This week's guest blog post is from Emily Ludwig and the team at eWAY Australia. eWAY processes billions of dollars in payments every year across the globe for tens of thousands of businesses, offering them a safe and reliable payment gateway, the cornerstone of eCommerce growth and success.
According to the Commonwealth Government's Stay Smart Online guide for small businesses, cybercrime costs Australia around $1 billion per year, with 59% of Australian organisations having their business interrupted by cybercrime every month.
With statistics like those, now more than ever is the time for cybersecurity and safety measures to be top of mind for business. In an age where everything can be done more conveniently online, it is vital to improve your business's cybersecurity resilience so that your customers can trust you with their personal information.
Here are 5 steps to take towards improving your cybersecurity:
1. Get better acquainted with the risks
No matter the size and scale of a cyber attack, the effects can be catastrophic for your business. Attacks may include infections such as viruses and malware, or unauthorised access to your systems and to the systems of others. The effects can range from financial loss, such as the theft of money and financial information, to business loss, which could include damage to your reputation and significant downtime while you recover.
Familiarising yourself with how these attacks can be carried out is a way to start minimising these online threats.
2. Maintain due diligence and tech infrastructure
There are tools and processes that exist to safeguard your business from cyber threats and it is your responsibility to implement them. As a good practice, you should:
- Use spam filters to reduce the amount of spam and phishing emails that your business receives.
- Set up firewall security to protect your internal networks from the threats coming from the Internet and WiFi.
- Encrypt your data when stored or sent online, so only approved users can access it.
- Create strong passwords to protect access to your business devices, and change those passwords regularly.
- Consider cyber-insurance to protect your business against the costs and resultant downtime that may result from attacks.
3. Choose a cybersecurity partner
Keeping up to date with the latest in cybersecurity can be time-consuming; however, there are trusted companies dedicated to providing cybersecurity for small businesses.
One example is Trustwave, which offers TrustKeeper PCI Manager, an all-in-one security and PCI compliance product that helps protect your business from cyberthreats. It does so with a range of enterprise-level online tools, including anti-virus, remote access security, point-of-sale device monitoring, mobile security, and more.
4. Stay compliant with a set of security standards
Most businesses that receive and store credit card data are not meeting the compliance requirements that apply to them. The first step towards compliance is to adopt a cybersecurity policy that states, in clear and simple terms:
- What data you will collect, and how
- Where you will store it
- How you will protect it throughout its life
The protections consist of technology, people and business processes.
A cybersecurity policy typically covers:
- Roles and responsibilities for cybersecurity in your business
- System and network configuration
- IT Change control policy – who can approve and make changes to computer systems
- Keeping details on systems processing credit cards and account data
- Patching of security vulnerabilities
- Security scanning of networks, websites and computers
- Keeping administration passwords secure and safe
Data classification and handling typically covers:
- What types of data do you hold?
- What form is it in? Electronic? Paper?
- Where do you store it?
User acceptable use policy typically covers:
- Password requirements
- Email standards
- Handling of sensitive data, removable media and technology
- Locking of devices
- Social Media and internal access standards
Data Retention and Disposal typically covers:
- Paper and electronic media handling
- Firewall and network administration
- Anti-Virus and endpoint protection
- Encryption policy
- Remote access
- Cloud systems
- Incident Response Plan
- Protecting devices at point-of-sale
- Risk assessment process
- Supplier requirements
- Use of PCI-DSS Level 1 suppliers to process cards
- Use of PA-DSS software for processing cards
- Approving and monitoring suppliers and contractors
Fortunately, you are not alone, and there is support available to help you towards compliance. eWAY's Merchant Trust Initiative provides a tool to generate a cybersecurity policy that is appropriate for your business. The protections you need to put in place are well summarised by the PCI DSS security standards, and while the standard focuses on account data, its principles can be extended into a comprehensive security and privacy management system. We see that organisations which are PCI DSS compliant are less likely to be hacked, and less likely to suffer loss and damage to their customers' trust.
5. Regularly update and review your security systems
As cyberthreats continue to evolve, so too do the security measures that exist to counteract them. It is important to regularly update applications, including anti-virus software, plugins and operating systems to fix any potential vulnerabilities that new and sophisticated cyber attacks may exploit.
It is also good practice to back up your business's data regularly and to retain the backup in a safe location, preferably protected or isolated from the device the data is being backed up from. This could be done with an online backup via a cloud service, or with an external storage device such as a USB drive or external hard drive.
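A backup only protects you if it actually lands somewhere separate from the machine being backed up and can still be restored later. The script below is an added example written for this post, not an eWAY tool or a product mentioned here; it assumes a small business with a data folder and an external drive mounted as a directory. It goes a step beyond the paragraph above: besides creating the archive, it records a SHA-256 checksum in a manifest, checks that the destination is on a different volume than the source, and performs a trial restore into a scratch folder to confirm the backup matches the live data.

```python
"""Hypothetical backup helper (added example; not eWAY's code)."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large archives never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def on_separate_volume(source, dest):
    """True when the destination sits on a different device/filesystem than the source.

    A backup on the same disk is lost together with the original if that disk fails
    or is encrypted by ransomware, so the manifest records this check.
    """
    return os.stat(source).st_dev != os.stat(dest).st_dev


def make_backup(source, dest):
    """Archive `source` into `dest` and write a JSON manifest with the archive's checksum."""
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest = {
        "archive": archive.name,
        "sha256": sha256_file(archive),
        "size": archive.stat().st_size,
        "created": stamp,
        "isolated": on_separate_volume(source, dest),
    }
    manifest_path = dest / f"backup-{stamp}.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_backup(manifest_path):
    """Recompute the archive checksum and confirm the archive still opens cleanly."""
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text())
    archive = manifest_path.parent / manifest["archive"]
    if not archive.exists() or archive.stat().st_size != manifest["size"]:
        return False
    if sha256_file(archive) != manifest["sha256"]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()  # forces a full read of the tar headers
    except (tarfile.TarError, OSError):
        return False
    return True


def restore_matches_source(manifest_path, source):
    """Restore into a scratch directory and compare every file's hash with the live copy."""
    manifest_path, source = Path(manifest_path), Path(source)
    manifest = json.loads(manifest_path.read_text())
    archive = manifest_path.parent / manifest["archive"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction, Python 3.12+
            except TypeError:  # older interpreters lack the filter argument
                tar.extractall(scratch)
        restored = Path(scratch) / source.name
        for path in source.rglob("*"):
            if path.is_file():
                twin = restored / path.relative_to(source)
                if not twin.is_file() or sha256_file(twin) != sha256_file(path):
                    return False
    return True


if __name__ == "__main__":
    # Constructed sample data so the script runs offline; real use points these at
    # the business data folder and the mounted external drive.
    root = Path(tempfile.mkdtemp())
    data = root / "shop-data"
    (data / "orders").mkdir(parents=True)
    (data / "orders" / "2024.csv").write_text("id,total\n1,42.00\n")
    manifest = make_backup(data, root / "backup-drive")
    print("manifest:", manifest.read_text())
    print("verified:", verify_backup(manifest))
    print("restore ok:", restore_matches_source(manifest, data))
```

In the manifest, `"isolated": false` is the signal to act on: it means the archive ended up on the same volume as the data and should be moved to the external drive or cloud location before it is relied upon. Running `verify_backup` and `restore_matches_source` on a schedule turns "we have backups" into "we have backups we know we can restore".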
About the Author
Emily Ludwig is the Marketing Coordinator for AU / NZ at eWAY, a part of the Global Payments Network.
Sources: Norton SMB Cyber Security Survey 2017; Australian Financial Review, 13 August 2018, "More needs to be done by SMEs on cybersecurity: Angus Taylor".