Over the last couple of years, large breaches of major retailers such as Target, Home Depot, and Neiman Marcus have made it clear that the retail and hospitality industries are prime targets for cyber attacks. The reason is simple: A vast amount of personally identifiable information (PII) passes through and may be collected by these enterprises’ networks.

In 1950, when Slick Willie Sutton was asked why he robbed banks, he quipped, “I rob banks because that is where the money is.”  In a similar vein, cyber thieves go where the PII is.

Though the large breaches get the press, it is not just big name brands that are under assault.  The vast majority of organizations falling prey to cyber thieves are small to medium-sized businesses (SMBs).  The Payment Card Industry (PCI) Security Standards Council reports that over 80% of all breaches occur with small merchants.  According to one security firm, a whopping 69% of cyber attacks target restaurants and retailers.

Some of the reasons cited for the heightened risk of attack on SMBs are their scarcity of resources and reliance on third-party providers.  These smaller organizations are typically a softer target than the large retailers, yet they own a tremendous amount of PII.

One area where retail and hospitality firms have heightened vulnerability is the point of sale (POS) terminal and the communication and data storage surrounding it.  When a credit card is swiped, there is a complex web of interactions with third-party payment processors, issuing banks, and merchant banks to authorize the transaction.  This all occurs amazingly quickly, in most cases in just a second or two.

The Payment Card Industry (PCI) has created a Data Security Standard (DSS) for entities that process credit cards from the major players (including VisaMasterCardAmerican Express, and Discover).  PCI DSS is rigorous and often difficult for businesses to comply with completely, and when there is a breach that can be traced back to a business using bank or credit cards to receive payment from customers, that business has the burden of proving to the PCI that it is innocent.

Satisfying PCI DSS is particularly important for retail and hospitality companies, as , according to the Federal Reserve .

The good news is that since malicious parties are looking for the easiest targets, an incremental increase in security results in a disproportionately greater decrease in the likelihood of an attack.  In most cases, a merchant needs only to be slightly more secure than their peers to be passed over by attackers .

So what should every business be doing in the area of cyber security?  We have talked extensively in the past about security measures.  We will recap some of the most important:

Strong Passwords – A strong password is one that has never been used before, by anyone.  This is a very difficult task, and let’s face it, no one likes to remember the myriad of passwords in today’s online environment.  However, consider for a moment that your enemy, a malicious attacker, can use tools that guess over one billion passwords per second.  One IT professional suggested nursery rhymes to develop hard-to-crack passwords.  By using the first letter of each word of a nursery rhyme (include capital letters), exchanging one letter for a symbol and another letter for a number, an easy to remember password that is very difficult to crack can be created.

For instance, take the first line to “Mary Had a Little Lamb”. By substituting “$” for an “s” and “5” for “a” the resulting password becomes “Mh5llllllMh5llifww5$”.  This is simple to remember, yet very difficult to compromise.

Encryption – Lost or stolen laptops/devices are the most frequent cause of data breaches, but the danger of data falling into the wrong hands can be easily and inexpensively mitigated with encryption.  Nearly all state breach laws include provisions that encrypted data be treated similar to a paper document that has been shredded, thus eliminating some or all of the regulatory notification requirements.

Patching – Keeping software updated with the latest patches is critical.  Many fixes pushed out by vendors specifically rectify a known vulnerability in the software.  Malicious individuals constantly watch for networks that are delinquent in patching to exploit.

Email Safety – There is a saying that goes, “Teach a man to fish and he eats for a day.  Teach a man to ‘phish’ and he eats an expensive steak dinner with his buddies tonight.”  A high percentage of attacks originate from phishing, in which a reputable-looking email is sent to victims, in hopes they will click a link or button that appears to be legitimate.  Doing so will install malicious code on the unsuspecting users’ machines, and from there the cyber criminals can wreak havoc.

It is suspected that phishing was the method used in the recent attack on health insurance giant Anthem, in which a staggering 80 million records were compromised .  Although difficult to stop, advising employees never to click on links, download files, or open attachments in emails from unknown senders is a good start.  It is also best to open an attachment only when it is from both a known sender and when it is expected.

Whatever precautions a business takes, though, IT professionals admit no system can be 100% safe.  The unavoidable, incremental risk is addressed by cyber insurance policies which are tailored to address cyber exposures.  These policies are readily available and currently are surprisingly inexpensive.  Every insurance or risk management discussion should include the potential for a cyber loss and ways to mitigate and transfer the risk.