Loss Control Insights for
Preventing Data Breach and Cyberattacks: Tips for Petroleum Marketers
If cybersecurity and cyberattacks have been on your mind a lot recently, it's no wonder—attacks by hackers, unprecedented in scale, have been making big headlines as they shut down popular websites and steal passwords and credit card numbers by the millions. You may think you’re not a target for such attacks because you aren’t a huge multi-billion dollar corporation, but it turns out that cyber criminals are increasingly taking aim at small- to medium-sized businesses. These smaller organizations are usually less sophisticated when it comes to information security, making them vulnerable (and lucrative) targets.
Want to shore up your security and make your organization less attractive to bad actors online? These tips are a good place to start.
Know What’s at Risk
Depending on your operations, you probably store a variety of information that could be considered valuable to cyberattackers.
- Customer information used for billing or credit checks
- Payment information from POS systems or your merchant/bank interface
- Fleet card information
- Employee information used for payroll or hiring
If this information is exposed, it could cost you a lot. Besides the monetary impact of required customer notifications or mandated credit monitoring, data breaches and cyber events can also temporarily shut down your business and damage your long-term reputation and relationships with customers.
Common Cyber Threats
Skimming - If you have point-of-sale (POS) systems, skimming should be on your radar. A skimmer steals payment card information from your POS or an ATM. This can be done by hacking the POS software or by physically attaching a device to a card reader or PIN entry keypad. For more on this, read Preventing Card Fraud at the Pump.
Malware and Ransomware - Malware is any kind of hostile or intrusive software. The term includes viruses, spyware and other malicious programs. Ransomware is a specific kind of malware that takes control of your computer or network, holding your data hostage until you pay a ransom. Read more in Don’t Fall Victim to Ransomware.
Phishing - This is a technique for delivering malware or acquiring personal information. The phishing victim receives a legitimate looking email or text message that contains a link or attachment. Clicking the link or opening the attachment may direct the victim to a fake but realistic-looking website asking for personal information, or it may immediately install malware on the victim’s system.
Denial of Service Attack - This attack seeks to make your network or website unavailable to users by bombarding your resources with so many simultaneous requests that your system is overwhelmed and can no longer process legitimate traffic. This may simply disrupt your business, or a hacker may take advantage of the confusion and breach your system through another point without being noticed.
Fortify Your Defenses Against Cyberattacks
Use effective passwords and change them regularly. Always change the default password on any device or software you install. Create separate user accounts for each employee and require password protection for their devices. Strong passwords are at least eight characters with a combination of upper and lower case letters, numbers and symbols. Do not post passwords anywhere or share them with anyone, and don't use the same password for all of your accounts.
Secure your wireless networks. Upgrade from the default WEP encryption standard to the much stronger WPA2 standard and enable MAC address filtering. Don't use default passwords to protect access to your router. Hide your network name from drive-by hackers by disabling Service Set Identifier (SSID) broadcasting.
Install and maintain antivirus programs. Set your antivirus software to update automatically so you’re always protected against new threats. Implementing content filters can help prevent employees from intentionally or unintentionally accessing websites that are most likely to contain internet threats, such as malware and viruses.
Install and use a firewall. A firewall is a program that prevents outsiders from accessing data on your private network. Use both software and hardware firewalls. You may also want to use firewalls or similar restriction technologies to segment your networks, keeping a compromised device on one network (for example, a workstation at a C-store) from having access to all the other devices in your networks (like those in your company headquarters). If you have multiple stores in your operation, it's good practice to keep them separated from each other on the network.
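As an added illustration of the store segmentation described above (this ruleset is not from the original article), here is an nftables policy for a single store's firewall. It assumes hypothetical addressing: the POS segment is 10.10.1.0/24, the back-office workstation segment is 10.10.2.0/24, headquarters is 10.0.0.0/16, and the payment processor is 203.0.113.10 (a documentation address standing in for the real one). POS devices may only reach the processor; nothing on the POS segment can initiate connections toward the back office or headquarters, so a compromised C-store workstation or register cannot roam through the rest of the network.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original article.
# Assumed (hypothetical) addressing:
#   POS segment          10.10.1.0/24
#   Back-office segment  10.10.2.0/24
#   Headquarters         10.0.0.0/16
#   Payment processor    203.0.113.10  (documentation range, stands in for the real host)
#   Store DNS resolver   10.10.2.53
flush ruleset

table inet store_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections we already allowed.
        ct state established,related accept

        # POS terminals may talk only to the payment processor (TLS) and the store resolver.
        ip saddr 10.10.1.0/24 ip daddr 203.0.113.10 tcp dport 443 accept
        ip saddr 10.10.1.0/24 ip daddr 10.10.2.53 udp dport 53 accept

        # Anything else leaving the POS segment toward internal networks is a red flag: log it.
        ip saddr 10.10.1.0/24 ip daddr { 10.10.2.0/24, 10.0.0.0/16 } log prefix "pos-lateral-drop " drop

        # The back office may manage the POS segment over a short list of ports and reach HQ.
        ip saddr 10.10.2.0/24 ip daddr 10.10.1.0/24 tcp dport { 22, 443 } accept
        ip saddr 10.10.2.0/24 ip daddr 10.0.0.0/16 accept

        # HQ may reach the back office, but never the POS segment directly.
        ip saddr 10.0.0.0/16 ip daddr 10.10.2.0/24 accept

        # Everything not matched above falls to the drop policy; log it for review.
        log prefix "store-fwd-drop " drop
    }
}
```

Loading this with `nft -f` on the store firewall applies it; the two log prefixes give you something concrete to alert on, since any "pos-lateral-drop" entry means a POS device tried to reach a network it has no business contacting.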
Do not open email or attachments from unknown sources. Be suspicious of unexpected emails containing attachments from unfamiliar sources, especially if they are not work-related, have unusual subject lines or contain web links. Cyber thieves can use attachments to install viruses or other malware on your computer.
Control access to computer equipment. Log off or apply a screen lock before leaving your computer and use password-protected screensavers. Protect mobile phones with a passcode and install security apps to prevent information theft when on public networks. Lock up laptops when not in use.
Create backups. Back up data automatically if possible, or at least weekly. Store backups off-site or in the cloud and test periodically to make sure the files will be accessible if you actually need them.
Keep software updated and patched. Software is constantly being updated to fix newly-discovered security flaws. These changes are released to you in the form of software updates or patches. To make sure you're operating with as few vulnerabilities as possible, you should regularly update all software, including operating systems and browsers. Enable automatic updates if you can, and restart computers after patches are installed.
Train employees on computer security policies. Establish basic security practices and policies, including an internet-use policy and possible disciplinary action for violations. Establish handling procedures that protect customer information and other vital data. Most retail locations have a back-office computer somewhere that contains sensitive information and has access to your POS components. To help prevent a breach, this computer should only be used for work-related activities (that means employees shouldn't be using it for Facebook or personal email during break time).
Protect payment card information. Work with your bank or processor to ensure antifraud services are being used. Separate your payment systems from other, less secure programs, and don’t use the same computer to process payments and surf the internet.
Get technical expertise and outside help when needed. If you don't have technical IT staff, you may want to consider working with a third-party service provider with experience in remote access management and network design for retailers. IT experts can conduct penetration testing (to find vulnerable points of entry into your systems), review your internal controls and help you analyze your processes and data to eliminate exposures that aren't necessary. When considering outside assistance, it's important to make sure the company is on the up-and-up. Ask for a client list or references, and find out how long the company has been in business.
Plan for a breach. Designate an incident response team that will act in the event of a data breach or cyberattack. This team should include legal counsel, senior management, any information security staff or contractors, and the person who handles your PCI compliance (if you accept payment cards). Conduct tabletop exercises (practice sessions) periodically where you create a cyberattack or breach scenario, then walk through the organizational response step by step, looking for gaps in your plan.
Consider insurance options to protect your organization financially. Cyber events are usually not covered by your Commercial General Liability policy, so if you want coverage for expenses such as customer notification and systems restoration you'll need a special policy or add-on endorsement. Talk to your insurance agent about coverage details and determining a realistic estimate of your liability exposure. EMC Insurance offers a product called CyberSolutions, which combines cyber liability and data compromise coverage.