The Verizon Data Breach Investigations Report (available here) was basically another year of "all your POS are belong to us."
Which is depressing, but not at all surprising. As you know, I talk a lot about what I call the Security Poverty Line, and how smaller organizations that are IT-poor tend also to be security-poor.
Moreover, because security and IT are so often separate, security becomes optional, a luxury and an omission for the small business that doesn't know it has something to lose -- or even if it does, it hasn't got the faintest idea of how to go about addressing it.
Enter the DBIR, and what I think is one of the most helpful steps ever taken to address this security-poor population. On page 62, the redoubtable Verizon Risk Team has created a cutout sheet that you can hand out to your favorite retail, hospitality and food establishments.
"Greetings. You were given this card because someone likes your establishment. They wanted to help protect your business as well as their payment and personal information. It may be easy to think 'that'll never happen to me' when it comes to hackers stealing your information. But you might be surprised to know that most attacks are directed against small companies and most can be prevented with a few small and relatively easy steps."
And the cutout doesn't get too fancy or preachy; it basically recommends two main things: change your default passwords, and make sure you have a firewall. And if you're not the one who is in charge of these things, make sure your vendor does them.
The beautiful simplicity of this is hard to overstate. The cutout doesn't invoke FUD; it just says, "Hey, we've seen a lot of this and you might want to be careful."
The language makes it accessible to someone who is busy running a business, and who doesn't have time to delve into arcane IT concepts. It tells them the most important things they need to do, and puts it in a digestible format.
I hope people will go to the trouble of making copies of this cutout and giving them to as many franchises and local businesses as possible. It would also help to have a simple and cheap answer to the question, "How do I find out more about this?" if the business owner should ask.
I know of at least one security professional who makes a point of going to speak about security at chamber of commerce meetings, and we need more of this kind of outreach.
For the security-poor organizations, the best thing we can start with is to arm them with information -- the kind of information that is useful to them. If we made a concerted effort to reach out to this underserved population, I'm hoping the DBIR numbers would get smaller over time.
Cross-posted from Idoneous Security