Dan King, president of VAR New West Technologies, is a retail IT security and mPOS expert whose company consistently achieves double-digit revenue growth. King, speaking at Business Solutions’ 2016 Retail IT VAR Of The Future, said part of New West’s success was working straight retail — no hospitality or grocery — with customers ranging from one to 150 stores.
Working this particular market has forced New West to “batten down the hatches,” according to King. “We take security pretty seriously, not just where it relates to payments, but the entire network, databases — everything.”
This approach doesn’t always deliver traditional ROI, but it does something almost as valuable: It builds relationships. “As we come across new ways to help people be more secure, we take on the role of consultant,” King said. “In some cases we were able to monetize it; in others it’s a way to ensure our company’s reputation does not get tarnished.”
New West also offers threat assessments in which various tools are used to conduct scans, both inside and out. Some clients opt for network monitoring services as well. “Because many threats come from inside the firewall, we try and get our customers to leverage password management software,” King said. “Many times you can protect the company from the employees even being able to share their passwords.”
An additional finding of the aforementioned Business Solutions’ EMV and payment security survey was that the majority of resellers feel, if a breach were going to occur, it would be internal. King agreed, adding, “A lot of times it’s not even a malicious act; it’s just people being people. More than once we’ve dealt with breaches caused by an employee simply clicking on something they’re not supposed to.
“With malware and CryptoLocker, it’s easy to be fooled. We’ve seen employees accidentally click on something, and all of a sudden the drives are encrypted and they’re being ransomed. We try to educate people as best we can, and I liken it to trying to sell backup systems in the past. Unless somebody’s lost some data, they don’t take it very seriously. Fortunately, there is more good information out there, and merchants are taking security more seriously.”
Don’t Get Phished In
According to network security vendor Webroot, almost every bit of malware now is polymorphic, changing as it hits the network. You can have software to help solve these phishing problems, but merchants still need to be educated as to the seriousness of these threats. “We’re trying to have those conversations, but how seriously merchants take it is another story,” King said. “We give them our horror stories and hopefully they resonate.”
One horror story King cited was the time one of his merchants inadvertently opened malware. “The virus took hold of the system, and the victims didn’t take any action other than freak out and keep clicking the link. Before you know it, the entire network — about 15 machines total — was breached.
“There are simple strategies to employ if you think a machine’s being compromised. The first thing you need to do is unplug it and the network before you click on anything. Attacks are getting more sophisticated and creative in the ways they get people to click on things. Everybody has received an email from somebody they know that appears fairly innocuous, but it’s really not from that person.”
Your Reputation Is On The Line
King noted that good relationships are hard to develop, and failure to adequately protect a client — or educate them on how to protect themselves — can cause irreparable damage. “A good reputation is hard to build and easy to lose,” King said. “We want to make sure our customers are taking care of their customers’ data appropriately. I tell our merchants if they’re not taking it seriously, they’re being irresponsible with their customers’ data. Sometimes that doesn’t go over well, but it’s the truth, and everybody needs to hear it. If we don’t say these things, if we don’t broach those topics, we’re not really doing our job.”
To better protect merchants, and by extension safeguard your reputation, King said you need to make sure merchants are paying attention. “There are many merchants using unencrypted swipes. Very often, they source consumer-class equipment at Best Buy or wherever in hopes of saving a buck on professional services. They don’t pay attention to the internal software firewalls or the antivirus systems.”
In addition to trying to save money, merchants are guilty of thinking they’re too small to be targeted. “You can’t beat the customer down, but when they say, ‘I don’t care, I don’t care, I don’t care,’ what are you going to do? That’s a hard line to draw, and it’s even harder to draw when you add your salespeople to the mix. Those guys, they don’t want to pass up their opportunity to make the sale, even if the client’s not listening.”
New West has policies to help defuse that situation. “If we’re making serious recommendations, we have the customer sign off acknowledging what we think should be done. They can choose not to listen, but if they’re telling us they don’t want to participate, it’s not our fault if anything goes wrong. About half the time they say, ‘Oh, wow. You guys are serious about this.’ We’ve seen that approach have a positive effect on people’s motivation to take security seriously.”
Why Payment Security Deserves Your Time And Energy
King views payment security as a holistic system facing a rising threat ratio. “You build a wall and criminals get a taller ladder. You build it higher and they get hooks. It’s a constant battle, and there’s no way to stop all of it. Ultimately, we make our living off people operating brick-and-mortar stores. Most have an online presence, but they are competing with the Amazons of the world. If merchants don’t take security seriously, vendors aren’t educating them, and breaches continue to happen, I think consumers are going to lose trust. That would be a hard thing for a store to go through.”