The Democratic National Committee gets hacked, it’s probably a Russian operative, and everyone is shocked, right? The drama is unfolding before our eyes, with lots of speculation, and many people may think, “How could such a high profile organization at such a critical time let that happen?” Exactly…and are you next?
The key word there is “let.” We don’t know for sure how exactly the hackers got in initially, and as you can imagine the DNC isn’t exactly forthcoming with details. What does seem to be clear at this point, however, is that the hackers have been in the DNC system for a long time and the DNC was even made aware of that fact at several points during the “occupation” of their systems. If Russia or even the teenager across town has been in your system for months, how would you know? Are you putting your head in the sand until the FBI calls to tell you that you’ve been a target?
I was not shocked when I heard the DNC news. I was frustrated. It never should have happened to the DNC, and it certainly doesn’t have to happen to you. Preventing a cyber-attack is no different from preventing the theft of your car or the burglary of your home. You’ll never be able to prevent 100 percent of what’s out there, because with enough time the security of every system goes to zero. But, like your home or car, there are simple steps you can take, such as using a steering wheel lock on your car or installing an alarm system in your home, that will cause the overwhelming majority of bad guys to choose a different target.
I feel like I am jumping up and down trying to scream from the top of the trees what these simple things are, but not enough people are listening. I’m not talking about things you have to hire an IT expert for – I’m talking about checking a box in a settings screen somewhere. Of course, there are more complex and sophisticated things that can be done as well, especially for high-profile organizations.
But don’t think you’re out of the woods because of your smaller size. In fact, hackers view smaller companies as low-hanging fruit: they’re quicker to get into and easier to compromise.
Consider the stats. The average cost to a business for a cybersecurity attack is $9,000, according to a 2013 small business technology survey commissioned by the National Small Business Association. And an alarming 59 percent of small and medium-sized businesses do not have a contingency plan that outlines procedures for responding to and reporting data breach losses, according to staysafeonline.org. In addition, according to a study by IBM, 95 percent of all security incidents involve human error.
Think about that. An employee mistakenly clicks on a phishing link. A remote worker doesn’t want to bother with remembering another password and just uses 123456 instead. Or, just as bad, a sneaky thief gets into your physical space posing as the copier or telephone repairman. Did you know that an intruder with physical access to your server can boot it from a USB stick, reset the administrator password and lock you out in less than two minutes?
And don’t get me started on ransomware – I’ve seen many cases where a company doesn’t get around to testing its backup until after all of its data is encrypted. Worse, a backup drive that stays plugged into the network gets encrypted right along with everything else, so keep a copy offline or off-site and actually practice restoring from it. Otherwise the only choice left is to pay the ransom, and on average that only gets your data unlocked roughly half the time.
So, what can you do today? First, take stock of your passwords. Any password that has been unchanged for years, is reused across several accounts, or has turned up in a breach should be changed right now, and every account should get its own. Changing them on a schedule, the way you change the oil in your car, is fine, but unique passwords matter more than the calendar. Second, turn on “two-factor authentication” for as many of your accounts as you can. That is a fancy technical term which just means that, in addition to your password, you must enter a one-time code that is either sent to you by text message or generated by an app on your phone. App-generated codes change every 30 seconds; codes sent by text usually expire within a few minutes. The app is the stronger choice, because a text message can be read by someone who talks your phone carrier into moving your number onto their SIM card. Turning this on is usually just a matter of checking a box in the “settings” page under security options. Finally, train all of your employees to be “security smart” – to create strong passwords and not to click on fake emails. There are lots of commercial sites that will sell you training programs, and some will even “test” your employees by sending simulated phishing emails to see if they take the bait.
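As an added illustration (this is example code written for this page, not code from the article or from itSynergy), here is what the app on your phone is actually doing when it shows you a six-digit code, and what the service does to check it. The secret below is the published test key from RFC 4226 and RFC 6238, so the codes it produces can be compared against those documents; a real authenticator secret is shown to you once as a QR code when you turn the feature on and is never printed like this.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test key from RFC 4226 / RFC 6238 ("12345678901234567890" in base32).
# Used here so the output is checkable; it is NOT a real account secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds each code stays valid (RFC 6238 default)
DIGITS = 6       # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then reduce to N digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since
    1970, which is why the code on your phone changes every 30 seconds."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time) // step)


def verify(secret_b32: str, submitted: str, at_time: float, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current window plus 'skew_steps' on
    either side to tolerate clock drift between phone and server; anything
    older is rejected, which is what makes the code 'expire'. Comparison is
    constant-time so response timing does not leak how close a guess was."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // TIME_STEP
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c).encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    # Show the code rotating across a 30-second boundary.
    print("code at t=59:", totp(RFC_TEST_SECRET_B32, 59))
    print("code at t=60:", totp(RFC_TEST_SECRET_B32, 60))
    # Show acceptance now, with one step of drift, and rejection later.
    code = totp(RFC_TEST_SECRET_B32, 59)
    print("accepted at t=59:", verify(RFC_TEST_SECRET_B32, code, 59))
    print("accepted at t=89:", verify(RFC_TEST_SECRET_B32, code, 89))
    print("accepted at t=120:", verify(RFC_TEST_SECRET_B32, code, 120))
    print("current code:", totp(RFC_TEST_SECRET_B32, time.time()))
```

Two things worth noticing: the code is derived from a shared secret and the clock, not sent over the network, so there is nothing for a SIM-swapper to intercept; and the only thing that makes an old code useless is the server refusing counters outside its small acceptance window, so a service that accepts a very wide window has quietly weakened the feature.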
We’re not done hearing from WikiLeaks, and I hope by the time the next chapter of this story starts, you’ll be well on your way to protecting your firm or your client’s valuable data. You can do it, and in today’s world, you must do it.
Michael Cocanower, founder and president of Phoenix-based itSynergy, conducts free 15-minute “Hacking the Human” webinars on the second Thursday of every month at 11:30 a.m. Register at http://www.itsynergy.com/webinar.