During dinner with a restaurant-focused solution provider one evening at RetailNOW, we began discussing recurring revenue opportunities. Currently, I see security as the single most important add-on service a solution provider can be offering his or her customers — regardless of vertical. Indeed, every business today is at risk of suffering loss of business from malware, ransomware, or breach. Surprisingly, the solution provider I was dining with replied with a very serious “really!?” In their mind, offering PCI-compliant software meant they didn’t have to worry about security. In fact, they went so far as to say that they thought security was old news and something the industry had successfully dealt with through PCI and EMV.
Luckily, my opinions to the contrary were confirmed the very next day when a panel of industry experts took to the RetailNOW main stage to discuss the critical nature of security. Here are my key takeaways from the session.
Ensure all software (even non-POS) is patched. Chris Novak from the Verizon Threat Research Advisory Center pointed out that cybercriminals are now targeting any business that hasn’t taken necessary steps to protect itself. For example, 70 percent of attacks were discovered to have happened through unpatched vulnerabilities.
Ensure that all data is encrypted. Novak also urged attendees to assume that criminals will somehow be able to get their hands on their data or their customers’. In those cases, you want the data they obtain to be worthless by having it encrypted.
Don’t take security shortcuts with remote access. Stoddard Lambertson from Visa highlighted the importance of PCI DSS requirement 8.3, using multifactor authentication (MFA), when remotely accessing your customers’ IT environments. Additionally, use unique passwords for each customer, not a single password common to all.
Protect yourself. Nathan Sweaney, RSPA Security Advisor, shared how easy it is for criminals to breach a solution provider (VAR or ISV), access their CRM and company information, and then call or walk into a customer site posing as the provider. Ensure your systems are secure, so you don’t become the attack vector.
Educate your staff and customers about social engineering tactics. Novak shared that there’s been a surge in social engineering, whereby criminals dupe end-users into giving them vital information such as passwords or use phishing emails that users are tricked into opening. These attacks seem obvious but are highly successful, so constant training and reminders are warranted.
Lock down unnecessary ports. Today’s criminals use software that will scan every IP address on the Internet and every port to see what’s open. Those open ports are then passed on to another criminal who specializes in trying to get through the port. If they’re successful, another criminal will later try to deploy malware or access vital data that can be held hostage. Use vulnerability scanning to find and close any unnecessarily opened ports. Repeat scans frequently, because you can’t be sure whether another vendor working with your customer has opened ports and created an attack vector.
Become a QIR. Troy Leach of the PCI Council admitted that early iterations of the PCI Qualified Integrators & Resellers (QIR) program were costly and overly demanding. The latest version of the QIR program is affordable and addresses the essentials without getting too bogged down in technical details that a reseller doesn’t need to know. Contact Nathan Sweaney to learn more about the QIR and ways the RSPA might be able to assist you.
Use a layered approach to security. Don’t assume your vendor partners have you covered. Leach advises you to follow PCI DSS best practices and to use a combination of tokenization, point-to-point encryption, and EMV to devalue data and make your merchants unattractive to criminals.
One additional point that was made very clear by the panel is that the need for security isn’t going away. As the trusted advisor to your customers, you must remain vigilant and continue to educate yourself on the latest threats. Nearly 60 percent of SMBs don’t recover from breaches and are out of business within six months of the event. Protect your customers from joining this statistic.