How to Protect Your Small Business Against a Cyber Attack
The Seattle hacker drove a black Mercedes. He owned a Rolex. He liked to frequent a downtown wine bar. While it's easy to think of cyber criminals as faceless, digital pickpockets in far-flung countries, the reality is that they are among us. In one notorious case, a bandit and his gang of cyber crooks compromised at least 53 Seattle-area small and medium-size businesses between 2008 and 2010, stealing enough data to cause $3 million in damages to the companies, their employees and their customers.
"This wasn't the type of crime that we anticipated," tech-company employee Alec Fishburne said at a news conference (where the Seattle victims agreed to be identified but asked that their businesses remain anonymous). The gang hacked Fishburne's firm from another office within the high-rise building. He became aware of the breach after noticing some unusual financial transactions. "It was very disconcerting for a small company … to wonder whether there was some internal fraud or embezzlement happening," he told reporters.
Another Seattle company was hacked after its old laptops were stolen in an office break-in; about a month later, funds were siphoned out through fraudulent payroll accounts. A third victim had the identities of almost all its employees stolen when the hacker gang cracked the company's network security. "It's enraging, because you think you have a system that's going to work," said the company's president. "These guys are really smart and ambitious, and that's a tough combination."
At least that company had a network security plan. Many others don't. According to a 2012 nationwide study of small businesses by digital security firm Symantec and the National Cyber Security Alliance (NCSA), 83 percent of small businesses have no formal cyber security plan, while 69 percent lack even an informal one. Meanwhile, 71 percent are dependent on the internet for daily operations, yet almost half believe data hacks are isolated incidents that won't have an impact on their business.
They couldn't be more wrong. According to Symantec/NCSA research from 2011--the most recent year available--cyber attacks cost small and medium-size businesses an average of $188,242, and almost two-thirds of victimized companies are forced out of business within six months of being attacked.
It doesn't have to be this way. The best defense against cybercrime is making hackers sweat for their spoils. According to a Verizon study of data breaches in 2011, more than 80 percent of victims were targets of opportunity--which means they did not protect their Wi-Fi systems with passwords and otherwise had poor security, if any at all. So make yourself a difficult target and keep your business secure with these six steps.
Encrypt your data.
Whether it's bank routing digits, credit card accounts or employee social security numbers, this type of long-gestating company-held information is what hackers use to steal money. "Anytime you're storing important data, when the data is at rest--which means it isn't being transmitted over the internet somehow--you want it encrypted," says Steve Cullen, senior vice president of worldwide marketing SMB and .Cloud at Symantec, which puts out the Norton anti-virus software.
Lance Spitzner, an instructor at SANS Institute, a Baltimore-based security research and education firm, recommends turning on full-disk encryption tools that come standard on most current operating systems. (On Windows-based PCs, the feature is known as BitLocker; on Macs it's called FileVault.) Activating the feature takes only a few minutes; once on, it'll encrypt every file and program on the drive with no noticeable performance lag. But there is one catch: The encryption applies only when users are logged out of the computer. That means hackers can still attack through viruses and malware while the system is running. Setting computers to automatically log out after 15 minutes without use helps enforce this measure.
The worst-case scenario if you don't follow these procedures? You don't encrypt your drives, but a devilish hacker does. By breaking into networks and encrypting businesses' data, some cyber criminals have held companies hostage virtually, demanding a ransom in exchange for the password.
Secure your hardware.
Of the Seattle-area companies that were hacked, more than 40 had their physical premises broken into by burglars who grabbed electronic equipment. In one case, the gang snatched more than $300,000 in servers, laptops, cell phones and other items. Security cameras recorded them using handcarts to haul loads of equipment to a van over a four-hour span.
For burglars who are not scared off by security alarms and motion detectors, physically locking down computers makes their job tougher. Few people feed a cable through their computer's Kensington lock port (the small metal loop found on most laptop and desktop devices) to secure it to their desk. Sure, these locks are relatively easy for a thief to circumvent, but the extra effort could tip the odds in your favor. "That little bit of time is something criminals usually don't want to take," Cullen says. "Time is the enemy for anyone breaking into a physical premises."
Make network storage safer by using Kensington locks or employing more robust solutions, like rack-mounting hardware and keeping server room doors closed and locked. Vancouver, Wash.-based CRU-DataPort makes several servers that can be secured with locks, USB security keys and even hardware-based encryption, ensuring that if drives are stolen, they will be unusable to the thieves.
There's also tracking software--important if your business runs on mobile laptops in the field. The tracking firm Prey uses a variety of methods to locate anything from a cell phone to a server, password-securing the machine if it goes missing and even snapping and sending pictures of the thief if the stolen device has a webcam. Low per-month rates make the small, covert program a must-install for any device that can access business data and company networks.
Lock your network.
Many hacking victims are compromised via Wi-Fi networks, through a technique called "wardriving." In cars outfitted with high-powered antennas, hacker gangs drive around cities, scanning for unlocked or poorly protected networks. Once a vulnerable Wi-Fi hot spot is found, the crooks are as good as in the company's front door, scouring machines on the network for passwords and financial data.
The best defense against exploits like wardriving is to have no wireless network at all. Wired networks, while less versatile, are more secure, because users have to access them by either plugging into physical outlets or hacking modem ports. But if your company must have a wireless network, disable the service set identifier (SSID) broadcasting function on the wireless router. This creates a cloaked or hidden network, invisible to casual Wi-Fi snoops and accessible only to users with the exact network name. Small businesses like coffeehouses can also do this--just periodically change the network's information and place a small sign near the register with the current network name and passcode.
If you're using Wi-Fi, update it to the latest encryption standard. Some Seattle wardriving victims had enabled Wired Equivalent Privacy (WEP), an easily cracked algorithm that fell out of favor almost 10 years ago, and thought their networks were secure. WPA2, the current standard, has a longer encryption key that is more difficult to break into. To make your data even safer, create a nonsense password with numbers, special characters and capital letters. Says Cullen, "They'd need a computer working on it for a million years to crack the code."
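To check your own access points against the advice above, the following added example (not part of the original article) audits a Wi-Fi scan and flags any network that is open, still on WEP, or otherwise below WPA2. It assumes the scan comes from the Linux command `nmcli -t -f SSID,SECURITY device wifi list`; the sample scan and network names are constructed for illustration.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ":" and escapes literal ":" and "\" with "\".
SAMPLE_SCAN = r"""
FrontOffice:WPA2
Warehouse:WEP
Guest\:Lobby:
OldPrinter:WPA1
Accounting:WPA2 WPA3
"""

def split_terse(line):
    """Split one terse nmcli line into fields, honouring backslash escapes."""
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur += line[i + 1]  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields

def classify(security):
    """Map the SECURITY column to a finding; 'ok' means WPA2 or newer."""
    modes = set(security.split()) - {"--"}  # "--" marks an open network
    if not modes:
        return "open"
    if "WEP" in modes:
        return "wep"
    if not modes & {"WPA2", "WPA3"}:
        return "below-wpa2"
    return "ok"

def audit(scan_text):
    """Return (ssid, finding) for every network that is not 'ok'."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, security = split_terse(line)[:2]
        verdict = classify(security)
        if verdict != "ok":
            findings.append((ssid, verdict))
    return findings
```

Run it against a scan taken inside your own premises and reconfigure any access point you own that appears in the findings.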
Install anti-malware and anti-virus protection.
When wardrivers are successful in cracking a wireless network, they can log in and infect connected computers with malicious software or viruses. But it doesn't take a Wi-Fi connection to plant this software; spam e-mails and harmful websites push it to computers all the time, and if the efforts are successful, the malware can install code that runs in the background, capturing keystrokes and login information and relaying it to the hackers. According to Verizon's study, malware was used in nearly half of data breaches in 2010 and was responsible for almost 80 percent of records stolen.
"That's probably the No. 1 money-generating technique the bad guys use," SANS Institute's Spitzner says. "Anytime you visit any type of website that requires a login and password--Facebook, your bank, payroll, whatever--malware will harvest your information and send it to the bad guy," he says. "The bad guy will turn right around, log in as you and do all his evil stuff."
Most malware is installed through network security hacks, but being vigilant about cybercrime is as much about anticipating tomorrow's threats as it is defending against today's. E-mail phishing, spoofing and apps that access social media accounts are popping up with increasing regularity. Loading anti-malware and anti-virus protection on your machines--that goes for mobile devices as well--and running it after every software install can help ensure these threats don't take. Also, keeping programs and hardware up to date--from upgrading to newer routers and computers to immediately installing browser updates--blocks malicious worms that thrive in older equipment and out-of-date software.
Educate your employees.
If a computer on your network becomes compromised--whether the intrusion came from an internal fantasy-football e-mail or through a nefarious Facebook app that an HR administrator clicked on during lunch--your entire operation is at risk. "You shouldn't be the only one vigilant about protecting your and your customers' information," Symantec's Cullen says. "Your employees should all be on the lookout, and you as a small-business owner should be there to give them some guidelines."
Keep employees informed about threats through brief e-mails or at periodic meetings led by your IT expert. The first step, however, is to write out a formal company internet policy, setting acceptable and prohibited online activities for employees--an exercise that a distressingly small 10 percent of companies follow, according to Symantec/NCSA. For example, prohibit employees from opening e-mail attachments or clicking on links that don't pertain to company business. Or limit personal e-mail access to personal smartphones via the employee's wireless connection, not the company Wi-Fi.
Enlisting an outside expert can improve your odds of deflecting an attack. Though it may seem counterintuitive, small businesses can limit their exposure to cyber criminals by signing on with internet-based data-security vendors--especially as the quality of cloud-based business services evolves. "They can offload a lot of the burdens that a small business doesn't, frankly, want to deal with," says Cullen, who ran his own company before joining Symantec. "I know it wasn't something that I wanted to spend two minutes thinking about."
But do your homework: Read the vendor's terms and conditions to determine who is actually responsible for protecting your data. For instance, with online credit card processors, make sure they comply with Payment Card Industry Data Security Standard (PCI DSS) requirements; otherwise, you could be on the hook for customers' damages if you get hacked.
At the extreme end, you can move responsibility for your technology infrastructure to a managed service provider (MSP) that will maintain and secure your company's systems remotely. The MSP will be responsible for backing up your files on its servers, updating firewalls, encrypting data and making sure everything's running smoothly.
And when things go bad, it'll take the hit for the damages.
Back in Seattle, the police did finally nab the group behind the rash of cyber thefts. And they did it through old-fashioned detective work. One member of the gang was caught using a stolen gift card, lifted during an office burglary. He was arrested at a wine bar and led police to an antenna-mounted Mercedes and eventually to his two accomplices. Sentenced last summer, the three are now serving a combined 22 years in prison and will have to pay restitution to the victims.
"Beyond the fraud and physical damage, there are costs without a price tag: the violation of the sense of security for their customers, employees and owners," noted prosecuting U.S. Attorney Jenny Durkan. Not to mention the dreams of the many entrepreneurs who were put out of business.
You've Been Hacked. Now What?
The warning signs are clear: If you see a huge money transfer going to an account in Russia or somewhere else where you don't do business (in one Seattle case, it was North Dakota), contact your bank immediately. "The sooner you identify an incident, the more likely you'll get your money back or minimize the damage," says Lance Spitzner, an instructor at Baltimore's SANS Institute.
If your company's computers are stolen or tampered with, call the local police. They may know of similar incidents, can investigate deeper and will contact the appropriate authorities, including the FBI and the Secret Service, which maintains an electronic crime task force. But most important, at the first sign of any intrusion, change your passwords and keep an eye on your balances, from business funds to personal and employee accounts.
Want to fight back? Try installing Mykonos web security software on your network. The programs from this San Francisco-based company aim to deceive the bad guys by reverse-hacking: sending criminals on wild goose chases with falsified information that's too attractive to ignore, bogging them down with misinformation until they give up and leave or literally slowing down their machines to the point that they become useless.