by David Gracey
Every week brings national news of yet another corporate security breach costing the company hundreds of thousands of dollars in damages and fines. With the vast resources spent on protecting the IT infrastructure of Fortune 500 companies, how is a small business supposed to protect itself on a limited budget? The answer is much simpler than you would think. Let’s start with the bad news.
Just like a burglar who targets a home for a heist, if a bad guy targets your company’s computer network for electronic penetration and has enough resources, there is not a whole lot that can be done to prevent him from gaining access to your system. And that leads to the good news: it is extremely rare for a small firm to be the target of a highly focused attack. The reason is that small businesses almost never have enough valuable information stored on their servers to become a target in the first place.
Recreational Hackers: Unlike hacker networks such as Anonymous, or state-sponsored hackers centered around espionage (Google “Stuxnet” or “Flame Virus”), recreational hackers are guys (they are almost all males) who, if born in a prior generation, would have spray painted a bridge or vandalized a building. Nowadays, a kid (they are mostly under the age of 25) armed with average computer skills and Google can access millions of vulnerable systems. Most are looking for recognition among the hacker community or simply enjoy the sport of it. Like destroying physical property, many hackers enjoy deleting data or rendering computers inoperable. Needless to say, the casual hacker can cause your business real damage.
So the most likely threat you will face comes from the recreational hacker, which is good news because there are several very simple and inexpensive steps that can be followed to greatly reduce your chances of being hacked. Hacking is a numbers game. There might only be a small percentage of vulnerable computers out there, but if hackers scan thousands of computers, they will get a large number of targets.
This is how a hacker finds you: the first step is that the hacker downloads a free software tool designed to scan vast numbers of computers. He can target a geographical area like Atlanta, but most times he will just set it to scan all the computers in a given network, which will generate tens of thousands of hits. After a day or so of scanning, the tool generates a report that shows all computers that fit his criteria, say all computers that have Microsoft Windows installed. His next step is to get another tool that will “knock on the door” to see what electronic ports are unprotected. Over the years, hundreds of bugs have been discovered in Microsoft Windows, and patches have been released to fix most of them. The problem is that most folks don’t update their Windows software very often (if ever), and the hacker’s software tools know how to exploit those bugs, thereby gaining entry to your system. Once the hacker has his list of vulnerable computers, he can then manually take control of a remote computer and install other tools that give him full control of the system. At this point he can do whatever he wants to the computer, such as storing other files there, copying off or deleting all the data, or doing other mischief. Once a computer system has been breached, the only guaranteed way to ensure the computer is secure again is to wipe out all the information and reload everything from scratch.
If a computer on your firm’s network is compromised, the hacker then has the ability to begin taking control of other computers and servers on your network. The best plan is to be proactive and keep the hacker from breaching your security perimeter in the first place. There is no single security solution that protects everything. Instead, security is best managed using a multi-layered approach. You need several different protections in place in order to minimize your risk of a security breach. Fortunately, the four most effective ways to secure your network are very easy and inexpensive to implement.
Install Software Patches: The most common way in which a hacker accesses a computer system is to exploit well-known bugs in the Windows operating system. Again, it’s just a numbers game. Over 90% of all computers in the world run Windows, so hackers have a big pool to draw from, and there are lots of pirated copies of Windows which cannot be updated.
Robust Firewall: A dedicated hardware firewall is your best defense against the public Internet. Firewalls come in many types and price points. While the $100 special that can be purchased from your local Office Depot can keep out many of the bad guys, what the job really calls for is a robust, business-class firewall that has advanced intrusion prevention, built-in anti-malware capabilities and detailed reporting. Additionally, it needs to be monitored by an IT expert who knows what to look for.
Anti-Virus Software: Good anti-virus software has been around for years, but as the threats have evolved, so has the anti-virus software. Pick a market-leading provider such as McAfee, Trend Micro or Kaspersky. Make sure it’s installed properly and monitored by your IT guy to ensure the definitions are updated at least daily.
(Not so) Complex Passwords: A hacked database last year revealed passwords for millions of online accounts (see RockYou.com). Of the top 10 most commonly used passwords, five are simple numeric strings such as 123456 (number 1 on the list) and 12345 (number 2). “Password” is the #4 most commonly used password. (Really? People still use ‘password’ as a password?) Having a good password on every computer account is one of the toughest measures to implement. There is always someone, usually a partner or owner, who wants to keep his password as 1234 or, worse, blank. Since security is only as good as its weakest link, this habit must change. Hackers use “dictionary” attacks that try common words from our vocabulary one after another, so we’ve got to make it tougher for them. I’m not asking folks to use a long, highly complex password of mixed numbers and symbols, but rather to take a word you know, preferably at least 8 characters long, replace a letter with a number, and add a capital letter. So, for instance, a simple password like “lawfirm” can be made much harder to crack if it is changed to Lawf1rm.
Being the victim of a security breach is bad for your business, your clients and your reputation. Putting in place a few simple steps can greatly reduce your risk of a data breach. Most importantly, having someone at your firm asking your IT guy the tough questions and holding him accountable is a critical part of keeping your system secure.