protect it from malware that can infect your website, steal data, and spread to your customers.
- Protect sensitive data, especially customer and credit card data, with layers of security that should include encryption.
- Use strong passwords, especially for web access and FTP, that are changed often and protected well.
- Teach all employees about your website security rules so that whenever they have access to your site, they use it responsibly.
- And regularly review and update your security so that it can match the latest threats, meets any regulatory requirements (like PCI), and does not end up being blacklisted by search engines.
Protecting your website can be challenging, but we can make it easy. Call SiteLock at 855.378.6200 to learn how to automate website security.
Dear Website,
Well, I’m not really sure where to begin. Not only was it the first time I’ve received a letter asking me for website security for Christmas, but also the very first letter I’ve ever received from a website. And trust me, I’ve been doing this for quite a while, long before that internet thingy I started for Al Gore.
I am very sorry to hear how worried you are about security, and especially hackers and malware. Not really for yourself, but for your owner. I know that most business owners are so busy building their dream, they sometimes forget that there are some very bad people out there who can too easily steal it all.
I have to admit, I wasn’t really sure where to start. If you’d asked me for a Kindle or an “i” something-or- other, or even just a toy or a scarf, that would be easy. But I feel a little like most business owners do, not really knowing how to protect you and even where to start.
But when I had some downtime on my sleigh (don’t worry – it has cruise control, so it was perfectly safe), I did some research and I hope you’ll be happy with what I came up with.
So here it goes:
You said you wanted someone to watch over you. Well, while I’d love to be able to do that, you understand I have my own full-time job, even in the off-season. So I sent your owner a very nice letter advising her that the best thing she could do for herself (and for you) was to sign up for SiteLock so that you aren’t so vulnerable to all those hackers and malware removal is automatic.
I love giving gifts like that. They’re not extravagant so there’s no need to feel guilty. They’re very simple to use, so your owner doesn’t have to spend her holidays pouring over an instruction manual or looking for batteries. And once you switch it on, SiteLock will guard you and your business around the clock, from the most advanced threats and determined hackers.
So what was next? Oh yes, better passwords. I hear that. It’s a nightmare for my toy business. Who knew so many employees, elves especially, are so careless with important passwords? Like FTP. I mean, why have a lock on the front door of your business if you insist on leaving the keys in it?
But I’ve got you covered. I sent every employee a password manager (don’t worry, some of the best are free). Now they can create and protect the most complex of passwords, and store them all in one safe place. So not being able to remember all those big and clumsy passwords is no excuse. And some of these programs will even remind you when it’s time to update your passwords, so forgetting is not an issue either.
Let me see, what else did you ask for? Sorry, my memory isn’t what it used to be. Oh yes, you wanted to get rid of all that outdated content and code on your website because you think it’s slowing you down. Tell me about. Every year about this time, when the rush dies down, we promise to tidy up the place so that we can run more efficiently as we prepare for next year.
And every year that resolution goes out the door as quick as Christmas itself. Not to worry. I created a special note just for your webmaster. In exchange for his list, I gave him a list, too. It’s pretty simple. I told him to go through every page of the site and remove any outdated content and images, and clean up or remove outdated code — we all know how dangerous that can be.
I also told him to get a patching and updating regimen in place so that all critical patches are installed as soon as they’re available, and outdated software and plugins don’t leave you vulnerable.
I think that’s it. Hope I’m not missing anything. When I think about it, I wish every website would send me a letter like this. I can easily find their owners and lean on them a little.
I mean, if this is the season of goodwill and joy, why shouldn’t it start with your website, the face of your business? For more information, just ask the experts at SiteLock. Give them a call at 855-378-6200. They’re available 24/7 to help.
No one likes talking or even thinking about bad things around the holiday season. It goes against the holiday spirit! But you may not have any choice. Bad things can happen to your business at any moment, and may even be happening as you’re reading this. Every day, millions of small business websites are being prodded and probed by automated hacker tools looking for unsecured websites they can hijack. It’s almost like a thief walking along a row of cars and nearly invisibly checking each door handle to see which ones are unlocked. Except hackers have an additional layer of secrecy. They don’t have to leave their homes to check websites, and they can see many of them – all at once.
Happy Cyber Monday! If your website has survived the Thanksgiving rush, let’s hope it doesn’t suffer from a post-Thanksgiving malware hangover. Because in the usual run up to Christmas, the only people busier than elves are hackers. And their favorite tool this year appears to be malware. What’s a website to do without trusted malware removal?
We took a look at many of the top security stories to hit the headlines in just the last couple of weeks, and it’s not surprising that most of them were about malware.
Security firm Symantec says that hackers have recently been very successful in delivering a nasty gift of malware to unsuspecting users by blasting out emails pretending to be antivirus software updates. What makes the emails so convincing, according to Symantec, is that they look very authentic and incorporate logos from most of the popular antivirus products – probably even those that you use. Because most users are likely to be familiar with the brands and use at least one of them, it makes the email appear more personal and genuine. And therefore more likely to be opened. And clicked – which is what causes the most damage.
Security firm Trusteer also announced that it discovered some of the most advanced financial malware yet, malware that not only has more features than any previous malware, but also creates a private and secure communications channel back to the hackers behind it. According to Trusteer, the malware can steal information entered into web forms as well as steal log-in credentials from dozens of the most popular FTP clients.
And this is especially dangerous to small businesses in the U.S. If this malware is able to steal the login and password for your business bank account, it will very quickly empty that account. And small business accounts are not protected by zero liability. So if the thieves steal every last dime you have in the bank account, you’re out of luck. And maybe even out of business.
To add to the misery, Trend Micro also reported that it discovered more than 200,000 different types of malware targeted at online banking in just the third quarter of this year, with at least 25% of them targeted at U.S. banks.
One of the most dangerous pieces of malware in circulation right now is Cryptolocker. This is ransomware. Once it infects your computer, it will encrypt or lock your files and then demand a ransom to unlock them so you can use them again. The ransom can vary, from $300 to more than $3,000. And even if you pay the ransom, chances are you still won’t get your data back. And thousands of users have fallen victim. Even one police department admitted that Cryptolocker had managed to kidnap their data.
And not to be left out, researchers have discovered that even the NSA has turned to malware to do their job, infecting at least 50,000 with a botnet that will allow them to spy on those computers.
To add website malware scanning and defense to your holiday to-do list call SiteLock at 855.378.6200.
