Online Cyber Security Tips for Small Businesses

There’s been a lot of buzz in the news centered around Cyber Security. ABC News reported yesterday that al Qaeda has called for an “electronic jihad” against the United States. FBI directors are retiring and saying the county is losing the cyber war. Legislators are trying to help the agencies charged with protecting us through legislation (CISPA). People are squawking about it. The media is sensationalizing it. Individuals and small business owners are confused by it or in denial of it and are therefore ignoring it. This is where the danger lies.

The threat is real, persistent, targeted, and professional. Threats to your business and personal security are not originating from bored “basement dwellers” looking to see how far they can go for the fun and challenge of it. Cyber criminals are organized, knowledgeable business professionals who are well-funded from the fraud they’ve committed.

According to Verizon’s 2011 Data Breech Investigations Report:

1. Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
2. Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
3. Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
4. Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
5. Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

As a case-study, I submit a new client who came to us for web work. After noticing odd behaviors in their email, we detected that they were under an advanced persistent attack. The attack involved using a compromised Yahoo email account and publicly available information in order to impersonate a vendor. The attackers then attempted to trick the client into wiring funds to the hacker in another country.

This was professional, organized crime; targeted, persistent, and a very real attack. This could have happened to anyone and according to our contacts at the FBI, this type of attack is becoming more and more common.

As small business owners, or even individuals, you cannot afford the luxury of thinking that you’re too small to be noticed. Fortunately, there are a few things you can do to protect yourself.

1. If you are a business, do not rely on yahoo mail, gmail, MSN mail, hotmail, or any other free email service for your business email accounts. Those systems are vulnerable to compromise on a large scale, and therefore your confidential email correspondence is also vulnerable. With most domain registrars, you get 5 or more email accounts free with your registration. Use them. And don’t just have them forwarded to your gmail account either.
2. If you are an individual or a business, do not do business, especially financial transactions, with companies who don’t have an email address on their own domain name. Cyber criminals have automated methods of setting up thousands of bogus email addresses on systems that offer free email accounts. It costs them nothing. While a domain name registration is inexpensive to a business or individual, purchasing thousands at a time is cost prohibitive to a criminal racket – and its trackable. Use the source of the email address as your first line of defense in identifying the bad guys. Don’t rely on the “from name” that most email accounts offer as matched up with the email address. Periodically look at the actual email address of the person you’re corresponding with to make sure the address matched with the name is the right one.
3. Try not to mix business email with personal. It’s imperative that you move your business email away from your personal, that way if one is compromised, the other will remain safe.
4. Use strong passwords and change them frequently. I know you’ve heard this a thousand times, but if you look at bullet point #5 from the Verizon report, it’s still a rampant problem. This is the most basic of defenses, but it is extremely important. More importantly, use different passwords for each account and don’t store them tucked under your keyboard. Check out Password Safe (http://passwordsafe.sourceforge.net/) for a more secure way of storing your passwords.
5. Don’t open unsolicited attachments, even if they’re from someone you know. Most of you have learned not to click on .exe files. Verify with the sender using another medium that they were the ones who sent it to you if it is a .doc/x, .ppt, or a .pdf.
6. As a corollary to number 4, don’t click on links embedded into emails if the source is questionable. I may be more paranoid than most, but I hover over every link I intend to click and look at the actual destination before I click it. In most cases, I don’t even click it then. Rather, I manually navigate to the site and look that way.
7. Do not click on any link that has been run through a link shortening service (eg. bit.ly or owl.ly). The reason is that you can’t see where your ultimate destination is. Malware has been spread quickly and easily through Twitter because of these link shortening services. Don’t click. If you really want to see the article, search for it or ask the original poster for the real, direct link. You need to know where you’re going and if it’s a trustworthy site.
8. Don’t use link shortening services like bit.ly or owl.ly. If your link is legitimate, let your friends and clients know that by providing the whole thing. WordPress, unfortunately, messed up its “get shortlink” feature when it added in JetPack and it uses wp.com instead of your own domain name. Find a way to use your own domain name instead, even if it means a longer link. There are plug-ins that will shorten and manage links for you in a more hygienic way.
9. If it’s valuable, treat it as valuable. Many business leaders are trained to monetize potential losses and if the cost of protecting it is more than the value of the data being protected, they choose to write it off as a loss should it be stolen – in many cases, that data was your credit card or bank account information. So far, no one has sued and received damages for a corporation’s improperly handling their personal data. But who can place a dollar figure on your brand’s reputation? Especially if you’re an individual or a small business. Your reputation must remain above question because you don’t have millions of dollars, a legal staff, and a marketing office to repair and deal with any damage to your image.
10. Monitor your web traffic as well as where your email is being accessed from. With very few exceptions, you can look at the IP addresses used to access your account. Most email services offer up the region of origin for those addresses. If you discover an IP address in China has accessed your account and you haven’t been in China, change your password immediately.
11. Keep your personal data off the web. It’s impossible to be completely confidential with all of your data and still be in business. If people can’t contact you, you can’t do business. Likewise, if people can’t research you and verify your legitimacy, you’re not going to be doing much business either. However, I recommend that you sit down and outline just how much data is necessary to share, decide what pieces you are going to put on the web, and then keep the rest safely off the Internet. In the case study above, the vendor was impersonated from the data in their email signature alone: name, company name, email, website, phone number. And it wasn’t the vendor’s systems that were compromised in order for them to do it. That leads us to tip #12.
12. Consider email encryption and signing. Installing public key encryption software on your email client will allow you to “certify” every email you send out as having been sent by you. Look at openpgp.org for a free public key encryption solution.

Would it help motivate you if I said it was your patriotic duty to practice safe Internet? If you’re not part of the solution, you’re part of the problem. Hijacked computers are used as “bot nets” by these criminal organizations in order to get into other people’s systems. How would it feel if you found out your computer was used to defraud another business? Vigilance at the individual level is required to protect this country’s economic interests.

I’m available to business meeting groups or other clubs and organizations as a speaker on this issue. This is important for all of us, no matter how large or small.