September 12, 2014 – The U.S. is still waiting to determine the scale of the recent credit card breach at Home Depot, but there are already key takeaways for business owners and consumers. While this blog references Home Depot, it is equally relevant to the numerous breaches we have seen over the past year and the inevitable breaches yet to occur.
Breach statistics are often staggering, stretching into the millions and tens of millions of compromised records. How can an individual business or consumer protect themselves against such intimidating odds? Luckily, many breaches share characteristics that provide insight into how we can improve our own security and try to avoid becoming victims of these increasingly advanced cyber criminals.
As the details of the Home Depot breach continue to unfold, we wanted to provide some key takeaways that both consumers and business owners can implement immediately to take control of their privacy and security:
Takeaways for Consumers
- Avoid Using Your Debit Card – Federal Law protects individuals from fraudulent credit card charges, while debit card charges are only refunded under certain circumstances and with limits on reimbursement amounts. Debit cards may also be used for cash withdrawals at ATMs. Debit card PINs have not been officially included in the statements coming out of Home Depot, but well-respected security analyst Brian Krebs reports that banks are experiencing a “spike in PIN debit card fraud.”
- Set Up Alerts for Unusual Activity. Most larger banks and lending institutions allow for users to set up alerts for activity outside of certain parameters. For example, purchases over $300, purchases made out-of-state or web banking sessions started on an unknown device. These alerts allow consumers to quickly react to fraudulent activity instead of waiting for monthly statements.
- Request an EVM Chip + Pin Card. The U.S. will move to more secure credit cards, known as “Chip + PIN cards,” in October 2015. While not foolproof, these cards will help protect consumers from many common credit card fraud schemes. A growing number of banks are offering Chip + PIN cards ahead of the October 2015 deadline and retailers (with Target unsurprisingly leading the charge) are moving quickly to install Chip + PIN-compatible card terminals. Chase provides an introduction to this technology here.
Takeaways for Business Owners
- Commit to Information Security. We consistently hear that companies who experienced incidents were negligent when it came to protecting their customers’ data (even large corporations with robust IT infrastructures have failed to adequately address information security risks). We live in a world where SMBs as well as sole proprietors must evaluate their risks and implement basic controls. Putting it simply: doing nothing is negligence. Our Information Security Baseline Review provides a comprehensive view of an organization’s control environment and is adaptable to businesses of all sizes to help provide a strategy for getting started, or as we like to call it a “STARTEGY.”
- Evaluate Third-party Vendors and Contractors. When the dust had settled at Target (as well as the Goodwill and others) it was determined that a third-party vendor was the hacker’s point of entry. It waits to be seen if Home Depot has suffered from a similar vulnerability. Organizations must be diligent in reviewing third-party agreements, ensuring their vendors have adequate controls in place and restricting system access to only those areas needed to conduct business. Far too often these outside entities are the weakest link in the chain.
- Consider Cyber Liability Insurance. There has been a sharp spike in the adoption of cyber liability insurance over the past 12 months as companies realize they must prepare for the seemingly inevitable security incident. Coverage often includes the assignment of a breach coach to provide guidance in addition to helping alleviate the costs of response activities, including lost revenue.
For more information, please contact William Prohn at firstname.lastname@example.org.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.