Christopher D. Roberti Christopher D. Roberti
Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce
Lance Johnson


July 27, 2018


Simply put, American companies and consumers are under attack. Cybercrime costs the global economy more than $400 billion annually, according to a report by McAfee and the Center for Strategic and International Studies. Although it is a global problem, the U.S. has the most reported data breaches of any country by a wide margin.

We are fortunate to live in a country with a robust economy where consumers engage in trillions of dollars of transactions every year. Yet it is that very activity that makes the U.S. ripe for global cybercriminals working 24/7 to steal information. Cybercrime is now the second most reported crime globally, according to PricewaterhouseCoopers (PwC), and all indications suggest that trend will continue.

There is no one type of cyberattack. While methods and attack vectors evolve, they do not go away completely. They can be straightforward or sophisticated and vary tremendously. Moreover, the tools that criminals use are clever and powerful and include malware, phishing, and ransomware, among others.

The U.S. Chamber of Commerce is working to raise awareness of the hazards associated with these tools and methods, which together place businesses at increased risk.

While we hear of the newest attack almost daily, much of the real damage is caused by smaller attacks, many of which can be prevented by easy fixes. These fixes make sense to us in the security industry, but they are not as well understood by the general public. A simple, but real, example is not to use the word "password" as your password. That may seem obvious, but "password" and slight variations are consistently found to be among the most common passwords on private systems.

What this means is that we need more education and an emphasis on best practices. The U.S. Chamber believes that investment in sound cybersecurity best practices can lead to strong, positive outcomes for all companies. However, we also face a growing shortage of cybersecurity professionals. Our adversaries are growing in number and in sophistication more rapidly than we can recruit, train, and deploy cyber defense professionals. By 2021, there could be as many as 3.5 million unfilled cybersecurity jobs around the world.

Small merchants are especially challenged. They can least afford the skills to protect themselves or their loses from a successful attack. Nevertheless, the U.S. Chamber sees quality cyber practices not as a drain on business resources but as an add-on. Often, small merchants feel that they are on their own when protecting themselves from cybercrime. Not surprisingly, criminals see small businesses as easy targets, as demonstrated by an increase in attacks on them.

Since we know these attacks are coming, the time to act is now.

The good news is we know where most small merchants are vulnerable and how to better improve their security. According to a Verizon report on data breaches, the overwhelming majority of breaches against businesses are the result of three primary failures: weak passwords, poor patching, and remote access. These problems all have simple solutions that merchants and their business partners can apply.

The PCI Security Standards Council has worked with the business community to develop guidance and recommendations to specifically help merchants. These recommendations simplify payment security and provide specifics on how to significantly reduce risk, as outlined in the categories below.


According to the Verizon report, four out of every five hacking-related data breaches leverage stolen and/or weak passwords. It is critical for merchants to always change default passwords to strong passwords (difficult to guess) and update them regularly.

PCI Security Standards Council infographicPayment Data Security Essential: Strong Passwords


Software vendors issue patches to fix known vulnerabilities. Merchants must install these patches to prevent criminals from hacking into systems using those vulnerabilities. Identify which third-party vendors send you patches and install them as soon as possible. Waiting dramatically increases your risk.

PCI Security Standards Council infographicPayment Data Security Essential: Patching

Remote Access

Point-of-sale (POS) vendors often use remote access to support merchant payment systems without visiting the business location. But remote access allows anyone with the proper credentials to access systems. Know who has access to the systems and limit the use of remote access. Make sure that all third parties have strong, secure credentials.

PCI Security Standards Council infographicPayment Data Security Essential: Secure Remote Access

By addressing these three critical areas, merchants can better protect themselves and reduce their exposure to nonstop attacks. Working together, we can harden our defense, protect payments more robustly, and make it more challenging for cyber criminals to profit from their malign activities.

Editor's note: The third paragraph was edited to clarify the cyberthreats to business.

About the authors

Christopher D. Roberti

Christopher D. Roberti

Christopher D. Roberti is senior vice president for Cyber, Space, and National Security Policy at the U.S. Chamber of Commerce.

Read more

Lance Johnson