By David Willson
Published May 07, 2015
“White House sources partly confirmed an alarming report that U.S. government computers -- reportedly including systems used by the military for nuclear commands -- were breached by Chinese hackers. This was a spear phishing attack ….”
That shocking news was reported Monday. And it should make every American think hard about their own cyber security.
Whether you are a business owner or an individual, you should be very concerned about cyber security. If the White House can get hacked, so can you.
How valuable is your business, your license, your livelihood, your personal information?
If you don’t think data breach or cyber security is a big deal or that it won’t happen to you, and you feel lucky, then ignore this article. On the other hand, if you have even the slightest concern over the security of your information, then read on and learn how to protect yourself and/or your company.
How secure is your information? First, let’s dispel some myths. Anti-virus software and a password do not keep information secure! As reported in the article mentioned above, the attack on the White House was a phishing attack. If you click on that link or open that attachment, then the quality of your password may not matter, and anti-virus is likely 0% effective against a zero-day attack. Passwords and anti-virus are necessary, but relying on them alone is like locking 20-50% of the windows in your house and hoping the burglars do not find the other unlocked windows. There are lots of holes. Anti-virus is only about 20% effective.
What about passwords? If you use a single word, a hacker can guess it in about three minutes or less with a dictionary attack! Once the attacker has one password, how many accounts does he have access to? Or do you use different passwords for every account? If you click a link in an email or on a website, there is a high probability it could be a virus that silently downloads in the background. Then it is game over, and no password in the world will protect you! If that virus happens to be a “keylogger” virus, then the hacker is now collecting every single keystroke on your computer, including passwords, account numbers, social security numbers, everything!
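To illustrate the single-word password point above, here is an added Python policy check (not code from the original article) that normalizes a candidate password the way dictionary-attack rules do, undoing trailing digits and common character substitutions, and rejects anything that reduces to one dictionary word. The wordlist is a constructed six-entry sample standing in for a real cracking dictionary.

```python
"""Reject passwords that are a single dictionary word with trivial mangling.

Added example for this article; not the author's code. WORDLIST is a
constructed sample; a real dictionary attack uses hundreds of thousands of words.
"""
import re

# Constructed sample wordlist (a real cracking dictionary is far larger).
WORDLIST = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

# Substitutions that cracking rules undo automatically, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(candidate: str) -> str:
    """Reduce a password to the base word an attacker's rules would test."""
    base = candidate.lower()
    # Drop leading/trailing digits and punctuation ("Dragon123!" -> "dragon").
    base = re.sub(r"[^a-z]+$", "", base)
    base = re.sub(r"^[^a-z]+", "", base)
    # Undo l33t-style substitutions ("dr4g0n" -> "dragon").
    return base.translate(LEET)


def is_single_dictionary_word(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the password collapses to one entry in the wordlist."""
    return normalize(candidate) in wordlist


def check_password(candidate: str, wordlist=WORDLIST) -> tuple:
    """Return (accepted, reason) for a candidate password."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if is_single_dictionary_word(candidate, wordlist):
        return False, "single dictionary word; falls to a dictionary attack"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Dr4g0n123!", "Sunsh1ne2015!!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
```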
If you believe you will never get hacked or suffer a data breach, you are in good company with many other individuals and business-owners who have been convinced they are secure.
Let me ask you this: how would you know if you were hacked or did suffer a breach? Does some bell go off on your computer announcing, “You have been hacked”? What you might notice is that your computer or mobile device becomes sluggish, which could be any number of issues, or your anti-virus software tells you it has detected a virus. So then what? What does that mean? You take the computer to a computer doctor, have it cleaned, and you are back in business, right? At this point, do you know whether anything was stolen? Probably not, and you will likely assume there are, and will be, no further issues.
Here’s the reality. In most cases you will find out you have been breached from a third party, like a friend, customer, client, or patient. If you are a business owner it is usually a very unhappy customer, client, or patient possibly looking to sue. It might be a friend who received a suspicious email from you and is checking to see if you sent it.
So, what can you do to protect yourself and your business? Choose a good IT company, lower risk and reduce or eliminate the liability associated with a breach, and be cyber astute:
1. In choosing a good IT company, check their references and ask to speak to current customers. The company should be comfortable supporting traditional networks as well as applications in the cloud, and it is imperative that they be very familiar with the various cyber security laws and standards, such as HIPAA and PCI. Are they going to monitor your network for threats and intrusions?
2. Risk and liability management. Once you have your network set up and basic security implemented (anti-virus, passwords, changing all default/factory passwords), implement three critical components:
a) Have a security assessment done, which includes a review of current security and recommendations;
b) Review and/or draft current policies and recommendations; and
c) Cyber security awareness training for all employees (a requirement under the HIPAA Security Rule).
These steps will lower the risk of a cyber incident or data breach, and reduce or eliminate your liability if one does occur. Why? Because as a business owner you can confidently claim you have implemented security, can show it in a policy, have trained your employees, and basically have done the best you can.
3. Cyber Awareness.
- Using your smartphone for banking can be risky. The security is just not up to par yet.
- When banking online, close all other windows and ensure the bank window URL comes up as HTTPS.
- If using public WiFi (hotel, coffee shop, airport, library), use a proxy that encrypts all your data so hackers cannot steal it.
- If the data you collect, process and store is sensitive, encrypt it.
- If emailing sensitive data, like financial information, use secure or encrypted email.
- Always log out of any account, especially banks, social media, etc. Simply closing the window leaves you logged in and hackers can potentially get in.
- Do NOT click on links in emails. Many are fake and will take you to a fake site, like a fake Facebook site where hackers will steal your data.
- Do NOT click on the “unsubscribe” link in emails. In many cases the email may be fake, and by clicking unsubscribe you are confirming your email address is live and will be put on a spam list.
- Password protect all mobile devices.