12 July

Many business owners ask themselves this question. As technology advances at breakneck speed, it seems the hackers always get there a few steps ahead of everyone else. After all, even the Pentagon gets hacked, right? So am I just deluding myself in thinking I can protect my business? Well... that depends.

First we need to dispel some myths. The world is not filled with geeky little evil hackers all concentrating their combined efforts into hacking your business. Don't get me wrong, the world is filled with geeky little evil hackers; they're just not concentrating on your business alone, and most of them aren't after your top secret business files. In fact, 90% of most malware is distributed for the sole purpose of gaining control of computers to send out spam. Yep, that annoying junk that clutters up your inbox. Why? Because a small percentage of spam actually works, and that makes them money. Enough money to make it worth continuing to develop new malware to keep sending out. Along with sending spam, they can also use those same computers for DoS (Denial of Service) attacks on companies they don't like or want to impress, flooding their servers with requests from millions of computers at the same time until they grind to a halt.

Okay, so beyond it being a bad idea to have anyone control your computer besides you, what else happens? Often they install keyloggers that record your passwords to web sites, banks, or credit card info. They may also scan your computer for personal information so that they can impersonate you and get credit cards or accounts in your name (identity theft). This becomes especially bad news when it's business credit cards and accounts that they steal, as they often have much higher limits.

The remaining 10% is done for the purpose of targeting and stealing specific information, usually your customers' credit information and card numbers. Having this happen can be a public relations nightmare, as you have undoubtedly seen on the news, as well as becoming very costly in terms of fines, lawsuits, and increased credit card fees. Making matters worse, most business insurance won't cover these losses if the business has been deemed negligent by not having proper safeguards in place.

How likely is it that someone is actively probing your router right now? Probably 90%. About 10 years ago I was running a routine security inspection on a client's server before deploying an e-commerce solution. This was a brand new server hosted by one of the 10 largest hosting firms and was as delivered out of the box. While going through the logs I noticed that on just one port, the Administrator account was being brute-force attacked at a rate of 35 attempts per second. I won't bore you with the math of how long that would take to guess the correct password, but it is not a matter of if, but when. There were of course many other attempts on different ports happening at the same time. Remember, this was on a server that had just gone live.

How hard is it to do? Most of these attempts are done by "script kiddies", not professional hackers. The term refers to high-school-age kids who, instead of learning to steal cars playing Grand Theft Auto like the good kids, are sitting at their computers running any number of downloadable hacking scripts from the internet on random IP addresses, hoping for a "hit" on a computer that can be compromised.
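The kind of burst described above, many failed logons against one account on one port, can be flagged by counting failures per account in a sliding time window. This is an added example, not code from the original post; the log format, port number, account names, addresses and threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any product's real format):
#   <ISO timestamp> port=<n> user=<name> src=<ip> result=<OK|FAIL>
def make_sample_log():
    """Constructed sample: 35 failed logons in under a second, plus one ordinary typo."""
    start = datetime(2024, 1, 1, 3, 0, 0)
    lines = []
    for i in range(35):
        ts = (start + timedelta(milliseconds=28 * i)).isoformat()
        src = f"203.0.113.{i % 5 + 1}"  # documentation-range addresses
        lines.append(f"{ts} port=3389 user=Administrator src={src} result=FAIL")
    for secs, result in ((40, "FAIL"), (45, "OK")):
        ts = (start + timedelta(seconds=secs)).isoformat()
        lines.append(f"{ts} port=3389 user=jsmith src=198.51.100.7 result={result}")
    return lines

def parse(line):
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_bruteforce(lines, window=timedelta(seconds=1), threshold=10):
    """Map (port, user) -> (peak failures in any window, distinct sources)."""
    failures = defaultdict(list)
    for rec in map(parse, lines):
        if rec["result"] == "FAIL":
            failures[(rec["port"], rec["user"])].append((rec["ts"], rec["src"]))
    alerts = {}
    for target, events in failures.items():
        events.sort()
        peak, lo = 0, 0
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] >= window:  # drop events older than the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[target] = (peak, len({src for _, src in events}))
    return alerts

if __name__ == "__main__":
    for (port, user), (peak, sources) in find_bruteforce(make_sample_log()).items():
        print(f"ALERT port {port} account {user}: peak {peak} failures per window, {sources} sources")
```

Counting per port and account rather than per source address means the alert still fires when the guesses are spread across several machines, while a single mistyped password stays below the threshold.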

So what can you do to protect your business from these threats? A great first step is to make sure you meet current PCI (Payment Card Industry) standards. Many business owners and IT personnel regard PCI compliance as a major nuisance and just a cost of doing business. Most often they have either not been hacked or remain blissfully unaware of the fact that they have been compromised. Anyone who has been through the process of cleanup after a breach has a far different attitude. If you have ever had to clean up a virus or malware attack on a personal computer, which often results in a complete reloading of the machine and loss of information, you can well imagine the havoc this would play across a business network. The PCI SAQ (Self Assessment Questionnaire) is available as a free download and is a great place to start securing your network. Additionally, for a fee, you can have intrusion testing done by a number of qualified assessors that will pinpoint most of the weak points in your systems. Even if you don't take credit cards through your software, meeting PCI compliance is just smart business. A brief chat with your business attorney will confirm the merits of being able to argue a defendable position of having taken the necessary steps to safeguard your customers' information.

A solid security approach does not consist of any single "silver bullet" to solve the problem. It takes a layered approach. Think of your house: it does you little good to have a 12 inch thick steel front door, rivaling that on the vault of your local bank, if the burglar comes in through your bathroom window, or your eight year old opens the back door for the "Pizza Dude." The main areas you need to focus on are the perimeter (how the internet connects to your network), the software you have, making sure updates and patches are applied, anti-virus protection, securing the inside of the network, and having good policies and procedures in place.

When it comes to firewalls to protect the perimeter, not all firewalls are created equal. Many of the internet devices sold with a designation of "Firewall" are little more than simple routers with the ability to do stateful packet inspection and help with DoS attacks. Of course, all of this is useless unless you can control what rules govern traffic. All good firewalls operate on the same principle: all traffic and all ports are blocked unless a rule exists allowing that user, from a specific machine, to contact a specific destination, through a specified port, at that specific time, for a specific purpose and using a specified protocol. If this all seems a bit heady, it is, and it should be managed by people trained in this field. After all, there are 65,535 available ports for hackers to try on your computer, so it makes sense to be very sure which ones you open and why. This starts to get more complex when you add remote access for employees or management working from home or on the road. But take heart: if you do not have the staff trained for this or an off-site IT professional, there are a number of well-built firewalls that are remotely managed by security experts available for a nominal fee. As a side benefit, they also include traffic logging that will allow you to track down issues as they arise. For example, you may find that the reason you can't complete a bank transaction online is due to a few employees using up all the company bandwidth watching online videos or movies at their desk.
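The default-deny principle above can be written as a small rule evaluator: a request is allowed only when one rule matches its user, source machine, destination, port, protocol and time of day, and everything else is blocked. This is an added example, not code from the original post or from any firewall product; the rule fields, user names and addresses are hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    purpose: str      # why the rule exists, kept for audits
    user: str
    source: str       # machine (or subnet) allowed to originate, as CIDR
    destination: str  # CIDR
    port: int
    protocol: str
    start: time       # allowed time-of-day window
    end: time

@dataclass(frozen=True)
class Request:
    user: str
    source: str
    destination: str
    port: int
    protocol: str
    at: time

def in_window(rule, at):
    if rule.start <= rule.end:
        return rule.start <= at <= rule.end
    return at >= rule.start or at <= rule.end  # window crosses midnight

def decide(rules, req):
    """Default deny: allow only when one rule matches every attribute."""
    for rule in rules:
        if (rule.user == req.user and rule.port == req.port
                and rule.protocol == req.protocol
                and ip_address(req.source) in ip_network(rule.source)
                and ip_address(req.destination) in ip_network(rule.destination)
                and in_window(rule, req.at)):
            return ("ALLOW", rule.purpose)
    return ("DENY", "no matching rule")

# Constructed policy: every name and address here is hypothetical.
RULES = [
    Rule("bookkeeping to bank portal", "alice", "10.0.0.15/32",
         "192.0.2.10/32", 443, "tcp", time(8), time(18)),
    Rule("nightly off-site backup", "svc-backup", "10.0.0.2/32",
         "198.51.100.20/32", 22, "tcp", time(23), time(2)),
]
```

Changing any single attribute of an allowed request (a different desk, a different port, an hour outside the window) falls through to the final `DENY`, which is the behavior to verify when reviewing a real rule set.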

The software you run for your business is also a security risk. Not all software is built to the same standards when it comes to security. Back in the early 1990s when I went back to college, I had the great fortune to take a class with a brilliant instructor. At the time most of us were connecting to the internet via dial-up modems and most of the general public thought that AOL was the internet. In one of our after-class discussions he told me that although it was not apparent now, in the next 10 years the internet was going to become a major security issue and that identity theft was going to become commonplace. He urged me to focus a good deal of attention on learning all I could about the issue, as it would become a large factor in the IT world in the coming years. He also said that we can only provide so much protection at the perimeter and that ultimately the problem needed to be addressed at the software level. In the decades that followed, we have seen those words come true. Most of the highly publicized malware that spread around the world, taking out large swaths of business and private computers, exploited security holes in software. Sadly, a large percentage of these were known issues and patches had been developed and released, but most were never installed by IT staff. The large software vendors have gotten much better about releasing patches for security issues, but they still won't help if they aren't installed. Smaller software companies often do not have the resources to release timely patches in response to each new threat. Fortunately, there are software packages that will make quick work of providing and installing patches for your company computers across the network, not only for the operating system software but for many other commonly installed programs as well.

Along with keeping your software patched, you also need a good anti-virus/malware program to protect your systems from the ever-growing number of viruses out there. These can be transmitted not just by e-mail, but also by simply visiting sites on the internet that have been compromised. Most business class software will not only catch the majority of these, but also keep them from spreading across the network if a machine does get infected. The better packages keep all machines updated, as well as providing a quarantine for any suspect files detected.

You will also need to look at how well you keep company data from leaving the building. 30% of data loss comes from inside jobs. You may do a great job of securing the firewall and keeping outside threats at bay, but do you lock down server drives, floppy drives, CD writers, and USB drives to keep someone from e-mailing sensitive data or simply walking out the door with your customer list? A large percentage of these issues can be avoided by having strong policies and procedures in place. Managers and IT personnel need to be aware of these policies, but also be aware of how to deal with questions when they arise. Your staff should feel comfortable asking a manager or IT staff if they get a suspected virus file in their e-mail or if they should open an attachment. Most likely it is not their fault, as the people who do the most work in communications, ordering online, or research will also get the most spam and malware sent to them. An environment should be fostered in which they feel supported and part of the effort to secure and protect the business.

This is by no means a comprehensive, end-all discussion of the subject, as it would consume volumes. But it should serve as a primer for some easy steps to get you headed in the right direction and give a general answer to the question. So while it may not be possible to make your business impenetrable to a concentrated attack by a foreign government, the good news is that there are plenty of great tools available to make yourself safe from all the threats that your business is most likely to face. It's up to you to put them to use.