Shop Talk

Small-business owners need to understand and protect customers’ and employees’ data and intellectual property

This Cary Dairy Queen  was one of about 395 locations infected with the Backoff malware on point-of-sale systems compromising payment card, customer names, numbers and expiration dates.
This Cary Dairy Queen was one of about 395 locations infected with the Backoff malware on point-of-sale systems compromising payment card, customer names, numbers and expiration dates.

Andrew Valkanoff said if hackers can get into Target and J.P. Morgan’s internal systems, he feels like the small guy doesn’t really have a chance.

“We know what we can do to make it as safe as possible,” he said, “but the technology is ever changing.”

Valkanoff is a Dairy Queen franchise owner whose Cary restaurant was among the nearly 400 locations affected by a malware intrusion into point-of-sale systems. Credentials from one of Dairy Queen International’s vendors were used to compromise systems at Dairy Queens and one Orange Julius in the U.S. and access credit and debit card data at those locations.

In the past three months, there have been three announcements indicating that similar instances occurred at nearly 800 retail locations for two companies and one nonprofit organization. Those breaches affected a The UPS Store in Durham, a Goodwill Industries thrift store in Mebane and the Dairy Queen in Cary, along with locations in Wake Forest, Fuquay-Varina and Rockingham.

Since 2005, more than 6 million North Carolina residents have been affected by nearly 2,300 security breaches, which range from improperly discarded paper records to email phishing scams and hackers with unauthorized access, said N.C. Attorney General Roy Cooper.

October marks the nation’s 11th annual National Cyber Security Awareness Month, which aims to engage and educate the public about security breach risks and cybersecurity. Such risks were highlighted by the Oct. 2 disclosure by J.P. Morgan Chase that data had been compromised, affecting about 76 million households and 7 million small businesses.

This week’s focus of National Cyber Security Awareness Month is aimed at small and medium-size businesses, as personnel data, financial spreadsheets and intellectual property could be a target.

“The great benefit we get from technology does have a down side, and all businesses can be at risk of a security breach because criminals are using technology now more than ever,” Cooper said.

Point-of-sale systems hit

Point-of-sale intrusions have been a high-profile thorn for many retailers over the past few years.

On Aug. 22, the U.S. Department of Homeland Security issued an advisory encouraging organizations to check for possible point-of-sale malware infections. One particular family of malware, with an original detection date of October 2013, was not recognized by antivirus software solutions until August 2014, the advisory stated.

In July, the National Cybersecurity and Communications Integration Center and the U.S. Secret Service issued a warning about a Backoff malware attack, in which seven point-of-sale vendors and providers had identified affected clients. The Secret Service estimated that more than 1,000 U.S. businesses were affected.

In point-of-sale intrusions, organized criminal groups operating out of Eastern Europe are compromising systems and installing malware, according the 2014 Data Breach Investigations Report, which includes contributions from 50 global organizations.

“Such (criminal) groups are very efficient at what they do,” the report states. “They eat POS systems like yours for breakfast, then wash ’em down with a shot of vodka.”

Meanwhile, the report classifies point-of-sale intrusions as just one of nine patterns associated with 95 percent of the data breaches in the past three years.

Other patterns include Web application attacks, including vulnerabilities in code; insider misuse; physical theft and loss of data; miscellaneous errors; crimeware or any malware that doesn’t fit under point-of-sale attacks or espionage; payment card skimmers implanted to read magnetic strip data from a payment card; cyber-espionage; and denial of service attacks intended to compromise the network of systems.

Small-business owners, Cooper said, need to be on the lookout for high- and low-tech breaches.

Low-tech breaches might include improper release of information, such as throwing paper records with customers’ personal information in a dumpster. Improper release of information affected more than 55,000 people in the state in 2013.

Low-tech risks can be addressed by shredding surplus documents and only collecting personal information when it is needed, Cooper said. For example, don’t obtain job candidates’ Social Security numbers until they are hired.

Breaches must be reported

In 2005, Cooper successfully shepherded the Identity Theft Protection Act into a law that requires all companies that do business in the state and collect personal information to take measures to protect against unauthorized access.

The law, along with a 2006 addition, requires businesses, state and local agencies to notify consumers if their personal information is breached. The law compels those organizations to report security breaches to the Consumer Protection Division of the Attorney General’s office.

The law also allows affected consumers to seek a security freeze on their credit reports, which prohibits a consumer reporting agency from releasing information without authorization. Businesses that don’t comply face fines of up to $5,000 per violation and risk the tripling of actual damages in civil law suits.

The question that small-business owners are asking Alicia Gilleskie, a data and technology attorney at Smith Anderson law firm in Raleigh, is how can they protect their companies on their typically limited budget.

“I think what we have seen is some simple actions can go a long way,” Gilleskie said.

Owners should inventory and understand their data assets, digital and paper records that their company maintains on employees, customers, business contacts and others. That includes credit card information with paper records stored on or off site and data maintained by third-party vendors.

“Usually, somebody with the company’s technical systems would be critical to this analysis,” she said.

Knowing what data owners have and where it is located will allow them to explore their risks, related state and federal regulations, and designate a privacy officer at the company.

The plan should also include some simple workforce education on how data breaches come about and what can be done to prevent them.

In addition, an outside information technology company should perform a risk assessment.

Craig Petronella, president of Petronella Technology Group in Raleigh, said owners can protect themselves by having a good backup system, testing it regularly and establishing a security policy that defines when everything is patched.

“And the protocol to fulfill that,” he said. “Then there should be testing of the patches.”

Other measures include implementing two-step password authentication and having a firewall that is patched and up to date. They should implement monitoring that goes beyond a firewall and looks at the traffic to detect malicious activity.

Also, Petronella said, a large number of people are sending sensitive information via email, which is not secure.

“Think of email as a postcard where all info is written on the outside of the package,” he said.