Dara Security

SMBs: Information Security Is Not An Option

July 28, 2014

News outlets are increasingly reporting stories of businesses hacked by cyber criminals. It is typically the well-established large company whose breach has affected millions of customers, causing other similarly sized companies to quickly take stock of their information security posture.

SMB Security Breaches Are More Common

However, protecting information is not reserved just for large companies that store a vast amount of customer data. Trends show that smaller merchants are falling victim to hackers as well. A recent article published by the LA Times states that “for every high-profile case, there are dozens of threats to confidential data held by everyday enterprises: wine shops, dentist offices, colleges, makers of dog tags, defense electronics, sports gear.”

Many SMB owners mistakenly assume that contracting card processing to a payment company transfers the obligation of protecting cardholder data to the contractor. However, the SMB is not released from this accountability. In fact, the PCI Security Standards clearly state that the SMB is responsible:

"Small merchants are prime targets for data thieves. It's your job to protect cardholder data at the point-of-sale."

SMBs Are Vulnerable

The statistics show that hackers take full advantage of SMBs that have not taken steps to protect their systems. Visa's recent report revealed that 96% of successful attacks were on merchants who process fewer than $1M in annual transactions. Opportunities abound for hackers, who have successfully used SMBs with vulnerable networks to gain access to a larger company's network, as was the case with the Target breach of 2014.

Should a breach occur, an SMB faces penalties, fines, and lawsuits. Many states require the breached organization to disclose the breach and notify customers if more than 500 consumers have been affected. Oftentimes, a small merchant with tight resources cannot recover from the financial loss and damage to reputation and brand.

Clearly, smaller businesses must now include information security as a part of doing business. Data protection should be considered an investment in the longevity and preservation of the business rather than a hindrance to the immediate bottom line. For larger companies, the Target breach was a wake-up call to protect their systems. However, Target's unfortunate incident should also drive SMBs to secure their networks, as it was a smaller merchant's unsecured network that played an integral part in this record breach.