Computer Column #348
John P. Reid
Hackers recently carried out major data breaches at large corporations (www.identityforce.com/blog/2017-data-breaches). Small businesses are not immune. Antiques malls often have computer point-of-sale, inventory, and dealer payment systems that are hackable. Sure, the local antiques mall is not as tempting a target as Equifax or the U.S. Securities and Exchange Commission, but a small-time crook, dodgy competitor, or disgruntled employee can cause damage. Auction houses, antiques shops, conservators, and appraisers are vulnerable as well.
What would you say to your customers or mall booth holders if their personal information were stolen?
Three publishers of antiques mall software with whom I have dealt for years were consulted: a representative of SOS for Windows (www.antiques-sos.com), Jason Lorde of the Art and Antique Information Network (www.aain.com), and Bruce Lowry of the Antique Mall Accounting System (www.antiquemallsoftware.com). Lowry’s early mall software was reviewed in column #5 in 1989.
When asked about mall software security, all instantly returned similar suggestions—so similar that I will merge them. Further suggestions have been added from my experience and from the Internet. Most suggestions are applicable to any small business.
All correspondents agreed that much hacking starts in the house. Perhaps an innocent employee clicks on a link in an e-mail, which opens your Internet account to an outsider. Less innocently, an employee or visitor copies sensitive information for personal gain.
Thirty years ago, I joined an antiques co-op. I was given a short talk on counting change and looking for counterfeit bills when my first turn to run the shop came up. Today’s complexities demand more. Printed work rules and security training should be given to each employee or partner.
There should be levels of passwords. For example, a point-of-sale clerk does not need access to financial records. Individuals’ passwords should be strong and not guessable. Employees should be told not to share passwords. Passwords should be changed frequently. The system supported by one of my correspondents actually assigns the passwords. If there is reason to believe that passwords are compromised, they can be changed en masse in a few hours by the publisher’s tech support. Users of other software can have a procedure to do this on their own.
Employees and customers should not be able to browse, text or e-mail, use social media, search the Internet, or play games on their own laptops or mobile devices over the Wi-Fi used by the store computer. If such service is required, a separate Wi-Fi account and router should be used. Employees should not be allowed to use their own devices for store business.
Physical security of the store computer is important. A locked room is best. A knowledgeable person can quickly search an unattended computer and copy files to a thumb drive, memory chip, portable hard drive, or mobile device. Turn off the computer when the store is closed. Knowledge of the procedure and password to start up the computer each day should be limited to trusted top personnel. If more than one computer is needed to support point-of-sale stations, networking should use the operating system’s native sharing tools such as Windows Server, not the Internet. If the shop has surveillance cameras, one could be aimed at the computer.
Consider investing in a part-time IT (Information Technology) consultant. It did not involve antiques, but for 20 years I was a volunteer and officer at a nonprofit member-owned figure-skating and hockey rink. The annual budget was in the high six figures. A lot of that was electricity and equipment maintenance to keep a 175' x 85' sheet of ice frozen all year. However, we found money for an on-call IT consultant who set up, secured, checked, and repaired the club computer system. It was well worth it.
Protect your Wi-Fi with a strong password and a security protocol (usually WPA2). Change the password periodically. Hackers can buy software to steal passwords. When the Wi-Fi is installed, immediately change the router (the box with flashing lights) username and administrator password. As administrator, elect to hide the router’s name, the SSID (Service Set Identifier), from the public. Do not set the computer to automatically connect to Wi-Fi. Require manual connection to prevent log-on to a phony Wi-Fi set up to target you.
Have good virus and malware protection installed. Free protection programs may not be adequate. Keep the operating system and the protection system up to date. Use the latest version of the operating system on which your mall software will run. Many recent breaches, including those at British hospitals, have occurred because companies were still using Windows 7 instead of the safer Windows 10. These steps will counter outside hackers as well as inadvertent threats introduced by a careless employee or owner.
Make data backups every day at closing time. Invest in software and a cloud service to do this automatically. Better yet, use an automatic system to continuously back up files. Also, complete image backups should be made periodically and stored remotely so the operating system, software, and data can be restored in case of computer theft, flood, fire, or ransomware attack. Many small businesses in Houston, the Florida Keys, and Puerto Rico might wish they had done this.
Do not store customer or dealer information that is not necessary. Credit card information is best entered at the time of sale and then deleted. Social security numbers are necessary only for preparing dealers’ and employees’ tax statements. These are best stored in a separate payroll accounting system.
If periodic newsletters or sale announcements are e-mailed to customers or dealers, office personnel should know how to send mass mailings without the entire mailing list being revealed to each recipient in the e-mail CCs (carbon copies). Mailing software differs in method.
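One way to do this in a script, as an added example that is not from the column or from any of the mall software it mentions: each customer gets a separate copy addressed only to them, and a check confirms that no copy names anyone else on the list. The addresses, sender and function names are constructed for illustration, and actual delivery (for instance through Python's smtplib) is left out so the example runs offline.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Shape check only; refusing whitespace also blocks CR/LF header injection.
ADDR_RE = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+$")

def clean_list(recipients):
    """Validate and de-duplicate addresses (case-insensitively), keeping order."""
    seen, out = set(), []
    for raw in recipients:
        addr = raw.strip()
        if not ADDR_RE.match(addr):
            raise ValueError(f"bad address: {raw!r}")
        if addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr)
    return out

def build_mailing(sender, recipients, subject, body):
    """Return one (recipient, message) pair per address on the list.

    Each copy names only its own recipient in To:, so nobody receives
    the rest of the list in To:, Cc: or any other header.
    """
    batch = []
    for addr in clean_list(recipients):
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, addr, subject
        msg.set_content(body)
        batch.append((addr, msg))
    return batch

def exposed_addresses(msg, recipient, mailing_list):
    """List members visible in msg's address headers, besides its recipient."""
    shown = set()
    for name in ("To", "Cc", "Bcc", "Reply-To"):
        shown |= {a.lower() for _, a in getaddresses(msg.get_all(name, []))}
    return [a for a in clean_list(mailing_list)
            if a.lower() in shown and a.lower() != recipient.lower()]

if __name__ == "__main__":
    # Constructed sample list; example.com/.org are reserved test domains.
    customers = ["ann@example.com", "bob@example.com", "cy@example.org"]
    for rcpt, m in build_mailing("news@shop.example", customers, "Sale", "Hi"):
        print(rcpt, "sees others:", exposed_addresses(m, rcpt, customers))
```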
An Internet source suggested that shop owners plant bizarre fake customer and dealer names and inventory items in their databases. If a breach occurs, a skilled Internet search engine user might get a clue about who stole the information. There does not seem to be evidence that this has worked, but it costs little.
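The decoy idea above, sketched as an added example (not from the column or its Internet source). It goes one step further than the text by giving each copy of the database its own decoy names, derived from a secret, so that names found online point to the copy they came from; the word lists, labels and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed word parts for building names no real customer would have.
FIRST = ["Zebulon", "Ottoline", "Barnaby", "Hepzibah",
         "Thaddeus", "Eulalia", "Peregrine", "Quillon"]
SYLLABLES = ["zor", "bim", "qua", "fen", "wix", "dro", "pla", "muk",
             "tev", "gos", "hub", "yal", "kri", "nep", "sot", "vum"]

def decoy_names(secret, copy_label, count=3):
    """Derive the decoy names for one copy of the database.

    The names depend on the secret and the label, so they can be
    recomputed later without keeping a list of them beside the data.
    """
    names = []
    for i in range(count):
        digest = hmac.new(secret, f"{copy_label}:{i}".encode(),
                          hashlib.sha256).digest()
        surname = "".join(SYLLABLES[b % 16] for b in digest[1:7])
        names.append(f"{FIRST[digest[0] % 8]} {surname.capitalize()}")
    return names

def trace_leak(text, secret, copy_labels, count=3):
    """Return {label: [decoys found]} for each copy whose decoys appear in text."""
    low = text.lower()
    hits = {}
    for label in copy_labels:
        found = [n for n in decoy_names(secret, label, count)
                 if n.split()[1].lower() in low]   # surname is the unique part
        if found:
            hits[label] = found
    return hits

if __name__ == "__main__":
    key = b"constructed-demo-secret"   # a real secret belongs off the store PC
    copies = ["store-pc", "cloud-backup", "accountant-export"]
    # Constructed "found online" text containing one planted record.
    planted = decoy_names(key, "accountant-export")[0]
    dump = f"Mary Smith,Booth 12\n{planted},Booth 77\nJoe Brown,Booth 3\n"
    print(trace_leak(dump, key, copies))
```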
Finally, prepare a plan of action in the event a breach occurs. A lawyer may have suggestions.
Column #338, published in the February 2017 issue, described Affinity Photo, a new photo editor that competes with Adobe Photoshop and Corel PaintShop Pro at the attractive one-time charge of $49.99 (www.affinity.serif.com/en-us/photo). It has been a prize-winning application on Apple Macintosh since 2015 and became available for Windows in 2016. I have gradually switched to it for photo editing. It is not easy to learn, but there are hundreds of short videos showing how to use its features. Affinity Photo is now available for the Apple iPad for $19.99 (www.affinity.serif.com/en-us/photo/ipad).
Cyber security posters can be created with a word processor from ideas and clip art found by Internet search. This poster may be downloaded at (www.jnjreid.com/jpr_348.pdf).
Originally published in the December 2017 issue of Maine Antique Digest. © 2017 Maine Antique Digest