It seems that every month a new cyber-hacking event makes the headlines. Just recently, former Secretary of State Colin Powell’s emails were hacked and released; before that, the Democratic National Committee emails were stolen and made public. These hacks were clearly politically motivated and, in the world of cyber crime, relatively modest.
Most hackings have a financial motive. Take the example of Anthem, the second-largest health insurer in the U.S., from which 80 million records were stolen in January 2015. That doesn’t even compare with an eBay hack in May 2014, which involved 145 million stolen records, or the Myspace hack of 164 million records in May last year. Other hacking victims include the IRS, Home Depot, J.P. Morgan, Chase and Verizon—the list goes on. Recently the hospitality industry
Theoretically, any business, small or large, that stores personal information from which cyber criminals could benefit is a target. It isn’t just credit card information they’re after, but any personal information that could be of value: Social Security numbers, driver’s license details and even home addresses. Cyber criminals can compile this information to create an accurate profile of an individual, with the intention to commit identity theft. Moreover, small businesses are especially at risk because their computer systems are generally not well protected, making it easier for cyber criminals to gain access. TrendLabs, a company that provides computer security hardware and software, has estimated that cyber criminals siphon over $1 billion per year from the accounts of small businesses in the U.S. and Europe.
Perhaps you feel that your spa is so small and the odds of an attack so slim that you’re prepared to take your chances. The reality is that, regardless of your spa’s size, its computer system is a potential target right now. However, you can lower the odds of a breach or minimize its damage with some basic knowledge and a few key security measures.
How Bad Can It Be?
Let’s take a hypothetical trip to Hacksville. You’ve just discovered that all of your clients’ credit card data has been stolen by a computer hacker. Now what?
First of all, don’t make the mistake of thinking that all you have to do is call the police. Any business that takes credit cards must abide by the Payment Card Industry Data Security Standard (PCI DSS). So, when a business owner even suspects a data breach, PCI data standards require an outside computer forensic examiner to conduct an investigation. This process may last days or weeks and will involve the shutdown of your point of sale (POS) equipment. Unless you can afford to close down for an indefinite period, your only choice is to lease or purchase another POS system to use during the investigation.
If the examiner finds that a breach has indeed occurred, the fun has only just begun. Every state except Alabama, New Mexico and South Dakota has requirements for business owners who have suffered a data breach. They define what constitutes a data breach, and determine the timing and method of notification. Sometimes the business owner may also be required to pay for clients whose data has been compromised to subscribe to a credit monitoring service such as LifeLock. The National Conference of State Legislatures’ website has links to the laws of the relevant 47 states, all of which can be accessed on ncsl.org by searching “security breach notification law”.
The business may also have to bear the cost of sending new credit cards to the customers affected by the data breach. First Data, an Atlanta-based, global payment solutions technology company, estimates that the average out-of-pocket cost for examination and compliance for a small business that suffers a data breach is in excess of $36,000. That’s in addition to any money that may have been stolen.
To harden your business’s computer system against potential hacks, start with your staff. Many companies become victims of cyber theft due to employee negligence, so it’s essential to establish and enforce rules for keeping your system safe. My law office’s sacred commandments are listed to the left. Do you think my employees have consistently followed these simple rules? None of them have, and yours probably won’t, either. Security policies are difficult to enforce, which is why about half of all small businesses fail to do so.
In addition to committing outright theft of data or money, some hackers simply want to destroy your data. One way to prevent this particularly insidious type of cyber attack is to consistently back up your data such as client lists, client files, scheduling calendars, and financial and billing data—in short, any data whose loss might cause a significant delay in the conduct of your business. Many businesses overlook this, and that’s a critical mistake. Keep in mind, however, that merely backing up data is an incomplete strategy. I’ve experienced three computer failures during my career, and each time I had an up-to-date backup copy of my data. However, I was able to restore the data to my system in only one instance; in the other cases, the restore function of the system I was using failed. In most cases, data is backed up automatically and it’s easy to check that it was successful. However, the restore function must be run by hand and is usually done only in an emergency. That’s why every backup system should include periodically restoring the data to see if it is still viable.
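The restore test described above, written out as an added example that is not part of the original article: it backs up a folder, restores the archive into a scratch directory, and checks every file's SHA-256 digest against the live data, so a backup that fails to restore or has gone stale is caught before an emergency. The folder names and file contents are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive and return its path."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return archive_path


def verify_restore(src_dir, archive_path):
    """Restore the archive into a throwaway directory and compare it with the live data."""
    expected = file_digests(src_dir)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # Use the safe extraction filter where the Python version provides it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = file_digests(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def demo():
    """Constructed scenario: a good backup passes, then the live data changes and the same backup fails."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "client_records"
        (data / "billing").mkdir(parents=True)
        (data / "clients.csv").write_text("id,name\n1,Example Client\n")
        (data / "billing" / "2016-09.txt").write_text("invoice 1001: $120.00\n")
        archive = make_backup(data, Path(work) / "nightly.tar.gz")
        fresh = verify_restore(data, archive)
        # The backup is now stale: a record was added after the archive was taken.
        (data / "clients.csv").write_text("id,name\n1,Example Client\n2,Another Client\n")
        stale = verify_restore(data, archive)
        return fresh["ok"], stale["corrupted"]
```

Run `demo()` on a schedule (or point `verify_restore` at last night's real archive) and treat any non-empty `missing` or `corrupted` list as a failed backup.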
Finally, if you haven’t had a computer system checkup lately, I strongly recommend you bring in an expert (not just an “IT guy”) at hardening systems against cyber attack. There’s a lot that can be done: for example, making sure the operating system is fully updated and any unnecessary programs removed. Internet browsers and email programs have settings that can be changed to make them more resistant to attack—including the option to block suspicious-looking emails until you manually allow them to be unblocked.
Think of your computer system as a house with 10 back doors. You wouldn’t leave the back door to your home unlocked; nor should you leave the back doors to your computer system unattended. You never know what kind of unwanted guest might wander in, what they’ll do once inside and how long they may intend to stay.
–by Michael L. Antoline, J.D.