
Hack-Proofing Your Company: How Small Businesses can Better Protect Customer Data

By Susan Caminiti.

Big corporations have long understood the need to protect against cyber criminals out to wreak havoc on their computer systems in order to steal money or customer data—or both.

Yet technology experts say small businesses are just as vulnerable, and don’t even know it. “The same small business owner who will spend money putting in an alarm system, a fence around the building, and locks on every door, is the same person who doesn’t see the need to take security precautions with his IT system,” says Brian Reich, founder and president of The Reich Group, a security consulting firm based in northern New Jersey. “The three prongs of security are physical, personnel, and IT security. Unfortunately, a lot of small businesses forget about that last piece because they operate under the assumption that since they’re small, they can’t get hacked.”

No business is too small to be a target

Nothing could be further from the truth. That’s because small firms typically have weaker security profiles that enable hackers—or even disgruntled ex-employees—to easily penetrate their systems to steal proprietary information, explains Ed Skoudis, an instructor with the SANS Institute, a leading information security training and certification school based in Bethesda, Maryland. And with few (if any) IT professionals on staff at small firms to monitor these breaches, the issue often gets pushed aside until an attack actually happens.

And it’s occurring more frequently at these smaller firms. According to Verizon Communications Inc. and the U.S. Secret Service, of the 761 cyber attacks that were reported in 2010, 482 of them—or 63 percent—were at companies with 100 or fewer employees. With thinner financial resources, the cost of a digital break-in can even put a small company out of business. Speaking at the recent International Conference on Cyber Security in New York City, Shawn Henry, the FBI’s top cyber investigator, cited a case where a small business had to close up shop after hackers were able to steal $5 million from its accounts.

Passively scan for security holes

So how does a small business figure out just how vulnerable its online data is? Skoudis and others recommend that they start with a vulnerability scan. Akin to a routine physical, this test looks at your entire computer network every quarter or so to determine weaknesses—or vulnerabilities—that could allow an attacker to get in and steal sensitive information, such as customer lists and credit card information.

Qualys, a provider of on-demand IT security risk and compliance management solutions, based in Redwood Shores, California, offers a free security assessment that small businesses can try, says Skoudis. It includes a scan that detects security vulnerabilities in your systems that face the Internet, including your web server. For a fee, the company can conduct scans that look across your entire network and detect internal vulnerabilities, such as malware infections and threats. The cost is based on the number of IP addresses being scanned and the frequency of those scans.

Actively test your defenses

Going one step further, Skoudis recommends a penetration test—or pen test, as it’s often called. It begins with a vulnerability scan, but then attempts to exploit a company’s IT weaknesses to determine how easily, and to what extent, a hacker can bring a company to its knees. A penetration test can cost anywhere from a few thousand dollars to tens of thousands of dollars depending on the size of the company and how many computers need to be scanned.

“We’ve done pen tests where we were able to get a company’s customer records and all their credit card information,” Skoudis recalls. “When a company gets breached like this, it can destroy its reputation and drain its bank accounts overnight.” And any company that needs to be compliant with Sarbanes-Oxley or HIPAA rules, adds Reich, is even more vulnerable should a security breach occur.

Of course, the difference between a penetration tester and a hacker is that the former has permission to break into a computer network and steal information and the latter does not, according to SANS.

Kevin Mitnick is skilled at both roles. He was once one of the world’s most notorious hackers and today is a best-selling author on information security and president of his own firm, Mitnick Security Consulting. He often consults with small businesses and sees first-hand what happens when cyber security issues are ignored.

For example, he’s currently working with a small e-commerce company based in New Jersey that routinely takes and stores credit card information from its customers. The problem, explains Mitnick, is that the company stored this financial information on its servers unencrypted, or in other words, as plain text. A hacker who was able to get access to the data had to do little more than copy the numbers to begin fraudulently using them. “The credit card company was the one who figured out the stolen numbers were coming from this business,” Mitnick says. “The owner of the company had no idea this was happening and now they’ve hired me to do a security assessment of their site.”
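The plaintext storage Mitnick describes, shown beside a protected form, as an added example that is not code from the article, from the merchant, or from Mitnick Security Consulting. It assumes Go and two keys (a 32-byte AES-256-GCM key and a separate HMAC lookup key) supplied from outside the database, for instance a KMS or HSM; the Vault type, the customer names and the keys generated in main() are constructed for the example, and 4111 1111 1111 1111 is a published test number, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecordPlain is what the merchant in the story effectively kept: the full
// card number (PAN) in the clear. Anyone who can read the table can use it.
type CardRecordPlain struct {
	Customer string
	PAN      string
}

// StorePlaintext is the "before": the PAN is written exactly as typed.
func StorePlaintext(customer, pan string) CardRecordPlain {
	return CardRecordPlain{Customer: customer, PAN: pan}
}

// CardRecordProtected is the "after". Day-to-day code sees the last four digits
// and a lookup token; the PAN is only reachable through the vault's keys, which
// must live outside the database, or a database dump still yields every card.
type CardRecordProtected struct {
	Customer   string
	Last4      string
	Token      string // hex HMAC-SHA256(lookupKey, PAN): "same card as before?" without the PAN
	Nonce      []byte // fresh random 96-bit nonce per record (never reused under one key)
	Ciphertext []byte // AES-256-GCM of the PAN, authenticated together with Customer
}

// Vault holds the two keys (hypothetical type for this example).
type Vault struct {
	aead      cipher.AEAD
	lookupKey []byte
}

func NewVault(encKey, lookupKey []byte) (*Vault, error) {
	if len(encKey) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, lookupKey: lookupKey}, nil
}

// normalizePAN keeps only digits, so "4111 1111 1111 1111" and
// "4111-1111-1111-1111" are the same card, and rejects lengths no card uses.
func normalizePAN(pan string) (string, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, pan)
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("PAN must be 13 to 19 digits")
	}
	return digits, nil
}

// Store encrypts the PAN and derives the display and lookup fields.
func (v *Vault) Store(customer, pan string) (CardRecordProtected, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return CardRecordProtected{}, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecordProtected{}, err
	}
	// The customer name is bound as associated data: a ciphertext copied onto
	// another customer's row fails authentication instead of decrypting.
	ct := v.aead.Seal(nil, nonce, []byte(digits), []byte(customer))
	mac := hmac.New(sha256.New, v.lookupKey)
	mac.Write([]byte(digits))
	return CardRecordProtected{
		Customer:   customer,
		Last4:      digits[len(digits)-4:],
		Token:      hex.EncodeToString(mac.Sum(nil)),
		Nonce:      nonce,
		Ciphertext: ct,
	}, nil
}

// Reveal is the only path back to the PAN; call it from the charging code,
// never from reporting or customer-support tools.
func (v *Vault) Reveal(rec CardRecordProtected) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Customer))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	encKey, lookupKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(encKey)
	rand.Read(lookupKey)
	v, _ := NewVault(encKey, lookupKey)
	plain := StorePlaintext("alice", "4111 1111 1111 1111")
	rec, _ := v.Store("alice", "4111 1111 1111 1111")
	fmt.Printf("plaintext row exposes: %s\n", plain.PAN)
	fmt.Printf("protected row shows: last4=%s token=%s... ct=%x...\n", rec.Last4, rec.Token[:8], rec.Ciphertext[:4])
}
```

The better answer for most small shops is not to hold the PAN at all and let the payment processor return a token; the vault above is for the case where the business insists on keeping cards on file, and even then the encryption only helps if the keys are not sitting next to the data.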

The cost of doing nothing

Mitnick, as well as others, points out that companies, big and small, that accept credit cards are required to comply with the PCI Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, which establishes the security measures merchants must have in place in order to securely accept and store credit card data. Routine vulnerability testing is one of the requirements for PCI compliance, points out Skoudis, and yet companies regularly overlook or ignore this step because they think they’re too small to be hacked or just don’t make the time. According to PCI, should customer credit card data be stolen, a small business can be liable for fines and penalties. According to FocusOnPCI.com, a site dedicated to explaining the details of PCI compliance, each compromised cardholder record can cost a small business between $50 and $90. Multiply that by hundreds or even thousands of customers and the cost escalates quickly. Further, non-compliance can also result in a small business being prohibited from accepting credit cards in the future.

No amount of IT security and vigilance can completely eliminate the risk of an IT breach, say the experts. “There isn’t an agency, organization, or company I know of that hasn’t been hacked to some degree,” says Edward J. Appel, a former FBI agent for 28 years and now a computer security consultant. The goal, they say, is to mitigate that risk by making it harder for networks to be compromised in the first place. Says Appel: “If you say you can’t afford it or don’t need to periodically see where your company might be vulnerable, you’ve already ceded control to the bad guys.”


Cyber Crime: Nine Ways to Protect Your Company

SQL injection attacks. Scareware. Password crackers. Bots. They sound like alien attacks from an episode of Star Trek – not real threats to your small business.

But, the threat is real. Cyber crime has reached new heights, and the criminals do not care if you’re a Fortune 500 company or a mom-and-pop shop. In fact, as hackers look for the easiest way into a network, small businesses and their less sophisticated security measures are prime targets. A 2010 Panda Security survey of 10,000 small and midsize businesses worldwide showed that 36 percent of respondents did not use any security tools besides free anti-virus protection. And a study from Symantec found that 73 percent of respondents had been victims of a cyber attack during the last year.

A popular belief is that cyber crime is motivated by a desire to disrupt business and gain notoriety for advanced hacking skills. The more prevalent motivator, however, is money. Even if no money or records are stolen, a security breach can have financial repercussions in terms of damage to a company’s reputation and ability to partner with firms that have more sophisticated security in place. More and more, companies are requiring that their vendors and partners have digital defenses in place. There are also laws that require companies to notify customers if their personal information has been compromised and even offer them free credit protection and monitoring in some cases.

Tips for Protecting Your Business

Your business can be threatened in multiple ways: the network, your applications and company data. Many companies invest in security tools for one level, but neglect the rest. The key is to keep criminals from gaining entry in the first place, and to prevent them from causing deep levels of damage if they do. Here are some precautions you can take:

Although most small businesses do not have them, firewalls are now considered essential, as they control who has access to your network.

Recognize the value of a strong password. The best ones use a combination of upper- and lower-case letters, numbers and symbols, are eight- to 12 characters long, and do not include any personal references.

Know your application software vendors. If your vendors offer regular updates and patches, make sure you use them.

Further protection is available through web application firewalls and web application vulnerability scanning, which look for security holes without requiring you to shut down your business.

If you have a limited budget, focus on email filtering and web filtering technology, as these are two of a small business’ most vulnerable areas.

Investigate newer technologies like data-leakage protection software, which will alert you if sensitive data is going out of your network.

Consider encryption software for your laptop and smart phone. (Remember, they are computers too).

Remember to educate your staff. You can buy the most sophisticated password encryption software, but it won’t help you if a staff member writes the password on a Post-it.

Finally, as ubiquitous and useful as social networking sites are, small businesses should be aware that they come with added security risks. A 2010 study showed that the number of companies attacked through social media networks jumped 70 percent between 2008 and 2009, and that social networks spread malware at 10 times the rate of email networks.
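A minimal version of the data-leakage check described in the list above (the tip on data-leakage protection software that alerts when sensitive data leaves the network), as an added example rather than code from the article or from any product: it scans an outbound message body for card numbers by digit pattern plus the Luhn check digit, and returns masked findings so the alert itself does not leak the number. It assumes Go; the message body in SampleOutbound is constructed, 4111 1111 1111 1111 is a published test number, and the order and tracking numbers are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidate matches a run of 13 to 19 digits, optionally separated by single
// spaces or dashes, the way card numbers get typed into order forms and email.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid is the check-digit test every payment card number passes; it weeds
// out order numbers, tracking numbers and timestamps that merely look like cards.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding is one suspected card number. Only a masked form is kept, so the
// alert (which lands in a log or a mailbox) does not itself leak the PAN.
type Finding struct {
	Offset int    // byte offset of the match in the scanned body
	Masked string // first six and last four digits, the rest replaced by '*'
}

func mask(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// ScanOutbound returns every Luhn-valid card-like number in body. The regexp
// stops at a word boundary, so a PAN glued directly to other digits with no
// separator is missed; a stricter scanner would also try shorter sub-runs.
func ScanOutbound(body string) []Finding {
	var out []Finding
	for _, loc := range candidate.FindAllStringIndex(body, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(body[loc[0]:loc[1]])
		if !luhnValid(digits) {
			continue
		}
		out = append(out, Finding{Offset: loc[0], Masked: mask(digits)})
	}
	return out
}

// ShouldBlock is the policy hook: hold the message when it carries at least
// threshold card numbers (1 for a shop that never legitimately emails PANs).
func ShouldBlock(body string, threshold int) bool {
	return len(ScanOutbound(body)) >= threshold
}

// SampleOutbound is a constructed message body: one real-looking test card
// number, plus an order number and a tracking number that fail the Luhn check.
const SampleOutbound = `Subject: March invoices
Card on file: 4111 1111 1111 1111, exp 03/26
Order #4111111111111112 shipped, tracking 1234567890123.
Call 201-555-0142 with questions.`

func main() {
	for _, f := range ScanOutbound(SampleOutbound) {
		fmt.Printf("offset %d: possible card number %s\n", f.Offset, f.Masked)
	}
	fmt.Println("block message:", ShouldBlock(SampleOutbound, 1))
}
```

Run against the sample, only the card-on-file line is reported; the order number has the same shape but fails Luhn, and the phone number is too short. A production filter would run the same check over attachments and web uploads, not just mail bodies.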

None of this is meant to spread panic. Computers, software, social media, mobile technologies and websites are integral parts of your small business. And, you will most likely see an increase in automated communication between systems in the years to come. If you include security tools in your arsenal, you will be able to keep cyber crime at bay while focusing on what’s really important: Running your business. It’s insurance you can no longer afford to do without. Have you ever encountered a cyber attack?