In the final weeks of 2013, Target experienced a massive security breach when hackers gained access to the credit and debit card information of thousands of holiday shoppers. Though shocking at the time, this was just the first of many big business security breaches to dominate the news. Throughout 2014, numerous well-known businesses, such as Goodwill, Home Depot, Michaels and Sony, were the victims of security breaches in which hackers gained access to personal customer or employee data. While these big business security breaches were well-publicized, the many small business breaches went relatively unnoticed — despite the fact that breaches at small businesses make up a large portion of the overall breaches that happen in the U.S. According to Symantec’s Internet Security Threat Report, by 2012 small business breaches had already risen to 31 percent. These security breaches can rob small businesses of their hard earned reputations, causing customers to drift away and revenue to disappear.
In March of 2014, El Agave, a Mexican restaurant in Fairmont, Minnesota, learned just how damaging a small-business security breach can be. “Someone was spending our customers’ money all over the United States, and the last time the customers used their credit cards was at our establishment,” said restaurant owner Elfego Acosta. “Then, two of these customers said they hadn’t used their cards to buy anything at the restaurant recently, but they had in the past. Their credit card information had been saved in the restaurant’s POS [point-of-sale] software system.”
Acosta said, “A lot of customers had it in their minds that we had something to do with the breach. They were worried about how we handle credit cards and payments after that. If they lost something, we lost three times more than that.” Acosta believes that the security breach affected business at El Agave for about six months, causing sales to drop by approximately 35 percent during that time.
Collecting customer data has become an everyday practice for most businesses regardless of their size. Every time a consumer makes a purchase online, signs up for a loyalty program, or buys a monthly membership — for example, to a gym or local car wash — he or she is providing personal data that is then stored by the company. And any stored customer data is vulnerable to hackers. John Cassady, CEO of Philadelphia-based EverWash Car Club, a mobile app that enables users to sign up for monthly memberships with local car wash operations, said, “It’s critical for small businesses offering any type of online transaction to hire the right people to build the proper ecommerce platform. They should hire experts who have a real understanding of what security means because there are a lot of options out there, and if you don’t have the right person or development team who can make sure that every aspect of the customers’ journey provides a seamless, safe and protected environment, then chances are they are not providing customers with a very secure shopping experience.”
Very often, small businesses, especially those without a web presence, believe they are too small to be targeted and, therefore, they do not need to hire an IT professional to build a secure network. But small businesses can be easy prey for hackers attracted to credit and debit card information that could be stored in POS software. After the security breach at El Agave, Acosta said, “We hired a software and networking guy to redesign our network, hoping it would be a little harder for others to access. We’re not like Target or Sony. We only have two computers. I’m not a computer guy at all, but we did what we could, and we wanted our customers to know that we were working on it.”
In addition to hiring an IT professional who can ensure a business’s network has up-to-date security, owners also need be careful when purchasing software. Phil Ives, co-founder of software development firm Rain Everywhere and the lead developer for EverWash Car Club, explained, “Whatever the end computing resources are, whether it is a website or an accounting program, you want to make sure that those services are offered by well-known providers with clear security policies.”
Another critical but often overlooked risk to small business security is passwords — especially passwords that are too simple, used repeatedly at multiple websites, or shared with employees. “For years, I used two levels of passwords: I had a hard password for my bank account and a couple other really important things but when little websites needed me to register, I used a password formula that was simple and always the same. But using the same password is one of the biggest security issues for businesses. If hackers get ahold of that password, they can try it at every single website,” Ives said.
To increase a password’s security, Ives recommends using a password manager app, such as Dashlane or Apple’s Keychain. These apps generate a different password for every website they access. “Password managers are important for small businesses because very often passwords are shared with employees. A good password manager can change all the passwords, so if somebody quits or gets fired, every single password changes. The business owner doesn’t need to sit down and spend hours changing them all,” Ives said.
In the aftermath of last year’s high-publicity security breaches, consumers are more cautious than ever about sharing personal information with businesses; however, this information can be essential for companies with targeted marketing campaigns, loyalty programs, or monthly memberships. Ives points out, “Consumers are going to be asking security questions more and more. That’s why it is important for small businesses to be clear about why they are collecting the information that they are. Collect as little data as you need to.”
Good communication with customers will go a long way toward building trust. Gene Marks, founder of The Marks Group PC, which sells customer relationship management business software, encouraged owners to have a clear security policy that they share with customers. Such policies should explain why the data is being collected and the measures being taken to protect that data, such as the specific software being used or password-changing procedures. “This will show your customers that you care about the privacy of their data and that you are taking steps to make sure their data is not used outside of the company,” Marks said.
Once customers discover hackers have gained access to their personal information, they’re often very reluctant to trust the business again — even with something as simple as a purchase. After word of the security breach at El Agave spread around the small town of Fairmont, Minnesota, many customers were reluctant to return to the restaurant, convinced that the establishment had played some role in the theft. To restore the business’s reputation, Acosta and the owner of El Agave started posting letters to the business’s Facebook page, trying to explain what had happened. Then, things began to turn around when another small business owner in the community began publically defending El Agave on Facebook. “She was posting on Facebook, encouraging people to come to El Agave for a margarita or to spend some money. She was trying to tell people that they didn’t need to be rude because of one accident,” Acosta said.
Grateful for what she was doing, Acosta offered to reduce her bill at the restaurant by 20 percent anytime she and her friends wanted to come in. Soon, the restaurant decided to make this same “customer appreciation” offer to all its customers, reducing every bill by 20 percent for a period of time. “Then, people started spreading the word that we were trying to get their business back. That’s how we got back on track,” Acosta said.
For consumers, security breaches can be scary as they imagine their personal information — like their home address, debit card number or license plate number — in the hands of hackers. For small business owners, though, the cost of repairing the damage done by a security breach is almost immeasurable. After a breach, there is no telling what it will take to regain the customers’ loyalty or how many sales will be lost in the process. The best approach owners can take is not to wait to implement security measures but rather to realize that security breaches are like all theft — they happen every day to businesses of all sizes. And it is always better to be safe (and network secure) than sorry.