By far the major topic of discussion these days is Ebola, but move beyond that headline and you will quickly find daily stories about large corporate and government entities being hacked and all of our personal information being collected for who knows what. These are huge institutions, the backbones of our country in many cases. We are talking about Chase Bank, Home Depot, Dropbox. Our security agencies and their monitors are even hacking each other! Many small and medium-sized businesses feel a sense of helplessness or indifference when it comes to this topic.
Perpetuated by Inaction
When the issue comes up, one response we hear from clients is that there isn’t much that can be done if a huge company or government agency with massive resources can’t even secure itself. Another response is that these smaller companies feel safe in relative obscurity and often ask, “why would they bother with us?” Still others just keep their heads down and hope that the storm will pass them by. Our response is that you should do what you can, and you can’t assume they won’t find the smaller companies. It is true that hackers would love to go elephant hunting for a large corporation or government entity, but many of the hack attempts out there are carried out by software crawling the internet indiscriminately, looking for any weakness it can exploit. It is also possible that a foreign hacker is looking for a local server to set up shop on and take on a larger entity from there.
The financial consequences of a security breach are significant. For smaller companies like many of our clients, who may have their site on a shared server, one compromised site can affect the entire community of websites on that server, so the consequences of inaction just perpetuate the problem. The damage to your own company alone can be significant. In April 2014, IBM published an article (better yet, do a search for cyber security statistics 2014 to find the article) stating that in 2013 there were 1.5 million monitored cyber-attacks in the United States alone. They evaluated the breach against six categories of consequences and came up with these figures:
- 29% – Brand Damage and Reputation
- 21% – Lost Productivity
- 19% – Lost Revenue
- 12% – Forensics
- 10% – Technical Support
- 8% – Compliance Regulatory
We have recently had a number of clients report that their office networks have been compromised, and two older client websites have been affected recently. Neither client had taken advantage of the “Security, Backups and Updates” package that we offer as an ongoing service. Fixing one of the issues took over 20 hours of labor, a far more expensive option.
Web Security Solutions
So, what can be done? At a basic level, besides the obvious options for computer security software, we not only recommend, but in the near future, will insist on a number of things:
- Start with passwords – Use a password generator or develop a password strategy that does not include dictionary words or names. Make it a long one and include special characters, numbers, and upper- and lowercase letters. Don’t use the same password for everything, and for certain accounts it may make sense to change the password several times a year. The downside to this is time, hassle, and figuring out how to safely document the passwords so that they won’t be compromised in some other way. For website-specific concerns, do this for your registrar, hosting company, FTP accounts, all email accounts, and your login-based content management systems (CMS). Also remember cloud storage services like OneDrive, Dropbox, and Hightail, and any remote access software for desktop computers or company network data. As an added note, please do not email passwords around.
- Establish a policy to never click anything in an email – It used to be pretty easy to identify a spammy, poorly written email from a spoofed address claiming to be your bank and needing a password, or asking you to send money to another country. That is not the case anymore. Hackers often craft elaborate email schemes with clean layouts, logos and such. More sophisticated hackers likely have access to your personal information because of all the major compromises that have occurred, so an email can contain personal details that make it even more believable. An email might even come from a friend whose account has been compromised. We recently learned of a scheme where you receive a PDF file that, when opened, informs you that you need to download an Adobe Acrobat add-on to view the PDF properly. If you agree, a script runs that encrypts every document on your computer and provides you with instructions on how to make a payment to have the files decrypted. This “hijack” of your data could travel through every shared drive in your company and bring it to a screeching halt. The hijacker’s ransom for this one incident was $500 and doubled every several days, so you are motivated to act quickly to resolve the matter.
- Secure, back up and update your website – Most websites operate on a content management system (CMS) these days, which adds a layer of vulnerability. Like your desktop and mobile phone, a CMS and its add-on/app/plugin providers offer regular updates, both for added features and for securing weak points that have been identified. Sometimes the add-ons themselves have malicious intent, so it is best to use ones that have had extensive reviews and are still being maintained. It is often a cat-and-mouse game for the software providers to find the weakness before the hackers do, so when an update comes out, act on it. Also, entire servers can be affected. Backups are usually at hand if a restore is needed, but sometimes a compromise can sit dormant long enough that it becomes part of the backed-up files, so a restore just puts it right back where it was. Hackers often set up “back doors” as well, so if a compromise is found and removed, the hacker still has access through another back door.
Hacker events are on the rise (a 12% increase each year), harder to identify, and causing more damage than ever before. Many companies try to ignore the issue until it is too late and the damage is done, to them as well as to other sites sharing the server. Company employees need to be educated and aware. Though no website has proven to be 100% secure, there are reasonable actions that can be taken to reduce the risk and to deal better with an incident when it happens.
***** About Nelson & Co. *****
Nelson & Co. is a Sugar Land, Texas based graphic design, web design and web marketing firm serving the Greater Houston area with turn-key print and web design projects coupled with smart web marketing practices since 2002 and is proud to be listed in the Houston Business Journal’s Book of Lists as a Top 25 Graphic Design Firm serving corporate, mid-sized and start-up businesses alike with powerful branding and marketing tools. For more information on Nelson & Co. visit www.nelsonandco.net or contact us at (832) 532-7220.