
Small Businesses: Overconfident on Security

Most mom-and-pops think they've got customers' backs, but study suggests they may be big fat targets

WASHINGTON -- They're strutting like they've got the problem licked. But small businesses may be setting themselves up for a big fall, according to a new study.

In a report released here yesterday at the Visa USA security summit, the National Federation of Independent Business and Visa reported that small businesses are overconfident about their ability to protect their customers' data. In fact, most companies with fewer than 250 employees are storing sensitive data that they shouldn't, the study says.

"The entrepreneurial, go-it-alone spirit that drives many small businesses may actually work against them on important issues like security," said Rosetta Jones, vice president of Visa USA. "That's why creating educational programs that provide a blueprint for protecting small businesses and locking down customer information are so important." Visa and the NFIB will launch a security training program for small businesses later this year, she said.

Eighty-seven percent of small businesses believe that if customers saw how they handled their data, it would either affirm (48 percent) or strengthen (39 percent) the trust that customers put in their businesses, according to the report. About 84 percent of mom-and-pops protect customer information through encryption or passwords.

Yet more than half of small retailers are currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard, the NFIB and Visa said. Thirty-seven percent are storing customer credit card numbers; 24 percent are storing Social Security numbers; and 28 percent are storing customer bank account numbers or copies of checks.

"In some situations, business owners may not be fully aware that their systems are storing this highly sensitive information," the report said. "Yet it is exactly this sort of personal information that criminals seek in order to commit payment fraud."
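The report's point that owners may not know their systems retain card data is something a merchant can check for directly. The script below is an added illustration, not code from the Dark Reading article or from the NFIB/Visa report: it scans stored records for runs of digits that look like payment card numbers, keeps only those that pass the Luhn check card issuers use, and masks each hit before reporting it. It also flags hyphen-formatted Social Security numbers, since the survey counts those among the data being retained. The sample records, field names and the unformatted invoice number are constructed for the example; the card numbers are widely published test numbers, not real accounts.

```python
"""Scan stored records for payment card numbers (PANs) and formatted SSNs.

Added example for illustration; not from the article or the NFIB/Visa report.
A small merchant unsure whether an export, log or database still holds card
data after a transaction can run a scan like this over that data.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# as card numbers commonly appear in exports and log lines.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hyphen-formatted SSNs only; bare 9-digit runs are too ambiguous to flag.
SSN_FORMATTED = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample records (not real customer data). The two card numbers
# are published test numbers that satisfy the Luhn check; the 16-digit
# invoice number on record 3 does not, so the scanner must not flag it.
SAMPLE_RECORDS = [
    "order=1001 customer=Jane Doe card=4111111111111111 exp=12/27",
    "order=1002 customer=John Roe card=5555 5555 5555 4444 exp=01/26",
    "order=1003 customer=Ann Poe phone=2025550143 invoice=1234567890123456",
    "order=1004 customer=Sam Loe last4=1234",
    "order=1005 customer=Kim Moe ssn=123-45-6789",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in text (Luhn-valid candidates only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def find_ssns(text: str) -> list[str]:
    """Return formatted SSNs found in text with the last four digits masked."""
    return [m.group(0)[:-4] + "****" for m in SSN_FORMATTED.finditer(text)]


def scan_records(records: list[str]) -> dict[int, dict[str, list[str]]]:
    """Map 1-based record numbers to the masked sensitive values they hold."""
    findings = {}
    for lineno, record in enumerate(records, start=1):
        pans = find_pans(record)
        ssns = find_ssns(record)
        if pans or ssns:
            findings[lineno] = {"pan": pans, "ssn": ssns}
    return findings


if __name__ == "__main__":
    for lineno, found in scan_records(SAMPLE_RECORDS).items():
        print(f"record {lineno}: cards={found['pan']} ssns={found['ssn']}")
```

Only the masked form ever leaves the scanner, so the report itself does not become another copy of the card data. The Luhn filter is what separates a card number from a same-length invoice or order number; without it, record 3 would be a false positive.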

Few small businesses have data security processes in place, the survey shows. Most (57 percent) do not see securing customer data as something that requires formal planning, and many (39 percent) say they rely on "common sense" to keep data safe. Most of the respondents (61 percent) have never sought out information about how to properly handle and store customer information.

Some small businesses are more security-savvy than others, according to the report. The smallest companies -- those with fewer than 10 employees -- are the least likely to have a formal security plan (38 percent, compared to 55 percent of companies with 20-250 employees).

Companies that have security-savvy owners make better plans than those that don't. If the company's owner checks his or her credit report, shreds documents, locks up files, and keeps PINs separate from cards and accounts, about 55 percent of their companies have a security plan in place. If the owner does two or fewer of these things, only 37 percent have a formal security plan.

Visa has been pushing security hard on the retail industry via PCI standards, but most small merchants are not compliant and don't face the prospect of an audit, as larger merchants do. Visa and the NFIB said they will attack the issue with Internet-based training, in-market events, and "turnkey" written materials.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...