SelfInformed

May 2016


Cyber Security & Data Hacking

Friday, May 27, 2016



Here we provide some guidelines and specific tips on what businesses can do to help protect their own and their customer’s data. We explain what some of the dangers on the internet are, dispel some misconceptions about password management, stress that two-factor authentication is absolutely essential for security, emphasize that you need a forensics partner, and explain what banks are doing or not doing to help keep credit cards safe.

The Danger of the Internet

Over the past few decades, the internet has definitely shoved business far ahead in productivity. It has opened new markets, created new businesses, and let businesses interact with their customers more effectively. But the internet is a dangerous and hostile terrain today as criminals have flocked there too. Given that hazard, you and your business need to learn about the risks of working online to protect your customers and yourself.

Small businesses and entrepreneurs of all sizes have a responsibility to keep data safe. In some cases it is the law, like HIPAA and SOX. Everywhere else it is just necessary if one does not want to suffer litigation or other damage to their business or customers’ business. It does not matter whether the business has 10 customers or 10,000. It does not matter whether a company sells high-tech products or low-tech ones nor does it matter if that business has 1 technical support person or 100. In all of these situations companies process data via computers, most of which are connected to the internet. There is inherent risk in that because of cybercrime.

Even the largest, most technically adept businesses get hacked. So does the military and government. That means there is nothing that is hacker proof. So if a vendor tells you that they can guarantee that they will protect your data 100% of the time, go find another vendor.

Defense is the Best Offense

There is really no difference between being hacked and having viruses on your computer. The former term sounds more serious. But they are the same. This is because hackers use viruses to steal data. A computer virus can be a small annoyance that causes pop up ads or it can be something more complex designed to turn your computer into a robot to attack other computers. Or it can steal an entire database, record customer transactions at a checkout terminal, or record keystrokes.

Given that definition, the best way to approach cybersecurity is to assume that you already have been attacked. (Statistics say you probably already have been attacked and don’t know it. The graphic below shows that from 33-43% of computers in the USA have a virus right now.). The only question is to what degree you have been hacked, meaning what kind of attack are you suffering.

The defensive posture prepares you to react in a calm and controlled manner when a really large attack occurs. Then you won’t do what SONY did when it was attacked by North Korean hackers. They simply unplugged everything, shut down the business, and called for help. They were completely caught off guard, so that is what they did.

Working from the defensive posture, you realize a few things right up front:

Businesses need a forensics partner on standby to help them when they get hacked. This is a security firm that steps in to help you figure out how much data has been stolen, eliminate the current threat, shore up your defenses, and help with some fundamental problems like employee security awareness training.

You need a communication plan to inform your customers when their data has been stolen. This can be the most difficult of your problems.

We will repeat this one again: it is crucial to train employees in security awareness. Employees are the number one weakness in security because they do not pay attention to what they click on. Hackers prey on human weakness to trick people into doing that. They downloads viruses, which go right around any defenses. Firewalls and such do not work when the person who downloads a virus is inside your company: those things work from the outside in.

You need to classify data as to its importance and assess what private company or customer data you are keeping where. For example, credit and debit card numbers and their pin should never be stored in the same database. Do not put financial data that you do not need into every system.

Whether you are a 100 year old family business or a growing new business it is necessary to adapt to the shifting technological landscape. All of those iPads, iPhones, and other fancy gadgets let your employees take their sales to your customer’s office. But those devices also provide criminals with new platforms from which to attack your data.

Do not panic. Self-employed people do not need a costly army of technical people to contain these risks. All the expertise they need is in the cloud, where they can rent it and do not have to hire it. In other words, it is not necessary to pay a company to come to your office to set up a secure ecommerce system so that you can sell your products from the web. All a small business needs to do is sign up with a cloud company like Stripe who provides that or use the ecommerce ability of hosting companies like Rackspace. There is less risk in using the cloud because there is nothing to install in your office or customer site. By definition every time you install software it exposes new security weaknesses. So avoid that. Use the cloud because it only requires a web browser. True, that is subject to attack too, but Google, Apple, and Android automatically patch their browsers against the latest security weakness.  So there is some lag time during which you are vulnerable: this is the time between when hackers find the weakness and the software companies fix it. That can be days, months, or years.

Cyber Misconceptions: Passwords

People often behave, as the saying goes, like sheep: they will follow each other right over the cliff because they do not question whether what they habitually do is logical. A good example of that is password maintenance. It is absolutely true that a longer password is better than a short one. But it is not true that one with lots of strange and hard to remember characters is better than simple words. The former is often even less secure.

