Think your small business is immune from cyber attacks from abroad? Think again.
The New York Times and Wall Street Journal recently acknowledged they had fallen victim to sophisticated cyber attacks by the Chinese government. The incidents supported security analyst predictions and F.B.I. concerns that state-sponsored espionage and cyber attacks will continue to grow in 2013.
Misguided notions of safety have led many small-business owners to skip security measures entirely, which is precisely what primes them as a target. Two things increase the likelihood that a small business will be the target of an international hacking threat: what your company does, and whom your company works with.
Certain industries are at higher risk for a state-sponsored attack, though everyone should remain vigilant, says Richard Bejtlich, chief security officer at New York City-based Mandiant, the computer security experts hired by the New York Times to find and expel the newspaper’s hackers. The most vulnerable industries include those the Chinese compete with directly: telecommunications, aerospace, advanced manufacturing, finance, energy and any companies indirectly connected to those industries.
Also at higher risk are some law firms, non-governmental organizations, think tanks and news media that focus on hot-button Chinese foreign policy issues, such as human rights or the South China Sea.
Often, small businesses with weak security systems are targeted in attacks aimed at larger corporations. Take China’s 2009 cyber-espionage coup, when Chinese hackers stole the blueprints for the U.S. joint strike fighter planes, the F-35 and F-22. Lockheed Martin’s security system was nearly impenetrable, but by attacking several of the company’s smaller-scale contractors instead, the Chinese were able to springboard into Lockheed’s systems, nabbing research and intellectual property worth more than a trillion dollars.
“The small business might not be the target, but rather the portal,” says Bejtlich, adding, “People usually think ‘OK, am I the sort of company that someone else would want to attack?’ But a new way to think about it is, ‘Do I have relationships with a company that is likely to get attacked?'”
Despite the threat of nation-state sponsored attacks, small businesses are still far more likely to encounter an opportunistic cyber-criminal looking to siphon data or funds. When it comes to such attacks, “anyone who is connected to the internet is at risk,” says Max Kelly, former chief security officer at Facebook and the current CEO of Leesburg, Va.-based Praxis Security, which provides computer security services.
Here are five suggestions for protecting your company from costly cyber-attacks:
1. Use encryption.
Encrypting data can help ensure that your company’s sensitive information isn’t exposed when an employee inevitably loses a company computer or cell phone. Encryption software scrambles the data so that it is unreadable to those who don’t provide the correct password. For Windows, BitLocker is a full-disk encrypting feature that comes standard with the operating system, while FileVault is the Mac equivalent.
2. Educate employees about phishing scams.
One of the most common ways hackers attempt to access your network is by fooling you through a “phishing” email, Bejtlich says. These are email messages that hackers tailor to you or your business to entice you to click on a link in order to put malicious code onto your computer. Educating your employees about the threats of opening emails or clicking on suspicious links can help prevent attacks, he says.
Employees should also beware of downloading apps on mobile devices they use for business. Criminals are increasingly hiding malware inside apps — just as they hide them in phishing links — to try to get people to download malware. Mobile security companies like Appthority can help inform your company about which apps contain which kinds of threats, as well as manage your mobile security policies. Appthority charges $1.50 a month per user.
3. Know your network.
Business owners need to be able to know what’s happening inside their network — what’s going in and what’s coming out, Kelly says. If you notice strange activity, you might be able to take preventive action before the attacker manages to compromise your data. The only truly effective way to monitor your networks is to hire a full-time security expert who is trained for that purpose, Kelly says.
If that kind of hire isn’t in your startup budget, Security Onion is open-source software that can be installed on an extra server to monitor what goes in and out of a company’s network. You may not know what the log means, but if you suspect an attack because your normal operations aren’t functioning properly, or you notice that funds are disappearing, you can help facilitate an expert’s job by providing them with the data. Mandiant also has created a free, open-source tool for threat detection called OpenIOC. Though, like Security Onion, it’s only effective in preventing intrusions if someone monitors the data.
4. Keep bank accounts secure.
Use multifactor authentication to log into your bank’s website — if your bank supports it. This means your account would require a virtual token or even a phone confirmation in addition to a password, making it one step harder for a criminal to impersonate you.
The FDIC also recommends using a separate computer for online banking. That can limit the chances that you download malware from email phishing links or other day-to-day web activity onto the computer that records your bank password’s keystrokes.
5. Protect your devices while traveling.
In high-risk countries like China, Russia or Iran, it isn’t uncommon for computers to be physically searched while you are away from your hotel room. Keep your computing devices on you at all times. If you can afford it, Kelly says, designate a separate computer just for traveling. Don’t store sensitive information on that computer and wipe it clean when you return home before connecting it to your networks.
Also, avoid bringing your smartphone to risky countries. Telecommunications providers in several high-threat countries often push malicious surveillance software on your phone so they can monitor your calls without your knowing. Instead, consider buying an inexpensive, in-country phone and discarding it when you leave.