But, I’m compliant…

I live in a rural area, so a fair number of people roughly understand what I do for a living. I frequently get asked questions because, well, people are curious. Cybersecurity is everywhere you look, including the headline news. Hacking sounds insanely cool, even if it is glamorized ad nauseam on TV and in movies. This used to really annoy my wife because we would inevitably go out for a nice dinner without the kiddos and someone would start asking questions. All these years later, I think even she has finally gotten used to it. 

All of that to say I was approached by a restaurant owner at a lunch spot a while back regarding their business’ cybersecurity. We chatted and I explained that TreeTop offers a low-cost, comprehensive cybersecurity platform designed especially with small businesses in mind. I gave them a card and they said they would be in touch. No big deal. 

I went back quite some time later. The owner said they really needed to figure something out. They wanted to do something about cybersecurity because they thought it *might* be an issue, but right now they were experiencing all sorts of issues that were more on the IT side of life. They called one IT place and were told everything was OK. They called another and that provider said the same thing, but the wireless just wasn’t working right. I explained that I don’t do IT anymore (long story that involves a non-compete agreement), but I would take a look at it at some point as part of the TreeTop SMB cybersecurity platform. Yes, wireless is a vital part of general security as well as of our cybersecurity platform. 

Real quick… If you’re not sure what PCI is, it stands for Payment Card Industry. If you own a business and accept credit cards, there is a really good chance you are “supposed” to be PCI compliant (PCI DSS, the Data Security Standard). And now, back to the story! 

After I said that about wireless and IT, the owner restated that they want to get better at cybersecurity… eventually. In fact, I would say he was nearly excited when explaining how they had recently gone through a PCI security assessment/questionnaire and a quarterly external scan. Pop out the champagne because they're compliant! 😉 I laughed because I had heard this song and dance before, but I didn’t say anything. Then the owner took my credit card so they could run it for our meal. In those few minutes, I figured I would scan their wireless and hop on their guest network to see whether anything looked off, including minor security issues. 


This is where the story takes a slight turn and I remind our readers that compliance does not equal security. After hopping on the guest network, I was greeted with the network scan shown in the picture. This output is from a really simple program called Fing that you can download to your smartphone. WHAT?!?! Yes, that’s a server, point-of-sale registers, and much more, all on the guest network. To be quite honest, I was even a little surprised. When the owner came back, I showed what I found and they were dumbfounded. “How can that be? No one has the password to the private network except key personnel?” Unfortunately, whoever set it up didn’t bother separating the guest network and the private network. People “thought” they were connecting to different networks because of the different SSIDs (Wi-Fi names), but in reality both SSIDs were dumped onto the exact same network. Major whoops! 
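A quick way for an owner or their IT provider to verify that a guest SSID is actually isolated is to connect to it, note the address it hands out, and compare what is visible against the range the business considers private. The following is an added example written for this post, not code from TreeTop, Peak or Fing; the host list is a constructed stand-in for a scanner export, the addresses are made up, and the keyword list for "sensitive" devices is an assumption you would tune to your own environment.

```python
"""Guest-SSID segmentation check (added example, not the post's own tooling).

Idea: if the address the guest Wi-Fi hands you falls inside the private
range, or if devices like servers and POS registers are visible from the
guest side, the two SSIDs are almost certainly on the same network
regardless of their names.
"""
import ipaddress
from dataclasses import dataclass

# Assumed device-type keywords that should never be reachable from a guest
# client. Scanner labels vary, so treat this list as a starting point.
SENSITIVE_KEYWORDS = ("server", "pos", "register", "terminal", "camera", "nas", "nvr")


@dataclass(frozen=True)
class Host:
    ip: str      # address reported by the scanner
    name: str    # hostname or scanner-assigned label
    vendor: str  # MAC-vendor string reported by the scanner


# Constructed sample in the spirit of the scan described above; these are
# not real devices or addresses from the restaurant.
SAMPLE_HOSTS = [
    Host("192.168.1.1", "Wireless Router", "TP-Link"),
    Host("192.168.1.10", "FILE-SERVER", "Dell"),
    Host("192.168.1.21", "POS-REGISTER-1", "NCR"),
    Host("192.168.1.22", "POS-REGISTER-2", "NCR"),
    Host("192.168.1.57", "iPhone", "Apple"),
    Host("192.168.1.80", "LOBBY-CAMERA", "Hikvision"),
]


def is_sensitive(host: Host) -> bool:
    """True if the scanner label suggests a device that belongs on the private network."""
    label = host.name.lower()
    return any(keyword in label for keyword in SENSITIVE_KEYWORDS)


def audit_guest_network(hosts, guest_client_ip, guest_prefix_len, private_cidr):
    """Report segmentation problems as seen from a client on the guest SSID.

    hosts            -- hosts discovered while connected to the guest SSID
    guest_client_ip  -- the address the guest SSID assigned to our device
    guest_prefix_len -- prefix length derived from the netmask we were given
    private_cidr     -- the range the business believes is its private network
    """
    guest_net = ipaddress.ip_network(f"{guest_client_ip}/{guest_prefix_len}", strict=False)
    private_net = ipaddress.ip_network(private_cidr)
    guest_addr = ipaddress.ip_address(guest_client_ip)

    # Our own guest address landing inside the private range is the clearest
    # sign that both SSIDs are bridged onto one LAN.
    guest_inside_private = guest_addr in private_net
    subnets_overlap = guest_net.overlaps(private_net)

    sensitive_hosts = [h.name for h in hosts if is_sensitive(h)]
    hosts_in_private = [h for h in hosts if ipaddress.ip_address(h.ip) in private_net]

    return {
        "guest_inside_private": guest_inside_private,
        "subnets_overlap": subnets_overlap,
        "sensitive_hosts": sensitive_hosts,
        "hosts_in_private_range": len(hosts_in_private),
        # Segmented only if the ranges are distinct and nothing sensitive shows up.
        "segmented": not subnets_overlap and not sensitive_hosts and not hosts_in_private,
    }


if __name__ == "__main__":
    # Reproduces the situation in the post: guest client lands on 192.168.1.x
    # and sees the server and registers.
    report = audit_guest_network(SAMPLE_HOSTS, "192.168.1.57", 24, "192.168.1.0/24")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run while connected to the guest SSID, with the scanner's host list pasted in; a `segmented: False` result with servers or registers in `sensitive_hosts` is exactly the "different SSID, same network" problem the post describes, and the fix belongs on the access point or router (a separate VLAN or subnet for the guest SSID, with client isolation turned on), not on the PCI questionnaire.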

At the end of the day, PCI compliance is no joke. If an incident had occurred on this network, the business could have been fined out of existence. Small businesses need comprehensive, ongoing security at prices every small business can afford.

Small businesses need Peak, the small business cybersecurity platform. Need help securing your business? Please keep TreeTop Security and the Peak platform in mind for a better approach to small business cybersecurity. We provide cybersecurity peace of mind for small businesses.