Consider, for example, this example. Which password is hard for a hacker to crack

LL##$$llll121
Or
butter.knife

There are several problems with the first one. First, it is too hard for a person remember. So people are going to do what you would expect in that case and type that into a document. Then they copy and paste it when they need it. So it’s right there for a hacker to steal. The second password is sufficiently long, yet easy to remember. So there is no need to write that down. You can even make using regular words in passwords a company rule. So don’t listen to the consultants who insist that you adopt a complicated password scheme. The most important thing is password length as longer passwords take more computer time (sometimes years) for a hacker to attack. And require people to keep their business and personal passwords different. You would not want a hacker to use passwords they have stolen from, say, a dating website, to login to your inventory control system.

Two Factor Authentication: The only Safe Password is no Password

You should not use any system that requires only a password and nothing else. Instead you should only use systems that support two-factor authentication (TFA). TFA works by sending a code to your cell phone or email that you have to type into the screen in order to log in. A hacker can steal your password by installing a virus on your computer that records your keystrokes or just steals the user database. But they are not likely to have stolen your phone as well as your password.

Some common websites and applications that support TFA include Wells Fargo CEO Portal, Gmail, Outlook.com, Office 365, Dropbox, Google Apps, Facebook, E*Trade, SalesForce, and others. If your vendor does not support TFA then pick another vendor. Or if there is no other choice then you can put Okta in front of that.

The TFA code generated by the application must match the code that is generated with a cellphone app, like the Google Authenticator, shown below. The computer generates this code using the current time and a randomly-selected number that is unique to the user. So the time on your cellphone needs to be somewhat close to the correct time. But a few minutes error either way is OK.

So if you think through this a little bit, and do not behave as a sheep, you will realize that if you need a code to log in to an application then you do not a password at all. Yet, as we said, most apps still use them because people have a herd mentality. Either way, TFA will definitely cut off lots of hacking problems right at the source.

Now that you have adopted TFA, there is no risk in storing passwords for the many applications that you use in Google or Word documents online, as long as you are using TFA to protect those documents. So you can even copy LL##$$llll121 there if one stubborn application still requires that.

Credit Cards and Cyber Crime

Hackers offer stolen credit cards for sale on the internet for as little as a few dollars. These criminal rings have grown so large and sophisticated that they even guarantee their customers that the stolen card will support a certain number of charges before the fraud department or credit limit shuts it down.

The truth is that banks in the USA are not doing the best possible job of protecting customers against this kind of theft. They have thrown out common sense and instead adopted the desires of the marketing department who argue for simplicity over security. Banks and the leading credit card companies do not want to lose market sharing to emerging payment systems, like digital wallets, and online payment firms, like PayPal. So they do not always do what is most prudent, like requiring a pin. Some require only a signature, which, of course, can be faked.

Yet, there has been change. EMV cards have a small computer chip to encrypt the card data. Yet the problem with using an EMV or other advanced card is it does not work on your web site, as there is no one there to physically present the card to the POS (point of sale) terminal.

The best thing to do then is, as we said above, use a cloud vendor like PayPal or Swipe, who should have the best security. And for in-store transactions, work with your POS device vendor to make sure those are secure. Those devices are subject to hacking just like any other computer. That is where hackers stole more than 100 million credit and debit card numbers from Target.

Education is the Best Policy

In summation, the best approach to security remains educating yourself and your employees about the risks inherent in the internet and how to be safe. That means training new employees and retraining existing ones. Many websites offers training in this area. Then find a forensics security partner. They call themselves Managed Security Services, but you can sign up for less than their full offering. Also use TFA instead of passwords. Adopt cloud payment systems, and use the cloud for most other applications as well, instead of installing your software. And do not fall for any security firm or product who offers 100% protection. Go with someone who is honest about the risk. And if you are large enough to have people to do that, write a risk assessment for your business to help identify where you are most exposed and to develop a communication plan.

Comment

  1. RadEditor - HTML WYSIWYG Editor. MS Word-like content editing experience thanks to a rich set of formatting tools, dropdowns, dialogs, system modules and built-in spell-check.
    RadEditor's components - toolbar, content area, modes and modules
       
    Toolbar's wrapper 
     
    Content area wrapper
    RadEditor's bottom area: Design, Html and Preview modes, Statistics module and resize handle.
    It contains RadEditor's Modes/views (HTML, Design and Preview), Statistics and Resizer
    Editor Mode buttonsStatistics moduleEditor resizer
      
    RadEditor's Modules - special tools used to provide extra information such as Tag Inspector, Real Time HTML Viewer, Tag Properties and other.
       

Business Management Blog

Your Connection to Small Business Specialists

Read the Blog!