How Small Businesses Can Improve Their Cyber Security


The threat of hackers and cyber-criminals is very real, for large companies and small businesses alike. That means that business owners must accept that a strong cyber-defense system is a must in the modern business world. The good news is that there are lots of security firms out there willing to help.

“Don’t waste one second considering hosting your own software on a server that you own,” says Kevin Stecko, founder of 15-year-old online apparel shop 80sTees.com. He should know: in 2012, Stecko was head down, focusing on selling vintage t-shirts, when he discovered he’d been the victim of a cyber breach. Several of his customers discovered that their credit cards had been hijacked, and their credit card companies identified transactions with Stecko’s company as the common link. “We were not prepared at all for it and we didn’t know what the heck we were doing,” says Stecko. “I called my lawyer, I called some security consulting firms, I called the banks and asked them for help—no one gave me any good information.”

It was the Secret Service, oddly enough, that came to the rescue. Having been notified by the affected banks of the security breach, the organization contacted Stecko and began an investigation, discovering that, most likely, 80sTees servers had been breached by hackers using the compromised computer systems of senior citizens.

Following the breach, Stecko hired credit card processor Cybersource ($500 a month), order management platform Order Motion and ecommerce platform Shopify ($1,000 per month) to handle his operations, making it unnecessary for 80sTees to store any credit card data at all. All three firms abide by the security guidelines set by the Payment Card Industry (in other words, they’re PCI compliant). Altogether, security costs Stecko about $7,000 per month, less, Stecko says, than if he were doing it all within his own organization. “These are companies that process billions of dollars of transactions, and therefore have the capability to hire much smarter people who are focused on security,” says Stecko, who also implemented two-step authentication at his company.

Used gift card marketplace CardCash is also a fan of outsourcing the defense of its sensitive data, says CEO Elliot Bohm. “When it comes to credit card data, it’s best just to outsource it to a company that does it well. You just have to focus on your business and not on other things which could be a distraction and could just cost you a lot of money and you’ll never be able to do a good job at it anyway.”

Digital gift cards generated $95 million in revenue for CardCash last year, and details of its system of third-party fraud detection software and internal protocols are well-kept company secrets. But Bohm stresses that human oversight is essential to any security protocol. “Never have too much faith in your technology: I’ve seen many companies – especially startups – start with a service or develop certain technology and once they have their engineering teams saying ‘it works!’ they close their eyes and have full faith in it. Before they know it, it doesn’t work out the way they’d anticipated.”

Even those entrepreneurs who start from a place of security savvy can sometimes find themselves the victims of hackers. As CEO of the New Jersey-based Berkeley Varitronics Systems, Scott Schober makes a living selling tools that secure connections between wireless devices, largely to government agencies such as the U.S. Department of Defense, the FBI, the CIA, the Secret Service and even the White House.

In 2013, Schober discovered that his company’s credit and debit cards had been hacked, followed by its Twitter account and, in early 2014, its checking account. “I came in on a Monday morning and checked online and there was about $65,000 taken out. That got me very concerned.” A subsequent investigation suggested that hackers had breached his bank and mimicked a teller to fraudulently wire funds out of his account into another account. Evidence also showed that Schober’s HQ had been the victim of dumpster-divers, who pieced together a shredded credit card.

Since the breach, Schober has spent almost $50,000 to protect Berkeley Varitronics, which enjoys annual sales of just over $5 million. His company uses Shopify to handle its ecommerce, has installed cameras in and outside of its offices, and educates employees about outside threats, how to be vigilant and what to do if they smell something fishy. Wireless access also tends to be a breach point for many businesses, as hackers can sit near a company’s routers and, sometimes, manipulate company employees into giving them network access codes over the phone by pretending to be employees who simply forgot their passwords. Says Schober: “Whether this is a two-person business or a 40, 50 or 100-person small company or even larger, having trained personnel that are security-conscious is extremely important.”

Schober also hires a third-party security firm to conduct penetration tests—essentially attempting to hack into his system to kick the tires of his defenses. Says Schober: “Testing everything – from A to Z – to find out where your weaknesses and vulnerabilities are, I think, is worth paying a couple thousand dollars, for any small business, to have done at least once a year.”

At SeatGeek, a New York-based online and mobile aggregator of event ticket sales that processes thousands of transactions a month, an internal team does its best to breach the company's own system a couple of times a year to make sure defenses are up to snuff. Whoever finds a chink in the SeatGeek armor receives a gift card, says cofounder Jack Groetzinger. “In the end it’s for the pride of having found a weakness and fixed it.” As part of its daily operations, SeatGeek relies on Spreedly to store user credit card information and on Matasano to perform security audits.

At JAMF Software in Minneapolis, the company kicks its own tires every time it releases new products to a customer, about every six weeks. Tight security is imperative, and almost 20% of the company’s R&D expenditures go toward security. As an enterprise solutions provider, any compromised software JAMF ships could harm any number of its 4,300-plus clients’ fleets of devices (we’re talking about clients like Salesforce, Pixar and Axel Springer). “Every product release goes through the automated internal penetration testing,” says JAMF information security lead, Jason Van Zanten. “Then, periodically, we engage with third-party consultants to go through a more thorough code-assisted penetration testing.” JAMF also tests the security of its software against mock third-party hackers even before launching new software.

But hiring security services firms doesn’t let the average entrepreneur off the hook. Just because the work of defending a company’s sensitive data can be outsourced to a third party doesn’t mean the buck also gets passed when hackers break through. SeatGeek VP of engineering Adam Cohen says, “every company is ultimately responsible for the security of its products, but the more that you can use reliable third-party systems, the fewer vulnerabilities you have to worry about and – perhaps more importantly – the lower the potential damage that would be caused by an attack.”