Visa, Verizon, and IBM on How Small Businesses Can Protect Customer Data

By: Mark Hamstra

For most small and medium-sized businesses (SMBs), the biggest risks come from hackers breaking into systems to steal customer information, according to security experts. — Getty Images/Oscar Wong

Why it matters:

• For most small and medium-sized businesses (SMBs), the biggest risks come from hackers breaking into systems to steal customer information, according to security experts.
• The average cost of a data breach was $4.35 million in 2022, according to IBM and the Ponemon Institute.
• Businesses can protect against cyberattacks by incorporating multiple layers of protection, staying on top of cybersecurity threats, such as various forms of ‘social engineering,’ which trick people into giving sensitive information for illegitimate uses, and by training employees on how to avoid attacks, security experts said.

The acceleration of e-commerce and expansion of digital touchpoints during the pandemic has created a rich environment for data thieves, according to financial security experts.

“Many small and medium-sized businesses, and large businesses for that matter, have adapted to new ways of driving commerce,” said Dustin White, Vice President, US Risk, Visa. “Brick-and-mortar outlets had to digitize for the purposes of e-commerce, and that seismic shift toward the digital movement of money has been sustained.”

In this environment, it’s critical that customers feel confident in their ability to share their credit card information online, while at the same time they can conduct transactions as seamlessly as possible, he said.

He noted that at Visa, 90% of fraudulent transactions globally occur in a “card not present” environment, such as during e-commerce transactions. That’s up from 84% before the pandemic.

Watch for malware that targets small business employees

For most small and medium-sized businesses (SMBs), the biggest risks come from hackers breaking into systems to steal customer information, according to security experts. One of the most common ways they do that is by targeting employees in the company with some type of malware.

“What we see in the news is all about those larger enterprises getting breached, but the crimes are also happening in small and mid-sized businesses,” said Aparna Khurjekar, Chief Revenue Officer of Verizon Business, citing various forms of what is called “social engineering.” This refers to any type of attack that tricks people into giving sensitive information for illegitimate uses.

“People are pretexting and smishing and phishing, and pushing malware into the endpoints and then going from there,” she said. Pretexting refers to using a fake story to persuade users to give personal information, such as an account password. Phishing refers to entities posing as a trusted contact to gain sensitive information or to convince users to download malware, and smishing is a type of phishing that uses mobile text messages specifically.

Other societal and technological changes that add to the cybersecurity risks that SMBs face include the trend toward working outside the office, which has resulted in more employees potentially logging into corporate networks from unsecure locations; the increasing use of mobile devices to access corporate networks, and the growing sophistication of technologies such as artificial intelligence (AI) and quantum computing.

Beware of advanced hacking technologies: ‘The bad guys are going to start using it more and more to design new types of attacks’

AI, while it performs useful functions in helping devise ways to protect customer information, could also be used by cybercriminals in new ways to unlock gateways into business networks and steal customer data, said Jeff Crume, Distinguished Engineer, IBM Security Americas, in a recent presentation. Such uses of artificial intelligence for nefarious purposes are called “adversarial AI,” he said.

“The bad guys are going to start using it more and more to design new types of attacks,” said Crume.

Quantum computing, a type of computer system capable of solving problems too complex for traditional computers, is another growing threat, he said. These systems could be used to break the cybersecurity algorithms that have long protected data on traditional computer networks.

According to the Cost of a Data Breach Report 2022 from IBM Security and Ponemon Institute, the average cost of a data breach reached an all-time high of $4.35 million last year, up 2.6% over the average cost in 2021 and up 12.7% over the average cost in 2020.

Meanwhile, Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, which could include the use of stolen credentials, phishing or simply an error.

“People continue to play a very large role in incidents and breaches alike,” the report concluded.

It is especially important for SMBs, which may not have the resources to invest in the strongest cybersecurity defenses, to remain vigilant about protecting their customers’ data, these security experts said.

What SMBs must know to protect against data breaches

Verizon Business’s Khurjekar outlined a process SMBs can undertake to help protect their customer data against cyberattacks:

• Start from the get-go: Security should be built in from the very beginning of a company’s operations, Khurjekar said.

“Don't think of security as something that comes in later and gets overlaid,” she said. “With everything you do, with all of the information that you have, and every kind of data that you are storing, start with the right kind of architecture.”

That includes using the right solutions for storing data in the cloud and ensuring that you have a tight grip on how that data is accessed.

• Partner with reputable companies: Often, security breaches occur when third-party vendors such as suppliers and service providers are compromised, so the SMS should vet their partners carefully if they are accessing a company’s network.

“You could be absolutely perfect, but then you connect a device or an application that’s the Trojan horse, and you are as vulnerable as the next person sitting next to you,” Khurjekar said.

• Ensure that you have secure network connections. This includes making sure that your business is on a safe network, including for Wi-Fi connectivity.

“Companies like Verizon are inherently working on end-to-end network security, DDoS [distributed denial of service] protection, protection for their gateways, and more,” Khurjekar said. “That's where I think businesses can be doing a lot.”

• Consider all endpoints: Businesses can have a lot of endpoints for connectivity, including employees’ mobile phones, tablets, smartwatches, and other devices.

“What we recommend to a lot of our small to medium-sized businesses is to own your devices,” said Khurjekar, rather than letting employees use their own personal devices to connect to the company’s systems.

“You can't control that device as well as you would be able to control a device that you own,” she said, citing what she calls “mobile device management,” which allows companies to separate corporate applications such as email and calendars from employees’ own applications.

• Employ a mobile threat defense: Businesses should also add another layer of cybersecurity with a solution that can help protect devices by detecting compromised applications and blocking access to unsecure websites, for example, Khurjekar said.

• Train employees: There is a wealth of information available online for SMBs seeking to better protect their customer data, including annual reports on cyberattack trends from Verizon, research from the Global Cyber Alliance and advice from government agencies such as the Federal Communications Commission. Businesses need to make sure they are up to speed on the latest information about cybersecurity, and make sure their employees know how to best prevent social engineering and other intrusions.

White of Visa agreed that training employees about the potential for data theft is key.

“Getting educated and staying up to date on the latest cyberthreats is really important,” he said, noting that Visa has extensive information on security that businesses can use to help protect themselves and their customers.

SMBs also need to have a system in place to regularly review their potential vulnerabilities, White said. Hackers are specifically seeking out businesses that have lax security, he pointed out.

One trend in cybersecurity that shows promise for preventing cybercrime is multifactor authentication (MFA), said Crume of IBM. MFA refers to multi-level security that requires users to have two or more credentials to log in, such as both a password and biometric identification.

“It’s not a new idea, but the idea that I can prove my identity to the system based upon something I know, something I have, and something I am — those three things together or some combination … can lead to better security,” he said. “We’ve seen more widespread adoption of more multifactor authentication, [and] that’s going to be a good thing for us all.”

In the meantime, Crume said he expects cyberthreats to continue.

“It’s going to be a little bit of Groundhog Day — what we have seen in the past, we will continue to see in the future, until we learn how to solve these problems,” he said.