Cyberattacks are in the news every day. “Hackers,” operating as individuals and loosely-integrated teams, continually attack corporations and government agencies for reasons ranging from sport to financial gain. In October, Governor Nikki Haley announced that South Carolina’s servers were compromised and more than 3.6 million social security numbers and 387,000 credit card numbers were stolen.
Small and medium-size businesses are often very vulnerable, because they lack the sophistication, resources and infrastructure to protect their data and information and those of their customers. A recent poll showed that less than 15 percent of small business owners felt that they had adequate protection for their IT systems, but only 10 percent were planning to make major IT investments this year to reduce their risk and exposure.
In small businesses, a few people often do many different things. The company “IT guru” often maintains the web portals and sites, social media pages, email server, phone system, router, server, and firewall as a collateral responsibility—often with minimal or no formal instruction. In addition, a small business typically does not have a large IT budget, so the guru often uses whatever works to keep everyone up and running. This leaves dangerous gaps in the company’s digital armor and puts everything at-risk.
So what can a small business do to protect itself? Well, it’s a combination of educating the work force, making prudent investments in technology, and implementing a set of best practices for safeguarding data.
Over the next few issues, we will describe some simple things that you can do to reduce your risk of a catastrophic breach in your IT infrastructure. So let’s get started with the ubiquitous IT tool: email.
Hackers often use email to exploit their victims because it is easy and effective, and there are many options available to dupe the unwitting email recipient. The hacker simply attaches a virus, trojan horse, key logger, or other malware to an email; disguises or embeds it in an Adobe Acrobat, Microsoft Office or other common file type; and then makes it irresistible to open or launch—such as naming the file “Company Salaries and Bonuses for 2013 / HR Confidential / President Eyes Only.”
Nearly everyone who receives such an email will open it. Once opened, the malware installs itself and the hacker then owns that machine and assumes all the authorities assigned to that user. Company confidential information is immediately and continuously stolen, with the malware running in the background and without the user’s knowledge.
Often, the hacker uses the compromised machine to then attack the system administrator from the inside, which is significantly easier than from outside a firewall. If the system administrator account is compromised, the small business is going to pay a significant price—in lost sales, damaged reputation, or capital expenditures to reclaim/replace most of its IT equipment or all of the above.
To reduce your vulnerability to email exploitation, there are a few simple things that every small business owner should consider:
• Subscribe to and maintain an annual service agreement for virus protection, anti-spyware and a personal firewall, and ensure that the settings allow automatic updates. Products such as Norton 360 provide comprehensive protection for less than $100/year per user. This seems obvious, but many companies do not subscribe after the trial period or unknowingly allow the agreements to expire.
• Transition to a cloud-based email service and re-route your incoming and outgoing email traffic through a third-party service that scans for spam, viruses, phishing scams, directory harvesting, and denial-of-service attacks. McAfee and Symantec are two of the leaders in email protection. Their solutions are very affordable, relatively easy to set up, and do not require new hardware. Once the service is active, it is very effective at sanitizing email and requires little or no continued maintenance or support.
• Require your employees to use a two-step login procedure. Email accounts are often exploited by a hacker who “guesses” a user’s password from available information. A two-step procedure requires the user to present a complex password plus a second means of digital identification, such as a coded message sent via SMS to a mobile phone or a code generated by a key fob.
• Lock and encrypt your mobile devices. Email account and password information is readily accessible from a smartphone. Most people will enable the password feature on their mobile device, but if that device is lost or stolen, the password is easily bypassed within minutes. To protect your email account information and other data stored on the mobile device, it is highly recommended that you activate the option to encrypt all data—including that on the SD card. Consult your user guide for instructions on this simple procedure.
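To show what the two-step login described above actually checks, here is an added Python example (not part of this column, and not any vendor’s product code). It models the server side: the password is verified against a salted PBKDF2 hash, and the second step is a six-digit one-time code of the kind a key fob or phone app produces (HOTP per RFC 4226, with its time-based variant TOTP per RFC 6238). The shared secret, password and salt are constructed demo values; the secret is the RFC 4226 test-vector key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed demo secret: the RFC 4226 test-vector key, used here only so
# the generated codes match the published vectors. Never reuse in production.
OTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): what a key fob computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes from the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current time window."""
    return hotp(secret, at_time // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash so a stolen database does not yield passwords directly."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, stored)


def verify_code(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current window and one either side to tolerate clock drift."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def two_step_login(password: str, submitted_code: str, salt: bytes,
                   stored_hash: bytes, secret: bytes, at_time: int) -> bool:
    """Both steps must pass: a guessed password alone does not open the account."""
    if not verify_password(password, salt, stored_hash):
        return False
    return verify_code(secret, submitted_code, at_time)


if __name__ == "__main__":
    # Constructed enrolment: the user chose a passphrase and was issued OTP_SECRET.
    salt, stored = hash_password("correct horse battery staple")
    now = 59  # a fixed clock value so the expected code is reproducible
    print("code the fob shows right now:", totp(OTP_SECRET, now))
    print("password only, no code:", two_step_login("correct horse battery staple", "000000", salt, stored, OTP_SECRET, now))
    print("password and code:", two_step_login("correct horse battery staple", totp(OTP_SECRET, now), salt, stored, OTP_SECRET, now))
```

The point for a small business is in `two_step_login`: a hacker who guesses or phishes the password still fails the second check, because the one-time code depends on a secret that never travels with the password.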
In the next edition, I will make some recommendations for protecting your identity while online.