
Small Businesses: Overconfident on Security

Most mom-and-pops think they've got customers' backs, but study suggests they may be big fat targets

WASHINGTON -- They're strutting like they've got the problem licked. But small businesses may be setting themselves up for a big fall, according to a new study.

In a report released here yesterday at the Visa USA security summit, the National Federation of Independent Business and Visa reported that small businesses are overconfident about their ability to protect their customers' data. In fact, most companies with fewer than 250 employees are storing sensitive data that they shouldn't, the study says.

"The entrepreneurial, go-it-alone spirit that drives many small businesses may actually work against them on important issues like security," said Rosetta Jones, vice president of Visa USA. "That's why creating educational programs that provide a blueprint for protecting small businesses and locking down customer information are so important." Visa and the NFIB will launch a security training program for small businesses later this year, she said.

Eighty-seven percent of small businesses believe that if customers saw how they handled their data, it would either affirm (48 percent) or strengthen (39 percent) the trust that customers put in their businesses, according to the report. About 84 percent of mom-and-pops protect customer information through encryption or passwords.

Yet more than half of small retailers are currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard, the NFIB and Visa said. Thirty-seven percent are storing customer credit card numbers; 24 percent are storing Social Security numbers; and 28 percent are storing customer bank account numbers or copies of checks.

"In some situations, business owners may not be fully aware that their systems are storing this highly sensitive information," the report said. "Yet it is exactly this sort of personal information that criminals seek in order to commit payment fraud."
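The report's point that owners may not know their systems hold card numbers is exactly the kind of thing a simple stored-data scan surfaces. The following is an added example (not code from the article, Visa or the NFIB): it walks a constructed set of order records, flags values that look like payment card numbers and pass the Luhn check, and reports them masked to the last four digits. The record layout and field names are assumptions for illustration.

```python
import re

# Candidate runs of 13-19 digits, allowing spaces or dashes between groups.
# The lookarounds stop a longer numeric run (e.g. a 20-digit reference) from matching.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card-number-like strings found in text, as plain digit strings."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep only the last four digits in any report, so the scan itself does not leak PANs."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_records(records):
    """Scan (record_id, field, value) tuples; return (record_id, field, masked_pan) findings."""
    findings = []
    for rec_id, field, value in records:
        for pan in find_pans(str(value)):
            findings.append((rec_id, field, mask(pan)))
    return findings

# Constructed sample rows (hypothetical schema); the card numbers are well-known
# test numbers, not real accounts. A Luhn-invalid 13-digit invoice reference and a
# carrier tracking number are included to show they are not flagged.
SAMPLE_RECORDS = [
    ("order-1001", "notes", "Customer paid with 4111 1111 1111 1111, exp 12/26"),
    ("order-1002", "notes", "Phone 555-0134, shipped UPS tracking 1Z999AA10123456784"),
    ("order-1003", "card_on_file", "5555-5555-5555-4444"),
    ("order-1004", "notes", "Invoice 1234567890123 reference"),
]

if __name__ == "__main__":
    for rec_id, field, masked in scan_records(SAMPLE_RECORDS):
        print(f"{rec_id}: field '{field}' holds a card number ending {masked[-4:]}")
```

Any hit on a free-text or "card on file" field is data that PCI DSS says should not be retained after the transaction and should be purged or moved to a compliant tokenization service.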

Few small businesses have data security processes in place, the survey shows. Most (57 percent) do not see securing customer data as something that requires formal planning, and many (39 percent) say they rely on "common sense" to keep data safe. Most of the respondents (61 percent) have never sought out information about how to properly handle and store customer information.

Some small businesses are more security-savvy than others, according to the report. The smallest companies -- those with fewer than 10 employees -- are the least likely to have a formal security plan (38 percent, compared to 55 percent of companies with 20-250 employees).

Companies that have security-savvy owners make better plans than those that don't. If the company's owner checks his or her credit report, shreds documents, locks up files, and keeps PINs separate from cards and accounts, about 55 percent of their companies have a security plan in place. If the owner does two or fewer of these things, only 37 percent have a formal security plan.

Visa has been pushing security hard on the retail industry via PCI standards, but most small merchants are not compliant and don't face the prospect of an audit, as larger merchants do. Visa and the NFIB said they will attack the issue with Internet-based training, in-market events, and "turnkey" written materials.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
