How to Mitigate Damage from Data Breaches

More than 300 million coronavirus vaccine doses have been administered in the United States, paving the way for a potentially “normal” summer. Airline travel is already coming back: On Easter weekend, the TSA reported more than 1.5 million people passing through airport screenings, the highest number since March 2020.

Many businesses prioritized e-commerce optimization and delivery capabilities during the pandemic, putting in-store experience on the backburner. But now that more people are returning to pre-pandemic behaviors, businesses need to reassess their in-store operations, including payment security.

In the hospitality and food services industries, 90% of breaches happen with point-of-sale (POS) devices. If businesses aren’t ready for the influx of in-store payments that will come with a full reopening, cybercriminals will be. Devaluing data could be the solution to the issue that many businesses face as we return to indoor dining and traveling.

The risks of an outdated payment system

The events of 2020 contributed to an 80% increase in online transactions and a 20% increase in online restaurant orders from 2019. The shift in consumer preferences led businesses to concentrate on e-commerce and delivery functions, shifting their focus from in-store digital transformation initiatives like updating POS terminals.

Many people assume that in-store payments are more secure than those made online, but that’s not always the case. Online businesses typically provide high-security digital payments because their entire business model relies on it, whereas many brick-and-mortar stores still run on outdated computers and payment systems. Those businesses are even more vulnerable to data breaches as cybercriminals become more sophisticated with their attacks.

In 2019, the restaurant chain Checkers discovered that cybercriminals had installed malware on POS machines at more than 100 of its locations. The breach affected nearly 1.5 million transactions over a span of three years and cost the chain hundreds of thousands of dollars in settlements.

Companies also need to keep in mind the emerging threat of ransomware. Many ransomware attacks employ a “double extortion” model, where even if a company has made backups of their files that have been encrypted, the hackers can still demand a ransom if they find clear-text payment or sensitive data. If the company doesn’t pay up, the hackers can then threaten to expose this data.

Ensuring that payment systems are secure and up to date to avoid the exorbitant costs and reputational damage that come along with data breaches is crucial, especially as more people return to their pre-pandemic lifestyles.

How to mitigate damage from cyberattacks

All employees should be trained on cybersecurity best practices, from knowing how to spot phishing emails to setting strong passwords and using multi-factor authentication. Also important are frequent backups, including offline backups, so files can be restored in the event of a ransomware attack.

But the reality is that no matter how much you train your employees or back up your files, human error is inevitable and you can’t shield every endpoint on your perimeter from attackers. This is why you need to ensure that your sensitive data is unintelligible in the event of an attack — a practice known as devaluing your data.

The two main strategies for devaluing data are encryption and tokenization. Encryption is typically used to secure data in transit, while either encryption or tokenization can be used to secure data at rest in your systems. Both tactics make data indecipherable to attackers, so even if they access it during a malware or ransomware attack, they can’t sell it on the black market or commit fraud with it. Devaluing payment data is especially important considering 86% of cybercriminals are motivated by financial gain — and unfortunately for businesses, payment information is extremely valuable to attackers.

PCI-validated point-to-point encryption (P2PE) is a particularly effective solution. P2PE encrypts card data at the PCI PTS-approved point-of-interaction (POI) device, the moment a customer’s payment information enters your environment. The payment information can’t be decrypted until it has been securely transported to the P2PE solution provider’s decryption environment, which resides and is managed outside of your merchant environment. Using a validated PCI P2PE solution reduces costly, time-consuming PCI DSS assessments and can help detect tampering — all while keeping your customers’ data secure.
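To make the tokenization half of the strategy above concrete, here is an added illustration (not code from the article or from Bluefin): a stand-in vault hands the merchant system a random token in place of the card number, and a defender's check scans stored records for any Luhn-valid card numbers that would still be worth stealing. The in-memory vault, the `tok_` token format and the test card numbers are constructed for the example.

```python
import re
import secrets

# Candidate card numbers: 13 to 19 digit runs bounded by non-word characters.
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to tell real PANs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the tokenization provider's vault, which lives outside the
    merchant environment. An in-memory dict here; a real vault is a hardened service."""

    def __init__(self):
        self._store = {}  # token -> PAN; only the vault ever holds the PAN

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random token: no mathematical relation to the PAN, so it cannot be
        # reversed without the vault. Last four kept for receipts and support.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

def record_order(vault: TokenVault, order_id: int, pan: str, amount: float) -> dict:
    """What the merchant's own database stores: a token, never the PAN."""
    return {"order_id": order_id, "amount": amount, "card": vault.tokenize(pan)}

def find_cleartext_pans(records: list) -> list:
    """Defender's check: scan stored records for Luhn-valid card numbers, i.e.
    data an attacker who dumps this store (or a ransomware crew reading it
    before encrypting) could actually sell or use. Returns (order_id, PAN) hits."""
    hits = []
    for rec in records:
        for value in rec.values():
            hits.extend((rec["order_id"], m) for m in PAN_RE.findall(str(value)) if luhn_ok(m))
    return hits
```

Running `find_cleartext_pans` over tokenized orders returns an empty list, while the same records stored with raw card numbers are flagged; the token's `tok_` prefix keeps it from ever matching the scanner.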

Earn customer loyalty through securing data

While employee cybersecurity training is important, it isn’t enough to keep attackers out — which is why devaluing your data with tokenization or encryption is essential. When consumers make a purchase, whether it be a hotel room or a carryout order, they are putting their trust in your business. It’s your responsibility to keep their payment information safe from cybercriminals, for their benefit and yours.

About the Author

Brent Johnson is CISO of Bluefin.