Don't be an Accomplice After the Fact:
Brian Luke
Quantitative Qualitative Researcher Including Research, Journalism Applied Sciences, Crypto, Politics
NATIONAL: As we live in a society where ID theft, credit card scams and thievery occur on a daily basis, merchants are the first line of defense in securing a nation of consumers. Unfortunately, some merchants take shortcuts and cheap fixes to save money. These shortcuts place consumers' data at risk, and the lax security of some allows criminals access.
The employers are as guilty as the criminals in their complacency and professional indifference to security due to ignorance or greed. The hackers or criminals get the full brunt of the blame, which is understandable, until the lax safeguards are exposed.
Small businesses and family businesses may be knowledgeable about a certain product but not be able to analyze and understand risk.
Someone may be making the best pizza, for example at a family pizza place, but if that same family restaurant is tossing out its bank statements unshredded, or repeating credit card numbers back over a phone where people can hear across a counter, things can happen. The fact of the matter is that, with the economy the way it is, more small businesses will open; from Uber to Lyft to independent contractors, we need to be cyber smart.
The Federal Bureau of Investigation has listed the crime of identity theft as a national security concern. Merchants are the first line of defense in the war against identity theft; some important things that should be done at the merchant level to ensure that they are defenders of customer service data are listed herein.
The Bureau states that “A stolen identity is a powerful cloak of anonymity for criminals and terrorists and a danger to national security and private citizens alike. For the FBI, identity theft is nothing new—we've been dealing with criminals faking IDs for decades, from check forgers to fugitives on the run. But the threat is more pervasive and the scams more sophisticated than ever, including online elements. The FBI uses both its criminal and cyber resources—along with its intelligence capabilities—to identify and stop crime groups in their early stages.”
Physical and Virtual Barriers
As a company grows, a strong effort should be made to secure the workplace and require all individuals to pass through a central access point and have their identity and business known by a trusted company representative, like a security guard or receptionist.
The perimeter of the building may be covered by video cameras, but video cameras are a passive form of security that documents events after the fact.
All perimeter doors should be locked at all times and a pass key system should be established, whereby a badge is needed to access a sensitive area of the building. A badge is easy to deactivate once a visitor leaves or an employee is terminated. Simply printing an 8 x 11 sign stating “All visitors must report to the front door” is not sufficient security in a world where individuals with a confident smile, a wave and a clipboard can get into any building on Earth.
For anyone who has studied cybersecurity and PCI compliance, it is good to remember that basic cybersecurity guidelines and PCI compliance guidance work in concert to keep consumers safe.
Some basic workplace security measures that should be deployed:
A. All employees dealing with customer-sensitive and personally identifiable information (P.I.I.) should be trained in cybersecurity and anti-fraud. It is not enough to train only the one person who has access to the processing gateway. In many cases, especially when new employees are hired, it is likely that training is rushed and poorly presented by an individual who is not a certified trainer.
B. When customers call in, under absolutely no circumstances should credit card numbers be written down on paper. Nor should any customer information be placed in a standard garbage can. It is amazing that some employers in call center environments have separate trash cans for “Food Only” but no burn or shred boxes to shred all customer information that may be printed or written down.
- Customers should be politely required to confirm their address or qualifier. Customer Service Agents should not volunteer any information. The incorrect statement would be “You still live at 123 Main Street, in Amherst, right?” This is obviously an example. The correct way to do this is “To protect your account, can you please verify your address?”
Internal Controls
Once a visitor enters a building, their access to critical operational areas of the property should be controlled. Tensabarriers, portable barriers that indicate areas that are off limits, should be deployed, access to floors that do not pertain to the general public should be restricted, and doors to internet commerce areas and channel sales should be locked.
All appointments should be made in advance and confirmed. Any deviation between the person who visits and the person who made the appointment should be recorded and logged for future use. If patterns begin to form, they may be worth review.
Employee supervision is not enough. Once employees enter a workplace that contains consumer information, they should be required to lock their personal belongings in a locker for the duration of their shift, and should not bring jackets, coats, portable media or cellular phones into the work area. Computer screens can be photographed and emailed with ease, and thumb drives containing malicious programs can damage mission-critical equipment.
USB drives can be used for everything from hacking a safe, according to an article by J. Kirk on PCWorld, to being converted to hijack internet traffic, as per another article on theconversation.com.
IT Problems and Trends
Your CRM, or Customer Relationship Management software, runs on your computers, including credit card processing, so when a PC slows down, shuts down completely or reboots, it may be a good idea to take it seriously. This is because the calls will still continue, forcing the PC operator to write down credit card numbers while the PC reboots. Not a great idea. It is important to keep track of these tickets or PC issues to determine whether there is a trend and whether it is time to upgrade software. If there is a problem with your Microsoft Group Policies or Microsoft Active Directory, that is a serious problem involving the administrative rights and security settings in the registry or on a server on the network. If PC issues are not being repaired and security issues are not being addressed, it may be a good idea to reassess the decision to have some twenty-something manage your IT. The reason is that a customer service representative is only as good, and only as safe with customer data, as his or her tools allow.
Users should lock their screens before leaving their cubicles.
Supervisors should receive basic security training; otherwise all they are doing is watching events unfold, forming their own opinions based on bad information and being blissfully unaware of possible cyber issues.
Losses from Logistics
Once a sale is made, the product actually has to get to the customer, and this is an interesting area to study called supply chain management. Orders go electronically to the warehouse, where differently skilled workers work off of manifests, pick and pack the products, and load trucks. Occasionally, and sometimes more often than should be allowed, shipping labels “fall off” packages, or FedEx, UPS or USPS labels get destroyed so that products cannot be found or traced. The adhesive on a FedEx label is very strong and it takes a lot of Sharpie marker to obliterate a tracer, but if a package label gets damaged or “falls off”, each and every occurrence should be tracked and managed, and trends should be investigated. Any missing shipments should be followed up with the appropriate carrier or freight company. If an insurance claim is filed, it would be best to make absolutely sure the product is missing, as insurance fraud is a serious matter.
Employee Theft
If shipments are going missing because employees are stealing your stock and blaming logistics companies, it should be investigated and those involved should be prosecuted. The cost of no-cost orders to make good on shipments that were not received by customers is only part of the cost involved. There are also costs to your brand, in terms of the value of the brand in the eyes of the customer and stakeholder.
Companies, especially ones that are growing, need to take great pause and understand that their security policy needs to include PCI compliance, cybersecurity and physical asset security to prevent loss.
Brian Scott Luke holds a Master's in Business Administration, Finance and Accounting, and a B.S. in Communications and Business from Buffalo State, and is a Certified Risk Management Consultant. Mr. Luke has been reporting on cybersecurity for approximately five years and has worked for corporate and utility help desks throughout Western New York.