Pandemic lockdowns have seen a boom in online retail.
But Declan Ingram, deputy director of the Crown's Computer Emergency Response Team (Cert NZ), is warning small businesses not to cut corners in their rush to reach customers over the internet.
Ingram says a case in point is a North Island small business - which prefers not to share its shame - that came a cropper after not following a key payment processing standard.
It pre-dates the pandemic, but holds valuable lessons for those caught in the Covid rush to organise an "e-tail" presence.
It began when the business' owners noticed people had started to complain their website's payment page was behaving oddly.
"An attacker had got into their website and changed the payment process," Ingram says.
"So when someone entered information into their cart for the things that they wanted to buy, and then clicked pay, it took them to the attacker's website, which was skinned to look exactly the same as the real website - but they intercepted and took all of the payment card details."
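The attack Ingram describes leaves a trace that a shop owner can check for: the "Pay" form, or a script on the checkout page, starts sending customers somewhere other than the shop's own domain or its real payment gateway. The following script is an added example, not code from Cert NZ or from the affected business. It parses a checkout page, resolves every form action and script source, and flags any that point at a host outside a short allow-list or that are not served over https. The hostnames, allow-list and sample HTML are constructed for illustration.

```python
"""Audit a checkout page for payment forms or scripts that send customers
somewhere other than the shop's own domain or its known payment gateway.
Added example (not Cert NZ's or the affected business's code); the sample
HTML, hostnames and allow-list below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allow-list: the shop's own host and the gateway it actually uses.
SHOP_ORIGIN = "https://shop.example.nz"
ALLOWED_HOSTS = {"shop.example.nz", "pay.gateway.example"}


class CheckoutAuditor(HTMLParser):
    """Collects every form action and script source found on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.form_actions = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            # Resolve relative actions against the page URL so "/pay" is checked too.
            self.form_actions.append(urljoin(self.base_url, attrs["action"]))
        elif tag == "script" and attrs.get("src"):
            self.script_srcs.append(urljoin(self.base_url, attrs["src"]))


def audit_checkout(html, base_url=SHOP_ORIGIN, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    parser = CheckoutAuditor(base_url)
    parser.feed(html)
    findings = []
    sources = (("form action", parser.form_actions), ("script src", parser.script_srcs))
    for kind, urls in sources:
        for url in urls:
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"{kind} points to unexpected host: {url}")
            if parsed.scheme != "https":
                findings.append(f"{kind} is not served over https: {url}")
    return findings


# Constructed sample: a lookalike host has been spliced into the pay button,
# and an extra script loads from an unknown host over plain http.
TAMPERED_PAGE = """
<html><body>
<form id="cart" action="/cart/update" method="post"></form>
<form id="pay" action="https://shop-example-nz.example.com/checkout" method="post">
  <button>Pay</button>
</form>
<script src="https://shop.example.nz/static/checkout.js"></script>
<script src="http://cdn-stats.example.org/collect.js"></script>
</body></html>
"""

# Constructed sample of how the page should look.
CLEAN_PAGE = """
<html><body>
<form id="pay" action="https://pay.gateway.example/checkout" method="post"></form>
<script src="https://shop.example.nz/static/checkout.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout(TAMPERED_PAGE):
        print("FINDING:", finding)
    print("clean page findings:", audit_checkout(CLEAN_PAGE))
```

Run against a copy of the live checkout page on a schedule (fetched the way a customer would see it, since the tampering happened on the live site), a non-empty result is the early warning the business in this story got only from customer complaints.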
One of the owners - who requested anonymity - says, "Fortunately we identified the breach quickly and were able to act fast, meaning only a small number of our customers were affected. And by working with our bank we were able to avoid any financial loss for customers."
But the episode still left him around $100,000 out of pocket, which was made up of:
• Approximately $30,000 to rebuild the website. They did a lot of the work themselves, otherwise, it would have cost them a lot more.
• Approximately $30,000 to get the necessary security measures in place so the website would be protected and secure (and meet PCI DSS requirements), such as contracting someone for ongoing penetration testing.
• Lost revenue from being diverted from the work they normally do to grow their business
• Lost revenue from a halt in online sales
There was also un-tallied reputational damage from its site being offline - "as it can be perceived that the business is not robust and reliable".
The business owner's initial DIY efforts to repel the cyber attacker actually seemed to go well.
The malicious code that had been inserted into their website was identified and removed.
But the hackers continued to access the website in a relentless attack.
After a few sleepless nights, it became apparent the attackers were not going away. The owners were forced to delete their website and begin the expensive process of starting again.
All about the PCI DSS
But at least this time they did it right.
"It was a heartbreaking decision to make after years of building our online business, but we knew it was the right thing to do to protect our customers," the owner says.
However, after talking further with their bank the business owner learned there were further steps they could have taken to prevent a cyber-attack by meeting Payment Card Industry Data Security Standard (PCI DSS) requirements - a term they had never heard before.
That puts our small business owners in good company.
A recent Colmar Brunton survey of 508 small businesses (around half with fewer than 20 staff and half with fewer than five), found 61 per cent had no knowledge at all about PCI DSS requirements. Only 17 per cent had a reasonable knowledge.
Of those who had an online store, 39 per cent had never heard of PCI DSS compliance. A further 16 per cent had heard of it, but didn't understand what it was.
Established by an independent global body of major credit card companies in 2006, PCI DSS compliance is an international requirement for any organisation that accepts, transfers or stores customer payment data. It states that website owners are responsible for protecting customers' card information, even when they use a third party payment gateway.
PCI DSS is a list of requirements that, when followed, will put organisations in a strong position to defend themselves against attackers trying to steal customers' credit card details, Ingram says.
For a business owner this means taking the guesswork out of what they need to do, and having specific measures in place and documented to share with service providers, detailing exactly what is needed for security.
A small business owner should talk to their bank to be clear about their PCI DSS obligations, and whether their e-commerce site meets them, Ingram says.
"It's important to know that, as your business grows, so too do your website security requirements," says the owner. "Your web developers and third-party providers are not responsible for your website's security, you are by ensuring you meet PCI DSS requirements."
It may take a bit of effort to protect a business website, Ingram says, but this is a drop in the ocean compared to the time and money it takes to come back from a cyber-attack. Taking precautions now can mitigate security risks and the level of damage caused if a website is breached.
Cert NZ's top 3 tips for secure online retail
1. Make sure your e-commerce site is PCI DSS compliant
2. Make sure your web developer builds a site that supports secure communication. Look for a website address (URL) that begins with "https" rather than just http - the "s" is for secure. "That gives your customers a little bit of extra protection, because it means that the information being sent between them and your web server is encrypted and can't be viewed by other parties," says Cert NZ deputy director Declan Ingram.
3. Use long, unique and complicated passwords for every online service you access. You won't be able to remember them all, but that's where password management software comes in (where you only have to remember one password to access a service that will autofill for all your accounts). Cert NZ doesn't make recommendations for specific brands, but a recent New York Times round-up found 1Password the best.
It said LastPass, Dashlane and Bitwarden were also good options.
4. Keep all of your software up-to-date, with the latest security patches applied. Cert NZ offers an email alert service, giving you heads up when security holes are discovered in popular software.
5. Use "two-factor authentication" for the administrative functions of your website. For example, when not just a password but a code texted to a cellphone is needed to make changes to key settings.
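To show what the fifth tip looks like behind an admin panel, here is an added example that is not code from Cert NZ or the business in the story. The tip mentions a code texted to a phone; this example instead verifies the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, because that can be checked offline with only the standard library. The secret is the RFC's published test key, used here purely for demonstration, and the admin-setting function is a stand-in for whatever a real site's settings page does.

```python
"""Gate an administrative action behind a second factor.
Added example, not code from Cert NZ or the affected business. The article
mentions a code texted to a phone; this uses the time-based one-time password
(TOTP, RFC 6238) that authenticator apps generate, because it can be verified
offline. The secret below is the RFC's published test key, not a real one."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key, demo only
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """Time-based one-time password: HOTP over the current 30-second window."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, submitted, at_time=None, window=1):
    """Accept the code for the current window and one window either side, so
    a slightly slow phone clock does not lock the administrator out.
    Comparison is constant-time so timing does not reveal matching digits."""
    now = time.time() if at_time is None else at_time
    counter = int(now) // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def change_admin_setting(password_ok, submitted_code, secret=TEST_SECRET, at_time=None):
    """Simulated admin-panel check (hypothetical): the password alone is
    not enough to change key settings; the one-time code must also verify."""
    if not password_ok:
        return "denied: bad password"
    if not verify_totp(secret, submitted_code, at_time):
        return "denied: second factor failed"
    return "allowed"


if __name__ == "__main__":
    code = totp(TEST_SECRET)
    print("current code:", code)
    print(change_admin_setting(True, code))
    print(change_admin_setting(True, "000000"))
```

The one-window tolerance is the usual compromise between a phone clock that drifts by a few seconds and a code that stays valid for too long; a real deployment would also rate-limit attempts so a six-digit code cannot simply be guessed.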