Big companies like Target, Yahoo and Equifax are typically the unhappy recipients of big news coverage following data disasters. This is not surprising, given the size of the events. At Target, credit and debit card information or contact information for approximately 40 million people was purloined, leading to the resignations of both the CEO and CIO.
Three billion user accounts were affected during the Yahoo event, including the names, telephone numbers, e-mail addresses, birth dates and telephone numbers of 500 million users.
During the most recent big data disaster, bad actors stole social security numbers, birth dates, addresses, and in some cases drivers’ license numbers of 145.5 million consumers from Equifax.
While these disastrous events can be likened to floods, the persistent drip at small- to medium-sized businesses can be just as damaging for targeted companies. While cyber attacks on big companies can generate vast quantities of valuable data for cyber criminals, these companies are typically well defended. Although small- to medium-sized businesses are less valuable targets for these criminals, their IT systems are also easier to penetrate.
Here are a few guidelines small- to medium-sized companies can follow regarding cyber defense.
Cyber Security starts at home — According to a report published by IBM, company insiders are responsible for 60% of cyber attacks on these companies. IBM has identified insider status as anyone who has received credentials granting him or her physical or remote access to a company's digital assets.
As a result, companies should award credentials to access sensitive digital assets with careful thought and consideration. If an employee or contractor is either fired from or chooses to leave a firm, future access to these assets should be quickly blocked.
Effective cyber security begins with careful physical security. An employee or contractor who copies digital assets onto a portable drive and then walks out the door can do as much damage as a hacker who infiltrates your IT system from across the globe.
Train those with access to your digital assets to avoid the perils of ransomware — Bad actors behind ransomware cannot succeed in restricting access to a company's own computer system without the unknowing participation of their victims.
The following rules of thumb for employees and contractors can help to frustrate efforts to hold your company hostage:
Train your personnel to recognize the difference between bogus e-mails, advertisements and legitimate efforts.
Stay up to date on all IT protection systems, including anti-virus software.
Do not click on any unknown e-mails or attachments.
Do not store client data on unsecured devices.
Never connect unprotected personal devices to company IT systems. This includes flash drives.
Vet all third-party IT vendors scrupulously.
Never use free wi-fi anywhere without first logging into a virtual private network - especially if you're accessing sensitive, proprietary or password-protected data. (Photo: Shutterstock)
Wi-Fi hotspots are a tricky proposition and should be approached with caution — Next time one of your employees decides to access your company IT system via a Wi-Fi hotspot at a Starbucks, Panera, the train station, a hotel or other public space, ask him or her to remember 95% of Wi-Fi traffic is unencrypted. If the hacker sitting at the next table or across the lobby seizes the opportunity to penetrate your corporate server, all digital assets will become vulnerable. Following are a few rules of thumb to manage this risk:
Nothing is for nothing, including any network labeled “Free Wi-Fi.” Simply don't go there.
Before logging in, set all websites to “HTTP secure.”
Use a VPN before logging into a company network.
Do not access bank accounts, brokerage accounts, credit card accounts and subscription services via a Wi-Fi hotspot. In fact, anytime a user name and password are required to gain access to a website, count to ten and find another useful activity.
Accept your vulnerability — It has been said it isn't a matter of whether or not a cyber intruder will victimize a company, but when. To best defend against such an event, companies are advised to prepare in advance. Following are a few guidelines:
It should go without saying, transfer the risk to cyber insurance coverage since your company will be attacked by a cyber intruder who steals your own company's and clients’ sensitive information.
Rigorously guard against cyber intrusions, while documenting the actions you have taken. This documentation will be enormously useful if a client or vendor sues you following a cyber event.
Prepare a game plan for the potential consequences if a cyber intruder hijacks your IT system — inability to pay bills, access account information, collect payments, withdraw and add funds, run payroll and perform the many other bookkeeping and financial activities you presently conduct online – before a cyber event occurs.
With 62% of cyber attacks impacting small- to medium-sized companies, hackers know they are vulnerable. Even worse, only 40% of small companies suffering a cyber attack are still in business six months later, making training and preparation even more critical to mitigating the risks and helping a company recover as quickly as possible.
Bob Dietzel (email@example.com) is co-founder and Principal of KMRD Partners, Inc., a nationally recognized risk and human capital management consulting and insurance brokerage firm located in the Philadelphia region serving clients worldwide. KMRD works to protect clients’ assets by reducing their cost of risk.