Business.com


How to Accept Credit Card Payments: A Beginner's Guide

Posted: 04 Oct 2019 11:30 AM PDT

Credit and debit cards are a common payment method favored by many customers. It has become an expectation that your business will accept cards, a standard you are all too familiar with if you must repeatedly explain to customers that your business accepts cash only. Luckily, accepting credit and debit cards is as easy as partnering with a credit card processing company.

This guide will walk you through the ins and outs of the credit card processing industry, and highlight the important factors you need to look for when choosing a card processor. It will also cover the different credit card processing platforms, from point-of-sale systems to mobile devices.

How do you accept credit card payments for your small business?

Accepting credit and debit cards begins with selecting a processor. To choose the one that is best for your business, it's important to understand the different types of companies that are out there. In addition, you should always look for a credit card processor that offers low rates, few or no fees and month-to-month contracts.

Unfortunately, the credit card processing industry is a crowded field that can often be confusing to navigate. With varying pricing models, complicated fee structures and different types of processors for different platforms, it can be a gargantuan task to find the right partner for your business. Breaking the process down into several steps can help simplify your decision-making:

  1. Determine the type of processor you need. Choosing the type of credit card processor you want to work with is based on two main factors: whether you want to partner with a service for individuals or businesses, and your average monthly volume of credit and debit card payments.
  • If you're an individual accepting payment from a handful of trusted sources, using a peer-to-peer application like Venmo is suitable.
  • If you want a payment processor less susceptible to transaction disputes, a payment facilitator like Square or PayPal is a good option. Square and other payment facilitators work well for small businesses with a low monthly volume and small sales tickets.
  • Businesses with a higher volume and larger sales tickets should consider an independent sales organization or merchant service provider like Helcim or Flagship Merchant Services. For a more detailed breakdown of the different types of credit card processors on the market, visit our credit card processing best picks page.
  2. Consider how you will accept credit cards. When you begin accepting credit cards, it's generally because your customers prefer using them. So, it's important to consider how your customers use their cards. If the vast majority come into your physical location and swipe their card, then perhaps that's the only method you need to accept. However, you might also want to accept credit cards online, over the phone, on a mobile device or across multiple channels. Determining the methods of payment you will accept can help you better understand what type of credit card processing equipment you need.

  3. Examine pricing models and fee structures. Pricing models and fee structures vary greatly from company to company, so this is one of the more arduous parts of the buying journey. There are multiple pricing models available which determine the rates you will pay on certain transaction types. Most processors charge between 2% and 4% of the transaction value, plus a small transaction fee based on your monthly processing volume, average ticket size, your industry, and your processing history. In addition, there are often several fees processors charge. For a breakdown of the most common pricing models and fees, visit our credit card processing best picks page.

  4. Compare quotes. By using the criteria above, narrow your list of candidates down to about three to five. Call each of these credit card processors and request a quote. Sometimes, a credit card processor's rates are negotiable, so don't be afraid to haggle – especially if you've already received estimates from other companies. After comparing quotes, request a contract from one or two companies that offer the most competitive rates.

  5. Review contracts. As always, review these contracts very carefully. If possible, have legal counsel look at the contract as well to ensure everything is above board. Consider whether the contract includes automatic renewal clauses, early termination fees and other binding clauses. Once you are satisfied that the contract is fair, sign with the company you believe is the best fit for your business.

Once you've completed these steps and decided which credit card processor you'd like to partner with, you are ready to apply. Generally, applications can be submitted online and take two days for the processor to review. Once your application is reviewed, the processor will set up your account and walk you through the process of selecting any hardware you might need. Once the hardware arrives, the processor will help you set it up and test it.


How do I accept credit cards on my phone?

To accept credit card payments on your phone or another mobile device, you will need a mobile credit card reader. Many of these readers plug into the headphone jack of the device. More advanced mobile credit card readers connect to your mobile devices via Bluetooth.

When you sign up with a credit card processor, most companies give you a free credit card swiper. However, it is beneficial to purchase one that also accepts EMV chip cards. EMV chips allow you to skip signature authentication, and they speed up the payment process. You should also select a reader that is NFC enabled for accepting contactless payments. NFC capability allows you to accept payments from contactless cards and mobile wallets, such as Google Pay or Apple Pay. You can expect to pay less than $100 for this type of mobile credit card reader.

Using a mobile credit card reader doesn't limit you to accepting payments on your mobile device only. These readers can be used as part of a larger system that includes additional hardware. Mobile credit card readers are useful for traveling businesses, businesses that frequent trade shows and businesses that simply want to accept payments from anywhere within their physical location.

How to accept credit card payments online

Accepting credit card payments online requires the use of what is known as a "payment gateway." Payment gateways are often provided by credit card processors, either directly or through a third party.

Typically, a credit card processor charges you an additional monthly fee for this service, so it's important that you only set up a payment gateway if you regularly make sales online. In addition to the monthly fee, some credit card processors charge a gateway setup fee and an additional per-transaction fee, so be sure to review each processor's terms and conditions before signing up.

How much does it cost to accept credit cards?

The price of each transaction varies based on the method by which a card is accepted as well as the pricing plan you've chosen. There are three main pricing models you are likely to come across in your research. They include:

  • Flat-rate pricing: Generally a model of payment facilitators like Square or PayPal, flat-rate pricing includes fixed rates for certain types of transactions. For example, PayPal charges 2.7% for a card-present transaction, meaning the card was swiped at a physical location. For online transactions, PayPal charges 2.9% plus 30 cents per transaction. For a card that is keyed in over the phone, PayPal charges 3.5% plus 15 cents per transaction. The elevated price here is due to the increased risk of fraud associated with this payment method.

  • Interchange-plus pricing: This pricing model is based on the interchange rate paid by all credit card processors, plus a processor's markup fee. It is the most transparent model available because it is based on a universal rate. The markup, which is how the processor makes money, is usually negotiable in this pricing model.

  • Tiered pricing: This pricing model differentiates between "qualified," "midqualified" and "nonqualified" transaction types. Qualified transactions are generally basic debit and credit cards that are physically swiped at a terminal. These are the cheapest rates in a tiered pricing model. Slightly more expensive are midqualified transactions, which often include rewards cards that are physically swiped. Finally, the most expensive nonqualified transactions include premium rewards cards and card-not-present transactions, such as those you key in when you accept payment from your customer over the phone.

Of course, in addition to rates you pay for each transaction, the credit card processors that use the interchange-plus and tiered pricing models charge account maintenance fees. These include a monthly fee, a monthly minimum, payment gateway fees, a PCI compliance fee and various network fees. Some processors may also charge a setup fee, a payment gateway setup fee and other fees. These fees all vary from processor to processor, so request a breakdown of all pricing and fees in writing, then read the contract before signing it to verify that you're aware of everything you'll be required to pay.

What is the cheapest way to accept credit card payments online?

Determining the cheapest way to accept credit card payments online has a lot to do with your unique situation. A small business with less than $3,000 in monthly credit card sales is in different circumstances than a larger-volume business, and the processor that benefits one might be a detriment to another.

For the small-volume merchant, using a processor that has flat rates and provides its services on a pay-as-you-go basis is going to be more cost-effective than working with a processor that charges multiple account maintenance fees, even if that processor's transaction rates are lower. Once a small business eclipses $3,000 in monthly volume, though, a processor with lower rates might be more cost-effective, even with the associated fees.

No matter which type of processor you choose to work with, you should avoid long-term contracts. The best credit card processors offer month-to-month terms and don't charge early termination fees. Even though most processor contracts have a standard three-year term, most sales reps are eager for your business and will offer a month-to-month contract if you ask for it.

How do you accept credit card payments on Square and other apps?

Accepting credit card payments on mobile wallets or peer-to-peer applications should only be done when you know and trust the people sending payment. It is much easier for a customer to dispute transactions and recoup money using these platforms, whether it is Square Cash or PayPal. Freelancers working with well-known clients, however, can benefit from using peer-to-peer payments. To do so, simply set up an account and link your bank account to begin sending or receiving money to other users.

For established businesses that want to accept payments from a customer's mobile wallet, investing in an NFC-enabled terminal or card reader is the way to go. NFC-enabled readers allow you to accept contactless payments, so customers can pay with apps like Google Pay or Apple Pay while your business is more protected from chargebacks and transaction disputes.

Accepting credit cards is a customer service must

In the modern business landscape, it's imperative to accept debit and credit cards. Cards as a payment method have become so ubiquitous that many customers don't carry cash any longer. Accepting credit cards is a means of boosting customer satisfaction and driving more sales. Choosing the right credit card processor for your business can ensure that you not only keep your customers happy but that it doesn't cost an excessive amount to accept credit and debit cards.

How the Internet of Things is Impacting Health Care

Posted: 04 Oct 2019 10:00 AM PDT

The concept of the Internet of Things (IoT) entails the use of electronic devices that capture or monitor data and are linked to a public or private network, enabling them to automatically initiate certain events.

In this article, we will study the context of IoT in the health care industry and come across the myriad of benefits it has bestowed upon it.

Internet of Things and the health care industry

Before the arrival of IoT, a patient's interactions with doctors were restricted to physical visits and telephone and text communications. There was no way for doctors to continuously monitor a patient's health and suggest treatments accordingly.

However, with the introduction of IoT in the health care sector, patient care has undergone a paradigm shift, making superlative care accessible to all. The amazing IoT-enabled devices have made remote monitoring possible, empowering the doctors to deliver superior health care. It has also facilitated patient engagement by making interactions with doctors much more convenient and efficient. Furthermore, remote monitoring has greatly diminished health care costs by reducing the length of hospital stay and preventing re-admissions.

With the use of this technology-based health care system, the quality and efficiency of treatments have improved. Today, there are numerous applications of IoT in health care that are benefiting patients, families, hospitals and doctors in a big way.

Benefits of IoT in health care

Simultaneous reporting and monitoring

Real-time monitoring of patients helps in dispensing quicker and more effective treatment. Reporting emergencies through a mobile app allows doctors to access information faster and offer high-quality care much before the patient reaches the hospital.

A smart gadget is connected to a mobile app that collects medical and all other necessary health-related data, such as oxygen and blood sugar levels, blood pressure, ECGs, weight, etc. All the data is collected and stored in the cloud and can easily be shared with the respective person, such as your doctor, a consultant or the insurance company, irrespective of their location, time and device.

Data assortment and analysis

Owing to the real-time operation of health care devices, vast amounts of data are collected in a short time. Storing and analyzing this data manually would be an unimaginably hard task, if not for IoT devices.

IoT devices can collect, analyze and report the data in real-time, diminishing the need to store raw files. All this can easily happen over the cloud with doctors directly getting access to the final reports with graphs. These devices offer robust health care analytics and data-driven insights which are less prone to errors and help to speed up the decision-making process.

Tracking and alerts

Wearables and smart devices are dominating our lives by allowing us to monitor ourselves and optimize our health data. Today, there is a plethora of IoT-enabled wearables and implantable devices that seek to monitor patients' health. These devices are attached to various parts of the body to help doctors track a patient's condition in real time and offer hands-on treatment with improved accuracy.

Research

IoT can also be used for research purposes, as it helps to collect a massive amount of data about patients' health. All this assembled data can be used for statistical study to support medical research. Through this research, newer and improved technologies and treatments are being discovered that enhance the quality of health care services received by patients.

Significant applications of IoT in health care

With the evolution of IoT in the health care sector, several wearables and other devices have cropped up in the market that seek to make the lives of patients much more comfortable. Let us learn about some incredible applications of IoT in the health industry.

Hearables

These are new-age hearing devices that have momentously transformed the way people suffering from hearing loss interact with the world.

Doppler Labs is a pioneer in the field that recently launched wireless and Bluetooth-compatible earbuds that come with a unique ability to cancel out all unwanted background noise. These amazing devices can amplify the voice of a particular person and even converse with individuals speaking in another language.

Smart pills

Edible IoT pills, also known as smart pills, are small ingestible sensors that help to monitor medication in the body and warn the patient of any irregularities. These pill-sized sensors dissolve in the stomach and transmit a signal to a sensor worn on the body. This signal can also be transferred to a mobile phone for easy access by the patient. These pills are especially helpful for diabetic people, as they can help to curb symptoms and give early warning indications of the disease.

Proteus Digital Health, WuXi Pharma Tech and TruTag are some of the leaders in the space.

Computer vision technology

Computer vision technology coupled with Artificial Intelligence has helped in the evolution of drone technology. With this technology, one can easily mimic visual perception, detect obstacles and navigate around with ease.

The technology is increasingly being used to develop devices for the visually impaired to help them move around easily.

Moodles

These are head-mounted wearable devices that help to enhance the mood and keep the energy level elevated throughout the day. These devices transmit a low-intensity current to the brain, which uplifts the mood. Companies like Halo Neurosciences and Thync have made giant strides in this field by investing heavily in the development of such devices.

Some challenges associated with IoT in health care

If IoT in health care sounds like a dream rather than a reality, it almost is. However, sometimes in certain situations, the challenges associated with this technology nearly overshadow the benefits.

To begin with, the security and privacy of personal data are the topmost concerns related to IoT in health care. While most of today's devices use robust methods to communicate data to the cloud, they could still be vulnerable to hacking. A lot of companies are working towards integrating foolproof systems that ensure security in medical data storage. Even when this issue is resolved, the right implementation of the technology will require exhaustive training for both administrators and physicians. Many health care enterprises do not have the time and resources to implement the technology and offer adequate training to doctors.

Besides security, another challenge of IoT in health care is accessibility. The internet is not accessible to everyone, especially those who live in remote rural areas. This technology is fairly expensive and beyond the reach of those in the low-income bracket.

For health care IT departments, the amount of data obtained through connected devices can sometimes be overwhelming. Consequently, health organizations have to adopt smart IoT solutions to tame the data and use it in the right way, which is again very capital intensive.

Bottom line

Despite the challenges, the future of health care will indubitably incorporate IoT. By improving parts of the already existing products and driving positive change in health care and to the lives of patients worldwide, this technology is revolutionizing the medical industry in unprecedented ways. With improved levels of connectivity and more sophisticated tools for collecting and analyzing data, newer scientific endeavors are possible every day.

Best Practices to Follow Before Applying for a Small Business Loan

Posted: 04 Oct 2019 09:00 AM PDT

Applying for a small business loan can be easy when done correctly, but there are many mistakes that small business owners make when they start the business loan application process.

Mistakes in a business loan application draw out the process and can even result in your loan application being declined. In this article, I discuss the best practices and common mistakes that are made in order to help business owners avoid them when applying for a loan.

Taking the appropriate steps, and avoiding these mistakes will save you time, effort, money and many headaches!

Understand your options

More than ever, business loans are readily available for small business owners. However, that doesn't mean that every option is optimal for your business. Before starting your research and looking for a business loan, first spend time planning what your business loan proceeds will be used for. Will you use the money for equipment? Are the loan proceeds going to be used for working capital? Do you have an expansion plan that requires funding? This is a very important first step before analyzing potential business loan options.

Why is this one of the most crucial steps? This is because you want to search for loan structures that align with the use of proceeds. An example of this would be the following.

Nancy owns a retail store that needs to purchase inventory for the holiday season. The inventory that Nancy purchases involves a three-month period from the time the inventory is ordered to the time that it's sold. Once the inventory is sold, Nancy won't have to use an inventory loan until the next holiday season.

In this situation, Nancy wants to search for a business loan that she can repay in three months and use again for the next holiday season. Nancy should search for a business line of credit that enables her to draw what she needs during the time she needs it, pay it back, and stop paying interest until the next time it's needed.

If Nancy started a broad search for business loans and ended up applying for a term loan to be repaid over multiple years, it would not align with her needs. Why would Nancy pay interest for multiple years for inventory that churns in three months? Instead, by understanding her needs and researching her options, Nancy avoids unnecessary documentation, wasted time, credit pulls, and potentially getting stuck in the wrong loan product.

A second example of this would be if Nancy was looking to purchase equipment for the store. The equipment has a 10-year lifespan and doesn't immediately result in revenue for the company. In this scenario, Nancy would want to use long-term financing with low monthly payments.

Keeping Nancy's payments low with a long-term equipment financing program will have little impact on cash flow, and it provides the necessary equipment for the store. Long-term needs require long-term financing, and short-term needs require short-term, flexible solutions.

To help you understand the different options that are available, here is a list of business loan programs and brief details about the products.


Business line of credit

The type of business line of credit that you apply for will impact both the timeframe and the document package. For alternative lines of credit under $250,000, the process to apply can take just 24 to 48 hours. If you are applying for a bank line of credit, the process will require a full document package, including financials, and can take as long as 45 days.

Asset-based loans

This loan program relies on your business assets for collateral and is typically structured as an interest-only line of credit. The main assets that are used are accounts receivable (invoices), inventory and equipment. You can expect the process to take 15 to 30 days from application to closing.

Business term loans

Terms range from 24 to 60 months and take 10 to 14 days to complete the application and funding process.

Small business bridge loans

Bridge loans are often a quick and easy process, but have higher rates and shorter terms. Terms range from six to 24 months with the approval process taking 24 to 48 hours.

Invoice factoring

This type of loan depends on many factors specific to your business. The time frame from approval to funding can range from seven to 21 days, and in many respects it is similar to asset-based lending and business lines of credit.

Equipment financing

Equipment loans are ideal for companies with smaller equipment needs that need financing for $250,000 or less. The process from application to funding can be completed within three to five days. For larger equipment needs, the process can take 14 to 21 days.

Know your credit profile

Two important credit factors that lenders look at are your personal credit score and your business credit score. Both credit scores are weighted heavily in the underwriting process, and each lender has different credit requirements.

There are dozens of free services (Credit Karma is one such service) where you can sign up and learn your credit score. It's prudent to consistently check your personal credit to learn what your current score is, where you need to improve and how to boost your score for the future. Your personal credit score is far more important than most people realize. It's used when you apply for a home mortgage, a business loan, home utilities, such as cable and electric, a car lease, etc. A good score will help you lower monthly payments across the board!

It's more difficult to check your business credit score, but the factors that impact your business credit are the same that impact your personal credit.

Double-check that all of your vendors are paid current, that your credit cards or loans don't have any past-due balances or late payments, and that your credit utilization is as low as possible. Utilization is a major driver of credit scores; the higher your utilization, the lower your score. Common ways to check your business credit score are through Dun & Bradstreet, Equifax and Experian.

Be proactive, not reactive!

A common mistake that small business owners make is waiting until they need money rather than planning ahead. Being reactive rather than proactive will have a negative impact on your business loan application, and can be the difference between getting approved and having your application rejected. Two things that frequently occur when you don't plan ahead are:

  1. Poor cash flow: More often than not, a business's cash flow looks worse when business owners reactively apply for a loan versus planning ahead. Business owners tend to use available capital up until the point there isn't enough cash flow to support what's needed. Rather than waiting until this point, anticipate cash flow crunches, and apply for a business line of credit or term loan beforehand.
  2. Time constraint: This is an often overlooked benefit of planning ahead. Business loan programs that have lower rates and more attractive terms tend to require more documentation and take longer to get approved. When you plan ahead, you give yourself the ability to apply for the most attractive loan programs, instead of programs that are fast but have less attractive terms.

Prepare your financials

When you apply for financing, you will be asked to provide a list of documents for the lender to underwrite your business. The documentation that's required depends on the type of loan you are applying for.

As a rule of thumb, the larger the loan amount and the longer the term, the more information you can expect to be asked to provide.

Here is a breakdown and short summary of documents you can expect to be required.

  1. Business tax return(s): For almost any business loan application, the prior one to three years of business tax returns will be required. Showing profitability on your business tax return will help with your approval.
  2. Personal tax return(s): When it comes to longer-term financing, one to three years of personal tax returns can be required. This shows lenders what your personal income is and if there are other sources of income to enhance your credit profile.
  3. Profit and loss statement(s): Also known as a P&L, this document will be required with almost all types of business loans. A P&L will outline both your business revenue and expenses. A frequent request is for your business's prior year-end P&L and a year-to-date P&L.
  4. Balance sheet(s): A balance sheet will be requested for the prior year-end and a current snapshot for a lender to understand what types of liabilities and assets you have in your business.
  5. A/R aging report(s): For B2B businesses that sell on net terms, an A/R aging is an important document that helps a lender understand who your customers are, if there is any customer concentration and if your customers pay within terms.
  6. A/P aging report(s): Opposite of the A/R aging report, which shows money owed to you, an accounts payable aging report shows lenders whom you owe money to, what your payment terms are and if they are being paid on time.
  7. Debt schedule: This document outlines all the outstanding debt that your company has. It shows who the creditor is, the original loan amount, current balance, interest rate and the monthly payment.
  8. Business bank statement(s): As straightforward as it sounds, business bank statements are required for lenders to understand what your cash balances are, the frequency of deposits and the historical cash flow trends of your business.

Don't rush. Take your time!

It's safe to say that nobody likes doing paperwork. Paperwork and administrative tasks are nonrevenue generating and, frankly, boring! However, taking your time to correctly fill out a business loan application helps you avoid a lot of headaches. Rushing through a loan application almost always results in doing double work. Forms need to be filled out correctly, paperwork needs to be supplied accurately, and information needs to remain consistent. Not only will this increase the likelihood of being approved for a business loan, but it also speeds up the process.

A quick business tip! When you supply organized, accurate and labeled paperwork, lenders tend to review your information before other business loan applicants!

Know who you are working with

Any time you are seeking business financing, it's critical that you know whom you are working with. In the business application process, you are supplying both personal and business information that should only be shared with reputable companies. There are many steps you can take to ensure that you are working with the best company. Here are three tips when working with a prospective lender:

  1. Check the company profile on LinkedIn
  2. Check to see if the company has online reviews
  3. Ask for references! If they provide a great service, they should be happy to provide client references.

A business loan can help improve your working capital, expand your business and take your company to the next level. There are a lot of small business lenders that provide great solutions, just make sure the one you choose is right for you!

Are You Prepared for Third-Party Cybersecurity Risk Assessments?

Posted: 04 Oct 2019 09:00 AM PDT

Picture this: You're looking through your inbox on a busy morning and find an email from your biggest customer with pages of questions for you to answer on your cybersecurity posture – the technology you have in place, how you train your team, how often you test your systems and more. It's a long questionnaire, you're not sure how to answer the questions and you're at risk of losing the contract if you don't provide the right answers. What do you do?

This request is called a third-party risk assessment, and it's becoming more common for small businesses. Filling them out – and having the security measures in place to answer the questions correctly – is increasingly a part of life for small businesses. In this article, we'll cover what you need to know about third-party risk assessments, including:

  • What a risk assessment is and why they happen
  • Goals and components of a risk assessment
  • Results of successful (and unsuccessful) assessments
  • How to prepare for and complete an assessment

What is a risk assessment?

At its core, a risk assessment is a thorough review of the functions, policies and processes that an organization has in place, either internally or externally, and what risks they introduce to an organization. In a cybersecurity risk assessment, this typically means evaluating the risk of a cyberattack or data breach, but risk assessments can also cover compliance, operational and competitive risk. Risk assessments are frequently driven by regulatory or compliance needs, but increasingly, even non-regulated industries are beginning to evaluate risk.

A company can run a risk assessment of its own internal processes and procedures, but large businesses are starting to understand how their small business vendors' cybersecurity posture impacts them, and are increasingly running risk assessments of their vendors. This means B2B small businesses are under the gun.

This realization that vendors can be a danger is, unfortunately, an astute one. Small businesses collect a lot of sensitive data about their clients, often without realizing it. The sensitive data goes beyond credit card numbers. Here are a handful of examples of small business vendors and the sensitive data they store about their large clients:

  • Lawyer: Confidential legal information, documents, intellectual property (IP)
  • Marketing firm: Competitive analysis, marketing strategy, public relations communications
  • Accountant: Financial data, tax documents, employee and payroll details, banking information
  • Systems integrator: Security system maps and facility floor plans, security and process documentation, access points and configuration details
  • Manufacturer: Product designs, engineering schematics, input and output data, process data

Larger organizations and enterprise companies often have a lot of vendors competing for their business, and for security-conscious or highly-regulated businesses, cybersecurity can be an important component of the decision. Even as a small business, choosing a more security-minded vendor for your business needs can be a good way to reduce your overall risk.

What's in a risk assessment?

Third-party risk assessments often come in the form of a questionnaire and can be lengthy; some vendors have been asked to answer over 100 pages of questions on their security. Additionally, assessments often come out of the blue – they can be sent before the beginning of a contract or business deal or at any point during the working relationship.

Risk assessments vary, depending on the organization administering the assessment and the scope of the vendor relationship, but the core focus of the questionnaire is to figure out how the vendor is protecting the client's data. Covered areas often include:

  • Cybersecurity policies and procedures
  • Employee awareness and training programs
  • Data classification and storage
  • Technology protection and configuration
  • Penetration testing and other evaluation methods

Due to the volume and nature of the requests, IT teams or other parties are often required participants in the submission process. Depending on the questionnaire, you may be asked to provide supporting documentation of your technology, training and policies, as well as share the results of your testing.

In addition to a traditional questionnaire-style assessment, some companies are starting to use technology solutions to evaluate their vendors. These solutions run scans and compile publicly-accessible information about the company that contributes to risk. 

Results of a risk assessment

When you receive a cybersecurity assessment, simply not returning it is out of the question. The companies requesting these assessments often represent a significant book of business, so it's in your best interest to answer the questions promptly and correctly.

If you have proper security measures in place, a completed assessment can bolster your business. It can help differentiate your company from less security-conscious competitors and increase your client's confidence in your abilities. Additionally, it gives you a talking point with future clients during the prospecting and sales process.

On the other hand, if your business isn't prepared for the assessment, you may be in a tight spot. Failing to show adequate cybersecurity can mean losing the business relationship or contract. Additionally, if you submit an incomplete or insufficient questionnaire, the company requesting the assessment may return it to you, which may harm the business relationship and waste additional time.

The risk assessment is high stakes, but if you don't have the appropriate security controls in place, you shouldn't risk reporting false information. Not only is it bad for business and for client relationships, but it can also have significant legal impact and cost. As shown by Delta Air Lines' recent lawsuit against its chatbot provider, the vendor can be held liable if there is a cybersecurity incident. In Delta's case, its chatbot company's poor security practices caused a data breach that exposed customer information, even after the vendor signed a contract stating that it complied with standards.

You received a third-party risk assessment. Now what?

Third-party cybersecurity risk assessments are a big deal for small businesses, and they're often due back to the requestor in short order. Scrambling to improve your cybersecurity while also answering the questionnaire is unlikely to be effective, so ultimately, the best strategy is to prepare ahead of time. Here are some steps to take: 

1. Deploy basic cybersecurity measures

Simply understanding the rationale behind cybersecurity assessments and putting in place basic cybersecurity measures goes a long way towards preparing for an assessment. Work to deploy a comprehensive cybersecurity program to protect your organization and to satisfy assessments, and confirm that you're meeting all compliance requirements for your industry. Prepare an internal team ahead of time to assist with assessments and help you work through the details. If you have questions about a specific piece of the assessment, don't hesitate to reach out to the requestor or to your provider – it's better to understand ahead of time than to submit an incomplete response. 

2. Prepare your materials

Keep your cybersecurity information, including any relevant documentation, in a safe place that you can easily access in the case of a third-party assessment. Move methodically through the questionnaire and answer questions thoroughly and honestly. Consult with your cybersecurity provider or IT team as needed. 

If your company frequently receives risk assessments, consider preparing a standard response package that details how your company aligns with common frameworks such as the Standardized Information Gathering (SIG) questionnaire and provides supporting documentation. This standard response is easy to submit and may be accepted by the requestor as a substitute for their questionnaire as-is or with shorter supplemental pieces.

3. Organize and submit your information

Submit your risk assessment using the method specified. Keep a copy for yourself in a safe place, as well as any notes for next time. In the case that there are any remediations or improvements necessary in the aftermath of the assessment, work to address them thoroughly through your cybersecurity program. Consider forming a company Standard Operating Procedure (SOP) for how to handle third-party assessments, including who takes responsibility for what portions and where the information is stored.

Third-party cybersecurity risk assessments can be complicated, but they're increasingly an important part of doing business in the B2B market. A little bit of preparation and diligence goes a long way towards a successful assessment – and towards protecting your business.

What Cities and Municipalities Must do to Protect Themselves From Ransomware

Posted: 04 Oct 2019 08:00 AM PDT

If you spend enough time in any industry, you start to notice patterns.

I spend a lot of time in the cybersecurity industry, and I've noticed a pattern lately. Cities and municipalities are getting killed with ransomware.

This year alone has been a bloodbath. LaPorte County, Indiana, got taken for $130,000. Jackson County, Georgia coughed up a $400,000 ransom. Now, the officials in Baltimore took a different tack. They refused to pay the $76,000 to unlock their systems. To date, it's estimated the city has spent $18 million restoring their computer networks.

Of course, the mayors in these cities have seen this pattern too. That's why at their yearly conference, which represents over 1,400 mayors from U.S. cities with over 30,000 people, they adopted a resolution not to give in to ransomware demands. Apparently they haven't heard about Baltimore.

Do you know what resolution wasn't adopted at that conference? An agreement to follow best security practices to make sure they aren't victims of ransomware in the first place.

The cause of most ransomware

Yes, there are insider threats. Yes, there is vulnerable software. No, that's not the cause of most cyber attacks that lead to ransomware.

We know that somewhere between 91% and 93% of all cyber-attacks start with a phishing email. And 97% of all phishing emails deliver ransomware. In other words, just before you get hit by a ransomware attack, someone in your organization clicked on something they shouldn't have. If you can figure out a way to stop phishing, most of your problems go away.

The sophisticated nature of phishing attacks

When you spend a lot of time in the cybersecurity industry, you also gain an appreciation for how clever hackers are. I've seen a lot of sophisticated phishing exploits and my favorite is the one I call invisible links.

Targeting mobile devices, this technique incorporates an invisible link (using the opacity setting in CSS). In place of a visible link, the user sees a "bothersome" graphic element made to look like a small hair or a speck of dust. This tricks the user into wiping the "hair" or "dust" off the screen, which activates the link and launches a connection back to a rogue website, or worse, delivers some form of malware.

How cities and municipalities can protect themselves from ransomware

Many of the cities that get hit with ransomware are small, with small IT staffs and limited budgets. So, any solution to the ransomware problem must be affordable and easy to deploy. Here, I discuss three easy and affordable steps every city and municipality should take, immediately, to defend themselves from ransomware. These steps can also be used by small business owners looking to protect themselves against ransomware issues. 

1. Employee security awareness training

Employees need security awareness training. There are four different types of training available, with the most effective being simulated attack with real-time feedback. With this method of training, simulated phishing emails are randomly sent to employees. If they fall for the phish and click on a link, they are immediately alerted to the fact. The education happens at the exact moment of failure, which is thought to be the best time for education reinforcement.

Employee security awareness training is essential, but it's not sufficient. Why? Because we know from research that after one year of continuous employee training, the best possible result is 98% effectiveness. And while 98% may sound good, in a city with thousands of emails a day, that's dozens (or hundreds) of clicks on malicious links a day.

So, why bother training employees at all? Because it raises their overall level of suspicion. As silly as it sounds, when it comes to cybersecurity in general and emails in particular, suspicious employees are good employees. You want your employees on high alert at all times and awareness training helps facilitate that.

How much does awareness training cost? Anywhere from free to a couple of bucks per employee per year. Well within the budget of any city, municipality or business.

2. Cloud-based anti-phishing software

No matter how suspicious employees are, eventually some malicious link somewhere is going to get clicked. What's the best way for cities to protect themselves against that? Cloud-based anti-phishing software.

There are firewalls and there is antivirus software, but cloud-based solutions are better because all of the protection happens off site, before the email ever crosses the network perimeter. That gives it the opportunity to keep dangerous emails out of inboxes altogether.

Cloud-based anti-phishing software works simply by changing a DNS entry – which takes about 10 minutes – and rerouting all incoming email to the anti-phishing software provider. Once there, the anti-phishing software does two things. First, it immediately scans the email for malicious content. It doesn't just scan attachments; it actually follows the embedded links to their destination to see if that website is malicious. If it is, it quarantines the email so the recipient never sees it. Otherwise, it forwards the email on.

The other thing anti-phishing software does, which is really clever, is to rewrite all the embedded links in every email to point to itself rather than the ultimate destination. Why does it do that? Because the most sophisticated phishing emails are not threatening when they are first received, and they only turn threatening sometime later. This is known as a delayed phishing attack.

When an email is first sent, if it appears safe, it gets forwarded to the recipient's inbox. But what if the recipient clicks on the link in the email a couple of hours (or days) later, after the website has turned malicious? By rewriting the links and pointing them at itself, the anti-phishing software can check the link in real time, whenever it's clicked, every time it's clicked. If the link is good, the recipient is forwarded to the website. If it's not, it's blocked. This technique stops a lot of phishing attacks.
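The rewrite-and-check-at-click mechanism described above, as an added example that is not code from the original article or from any anti-phishing vendor: links in an HTML body are replaced with signed gateway URLs at delivery time, and the gateway re-checks the real destination against its current blocklist whenever a link is clicked, so a destination that turns malicious after delivery is still caught. The gateway hostname, key and blocklist contents are constructed for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed settings for this example: a hypothetical click gateway and key.
GATEWAY = "https://safelinks.gateway.example/click"
SECRET = b"constructed-demo-key-not-for-production"

# Destinations the gateway currently judges malicious. A real service refreshes
# this continuously, which is why the verdict is computed at click time.
BLOCKLIST = set()

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url: str) -> str:
    """HMAC over the destination so the gateway cannot be used as an open redirect."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def extract_links(html: str) -> list[str]:
    """Return every http(s) href in an HTML body, in document order."""
    return HREF_RE.findall(html)


def rewrite_links(html: str) -> str:
    """Delivery time: point every link at the gateway, carrying the real destination."""
    def to_gateway(match: re.Match) -> str:
        url = match.group(1)
        return f'href="{GATEWAY}?u={quote(url, safe="")}&sig={_sign(url)}"'
    return HREF_RE.sub(to_gateway, html)


def resolve_click(gateway_url: str) -> tuple[str, str]:
    """Click time: verify the signature, then re-check the destination right now.

    Returns (verdict, destination) with verdict one of
    'allow' (redirect the user), 'block' (show a warning page) or
    'reject' (parameters were tampered with; do not redirect anywhere).
    """
    params = parse_qs(urlparse(gateway_url).query)
    url = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    if not hmac.compare_digest(_sign(url), sig):
        return ("reject", url)
    if urlparse(url).hostname in BLOCKLIST:
        return ("block", url)
    return ("allow", url)
```

Adding a hostname to BLOCKLIST after a message has been delivered changes the verdict for links already sitting in inboxes, which is the delayed-phishing case the text describes.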

How much does cloud-based anti-phishing software cost? I found it for about 30 cents per employee per month. Do you think Baltimore wishes it had spent that?

3. Data backup

I'm writing this from a desktop computer in my office. For about five bucks a month, I have every one of the files on my computer backed up to the cloud in near-real time. If I were to fall victim to ransomware asking $10,000 to unlock my computer, do you know what I'd do? I'd go get a $1,000 computer, reinstall all my software and download all my files from the cloud. I'd be back up and running in a day.

In cybersecurity, best practice is something called defense-in-depth. It simply means, put up as many barriers as you can to protect yourself. If employee training is the first barrier and anti-phishing software is the second barrier, then the third barrier has to be data backup.

No matter how good a city's defenses, there's always a chance they'll become the victim of ransomware, because hackers are just too damn clever. But there's no reason that the city's data should ever have to be at risk. Back up your data in the cloud. And make sure the provider you choose backs up their datacenter (most do).

How much does data backup cost? It depends on how much data and the feature set, but figure no more than a couple bucks a month for each employee.

Bottom line

If you're a city or municipality, phishing emails are hitting your employees' inboxes every day, and many of them carry a ransomware payload. Don't wait to get hit before you take action. Train your employees, invest in anti-phishing software and back up your data. They're all a lot cheaper than paying the ransom.
