Computer hacking has become front-page news lately, but many small business owners assume that because they’re small potatoes, have a firewall, and use anti-virus software they’re immune to a cyber attack. They're dangerously wrong. I know, because it happened to me.
Just last week two websites we operate to showcase our research and publications on telework for consumers and researchers were hacked. Someone managed to break in and insert code designed to steal credit card information. They didn’t succeed because we don’t keep any credit card info on the site, but we still had a huge mess to clean up.
With 30-plus years of computer and programming experience, I dropped everything else I was doing and spent several days unraveling what they’d done. As a result, I lost a lot of valuable time, but if we’d paid someone to do it, it would have cost us several thousand dollars.
It could have been worse.
A few years ago a $1 million online business closed, and so did a childcare business run by the owner’s wife, thanks to a series of computer attacks. A disgruntled former employee hacked the Web store’s site, stole customer e-mail addresses and sent lies claiming the online business was a front for pedophiles who were exploiting children at the childcare facility.
What’s striking are the kinds of businesses that have been hit: small manufacturers, building contractors, credit unions, hotels, diners and restaurants, coach and limo services, trucking companies and law, accounting and venture capitalist firms. In other words, if you have a website, you’re vulnerable.
Over the last five years there have been 78 major cyber attacks and tens of thousands of small ones against American business, government and educational organizations. Sony just spent $170 million mopping up after the PlayStation disaster. Security experts agree that a cyber 9/11 is likely; indeed, some say the only reason it hasn’t happened already is lack of terrorist leadership. What’s more, there’s evidence that foreign-made computer components are being manufactured to make it easier to launch cyber attacks.
Here are eight things you can do to help secure your business and mitigate loss if (when?) you're the target of a hacker attack.
Tip 1: Use strong passwords and change them regularly
Build the passwords you use, a different one for each log-in, with a pattern that you can remember without writing them down.
Small businesses often have high turnover, and that means they need to change passwords regularly to prevent a former employee or contractor from logging in and reading e-mails or mining your system for customer information.
Tip 2: Fear E-mail attachments
You know those cute pictures and interesting PowerPoint presentations people send you? They’re one of the most common ways bad guys pass around computer viruses. And just because an e-mail comes from someone you know doesn’t mean they actually sent it. A lot of e-mail addresses have been stolen lately and you really can’t be sure. Be particularly suspicious if the e-mail is sent to a long list of strangers.
Tip 3: Update anti-virus signatures
Anti-virus programs look at the contents of a file and search for a specific pattern of characters known as a virus signature. When a new threat crops up, anti-virus program companies create an updated set of virus signatures. Make sure your program is set to update automatically.
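The signature matching described above, reduced to a sketch (an added example, not code from any anti-virus product). The signature names and byte patterns are constructed and harmless; the point is that a file carrying a newer pattern passes a scanner whose signature set was never updated.

```python
import io

# Constructed, harmless byte patterns standing in for real virus signatures.
SIGNATURES_OLD = {"Demo.Alpha": b"ALPHA-MARKER-0001"}
# The "updated" set adds one entry published after the old set was installed.
SIGNATURES_NEW = {**SIGNATURES_OLD, "Demo.Beta": b"BETA-MARKER-0002"}


def scan_stream(stream, signatures, chunk_size=4096):
    """Return the sorted names of signatures found anywhere in the stream."""
    if not signatures:
        return []
    # Carry the tail of each chunk forward so a pattern that straddles a
    # chunk boundary is still matched.
    overlap = max(len(p) for p in signatures.values()) - 1
    found = set()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in signatures.items():
            if pattern in window:
                found.add(name)
        tail = window[-overlap:] if overlap else b""
    return sorted(found)


def demo():
    """Scan one constructed sample with the stale and the updated set."""
    sample = b"x" * 10 + b"BETA-MARKER-0002" + b"y" * 10
    # A tiny chunk size forces the pattern to span several reads.
    old = scan_stream(io.BytesIO(sample), SIGNATURES_OLD, chunk_size=8)
    new = scan_stream(io.BytesIO(sample), SIGNATURES_NEW, chunk_size=8)
    return old, new


if __name__ == "__main__":
    stale, updated = demo()
    print("stale signature set:  ", stale)
    print("updated signature set:", updated)
```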
Tip 4: Define access rules
I was at a boring conference and entertained myself by seeing how many computers were protected. Most were broadcasting their Wi-Fi addresses, about half allowed some degree of access and three had no protection whatsoever. They were wide open. I left a text file on each desktop titled PeekaBooIseeYou.txt that said simply, “You really ought to use some kind of protection. For your computer, I mean.”
Tip 5: Remove software you don’t use
When our websites were hacked, I discovered a totally unnecessary and unused plugin (phpMyAdmin) that was a known security risk. It’s gone now, but someone, or someone’s computer, still comes around several times a day, peeking in our windows, looking for it. The doors are locked (as far as I can tell), but it’s still creepy.
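One way to check that removed software really is gone is to look at how the web server answered the requests that keep asking for it. The script below is an added example, not something from the original article; it assumes Apache-style combined access logs, and the log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2024:03:14:07 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [12/Jun/2024:09:40:51 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [12/Jun/2024:10:02:13 +0000] "GET /research/telework.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2024:02:11:30 +0000] "GET /PHPMYADMIN/index.php HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [13/Jun/2024:04:55:02 +0000] "GET /old/phpmyadmin/index.php HTTP/1.1" 200 8812 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Directory name of the removed tool, in any letter case, anywhere in the path.
PROBE_RE = re.compile(r"/phpmyadmin(/|$|\?)", re.IGNORECASE)


def summarize_probes(lines):
    """Return (probe counts per client and day, probes answered with 2xx)."""
    counts = defaultdict(int)
    reachable = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        counts[(m["ip"], m["day"])] += 1
        # A 2xx answer means a copy of the tool is still being served.
        if m["status"].startswith("2"):
            reachable.append((m["ip"], m["path"]))
    return dict(counts), reachable


if __name__ == "__main__":
    counts, reachable = summarize_probes(SAMPLE_LOG.splitlines())
    for (ip, day), n in sorted(counts.items()):
        print(f"{day}  {ip}  {n} probe(s)")
    for ip, path in reachable:
        print(f"STILL REACHABLE: {path} (requested by {ip})")
```

Probes answered with 404 confirm the removal; any 2xx answer points to a leftover copy, such as the forgotten `/old/` directory in the constructed sample.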
Tip 6: Physical security is important, too
You may have done a great job with Tips 1 through 5, but if someone can walk off with your computers or external hard drives, what good has it done?
It works the other way around, too. What if someone brings in a problem? Amazingly, the now famous Stuxnet virus that apparently physically destroyed Iranian nuclear machinery was delivered by installing it on thumb drives, and then dropping them in the parking lot. Happy with their new, free, thumb drives, engineers carried them into the high security building, plugged them in, and the rest is history. Or maybe prologue. The virus is still in the wild, it’s mutating now that it’s available to all hackers, and it undoubtedly will strike again.
Tip 7: Back up, back up, back up
If a hacker ruins your computer system or website by destroying software, files, or folders, you have to recover quickly. Can you cope for several days while your systems are repaired and information is rebuilt manually?
Backups are your best insurance against intruder attacks (or a natural disaster), especially when you keep copies off site.
Tip 8: Make sure you have insurance coverage
Cyber risks are not covered by standard property and casualty policies. Cyber insurance, however, is available to cover privacy and security liability, crisis management, business interruption, denial of service, lost income, cyber extortion and media or Web content liability.
Policies covering cyber risks are offered by many major insurance companies. Make sure you’re covered.
Nine of 10 businesses have been the victim of some form of cyber crime. If yours hasn’t, you’re lucky. Or could it be you just don’t know yet?