June 23, 2017
Information Security for the Firearms Retailer — Yes, It Matters
I know, I know, internet security is just one more item in a long list of things a small business owner must pay attention to. Unfortunately, and as I’m sure you all know, your cyber-security will continue to require your focus, with no end in sight, in today’s world, so we do need to talk about this topic.
Now, I know someone out there is going to say, “Information security? That doesn’t have anything to do with me!” To those people I’d respond, “You bet your sweet data it does!” So, let’s talk about why this is important to every firearms retailer. In doing so, I think it’s vitally important to begin by establishing a strong foundation and then start to layer on the minutiae that can consume all of us when it comes to this topic. But I’ll also provide translation of this minutia down to what I like to call “you-and-I language” that will cut out all of the “Check out the big brain on John” speak and gets right down to the meat and potatoes of it. Here we go!
You’re Replacing the “Big Guys” When it Comes to Cyber-Attacks
The fact of the matter is that up until the last few years or so, small businesses weren’t really even on the radar of hackers and cyber-criminals. Quite frankly, they were going after the big players, which has been much more lucrative for them. Nowadays, though, the once more lucrative targets and their sizable wallets have been able to mitigate much of this problem, and this has caused the “evil empire” of hackers to look for new targets. Enter the small business.
As of the close of 2016, approximately 43 percent of cyber-attacks targeted small businesses, a staggering increase year over year of more than 40 percent. Taking into account that, according to the Small Business Administration (SBA), there are 28 million small businesses in America, accounting for 54 percent of all U.S. sales, that creates a very nice “site picture” for the cyber-criminal.
Now let’s scare you a bit: The SBA also reported that only 14 percent of small businesses rate their ability to mitigate cyber-risks, vulnerabilities and attacks as “highly effective.” Fourteen percent! Of even greater concern, 60 percent of small companies are forced to go out of business within six months of a cyber-attack due to the associated financial implications.
I don’t know that any of those numbers have caused you any great concern, but what I do hope is that now that you’ve seen these stats, they’ve at least caused you to think about what information or data within your environment as a firearms retailer is or may be of interest to those looking to exploit your vulnerabilities.
More Valuable Than Your Firearms Inventory
It’s important to keep in mind that as an FFL you have quite a bit of very desirable and valuable information for which you’re responsible for its safe keeping. The personal information associated with a firearms transaction alone offers an evil-doer an extensive amount of information that is, for all intents and purposes, the currency of the criminal underground. And that’s really just the tip of the iceberg. As a business, you have the ultimate responsibility of protecting whatever information your customers have entrusted to you — and this is, ultimately, the “why” that deserves your interest and focus.
Cyber-criminals who are able to obtain personal information can sell it to identity thieves, spammers, botnet operators and organized crime rings, who then use the information to make more money. The value of your data to them is dependent on what information they can exploit. How do you know whether your in-house data is of interest to them and at what level? Let’s look at something we can all easily relate to and have equal amount of animosity for — spam — and a hypothetical case study.
Let’s say a spammer obtains a list of, say, 10,000 emails from an evil doer for, let’s say, $100. That breaks down to $0.10 per email address. With that list, the spammer can now solicit, via email, every address on it. Now, if the spammer is promoting a specific product for which he receives a commission for of $10 for every unit, even if only a few people out of that list of 10,000 buy the product, it’s a profit for him — and all his “effort” included was paying for the email addresses, creating a tempting sales pitch, accessing a mass emailing software solution to send it and patiently waiting for payday.
I deliberately kept the numbers very simple in this example, but I promise you, no spammer ever sticks to just 10,000 email addresses. They are looking for and buying lists that contain hundreds of thousands of email address files. But you didn’t think that they were spamming you just to be annoying, did you? Spam is also the vehicle for phishing schemes, which is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords, credit card numbers, etc.
All of this being said, there’s one significant component of all of this we haven’t discussed, and that is your customer. Data breaches have a lasting impact on customer loyalty, and based on industry studies more than 60 percent of consumers surveyed indicated they would likely end their relationship with a business after their personal information had been exposed. In addition, the majority of those surveyed also advised that they would at least consider taking legal action against an organization involved in the exposure of personal information. Using the percentages provided, along with the fact that the average cost of recovery from a data breach for a small to midsized business has been estimated to be anywhere from $36,000 to $50,000, you can easily see how a breach can impact your business, as well as determine the probability of recovery.
Spam is only one area of concern and certainly not the most serious of all of the areas in which we’ll be discussing in subsequent articles, but it’s certainly one pathway that can open the door to much more lucrative opportunities. Indeed, information or cyber-security is a very broad topic, and we’re going to walk you through all of the areas of concern that can be relevant to small and midsize businesses in this series of articles so that you may be better equipped to protect your business, your customers, your employees and yourself.
In the next article, I’ll discuss establishing best practices and policies that will set the stage for protecting sensitive information you’re responsible for. Until then, please send us your questions and comments and we’ll be sure to incorporate them into future articles. In the event you have a concern regarding the security of your business and are in need of immediate support, feel free to contact John McNamara, email@example.com, and he will help to coordinate NSSF resources to support your needs.
John Clark is a firearms industry consultant and a member of the NSSF’s Security and Compliance Consultant Teams. He is also the principal partner and founder of PCI Services, LLC, a consultancy firm that provides small to mid-size businesses with sustainable solutions that positively affect growth and protect interests. John has served as an executive in a variety of public and private domestic and international businesses, where his responsibilities have included implementing risk and loss mitigation strategies, governmental compliance initiatives, business assessment and control functions and the implementation of corporate governance practices. Visit www.pciservices.us or email firstname.lastname@example.org for more information.