Even though federal officials have recently taken down a large international credit card fraud ring, IT security experts are warning small and medium-sized businesses that the long-term prospects for this type of criminal activity are still alarmingly strong. All legitimate organizations that deal with sensitive financial information such as credit card numbers and expiration dates need to understand how to protect their customers' privacy better. This involves understanding how the criminals in the recent card fraud ring operated.
The FBI has expressed reluctance to go into detail about the methods used by the hackers, but IT security experts are well acquainted with typical patterns of cyber-criminal activity. According to George Tubin, who specializes in online security and financial fraud, one likely route into a company's system is through a phishing attack: "It's all malware-driven… attacks are on the rise," he says, adding that the business "has employees that are using PCs that they take home and get hit with malware. Then they come back to work and connect to the network. And it's easy pickings for hackers, because these companies are just not used to protecting themselves from this sort of thing."
Bill Wansley, who possesses expertise similar to Tubin's, concurs, though he adds a caveat related to the need for managed security instead of an ad-hoc approach to the issue: "Just one gap exposes everything and everyone. It only takes one phishing attack to get in… Add-on security patches aren't going to protect you."
What Organizations Can Do
One of the most important things an organization can do to protect its information assets is to train employees to recognize phishing attacks. Although such attacks once emanated almost exclusively from email accounts, cyber criminals are now using a variety of routes in an attempt to establish trust so that a worker will let slip confidential details. Social media is a place where phishing often occurs, but hackers are also using text messages and even voice phone calls as they try to impersonate trusted organizations or individuals.
Better-trained employees are a primary line of defense against phishing, but so is the increased use of encryption. When all sensitive data is encrypted using ‘strong’ methods with complex keys, it is inherently more secure.
SMBs may not have the resources at hand to achieve full encryption of the data they need to protect. The solution for many lies in turning to outsourced IT to help fulfill this essential goal.