Hacking attacks on big businesses are becoming more and more common. The Associated Press loses control of its Twitter account. Living Social watches a cyber-attack compromise the data of more than 50 million customers. Burger King gets hacked and starts tweeting about how it got bought by McDonald's.
Given all the time and energy hackers spend assailing the cyber-walls of high-profile corporations, there's no time left to pick on small businesses, right?
Wrong. Small businesses get hacked all the time.
According to the most recent Internet Security Threat Report by Symantec, 31% of all targeted cybercrime in 2012 was directed at small businesses with fewer than 250 employees.
Employees at small shops often tackle a more diverse array of tasks, and in many cases, a formal IT department might not be in place to protect small businesses against attacks.
So what's a small-business owner to do? The following list of tips, filled with advice from experts who fight hackers every day, can help.
1. Watch Out For Phishers: Phishers harvest user names, passwords, and other private information by sending emails purporting to be from legitimate businesses or financial contacts, and it's still an all-too-common technique, according to the experts at CloudFlare. Owners and employees need to be cautious of any suspicious emails and phone calls they receive, and they should never use the same password on multiple accounts.
2. Beware Vampire Data: Backup tapes and archives that go back decades; emails that should be destroyed after 90 days but linger indefinitely on employees' desktops; files copied to portable or cloud storage without the organization's consent or knowledge — this is what the experts at Kroll Advisory Solutions refer to as vampire data. Once it's discovered by hackers, it can come back to bite small businesses. A few steps to take:
(A) Create a data inventory, classify it by confidentiality or sensitivity level, and handle it accordingly.
(B) Only allow users to access the data they need.
(C) Regularly provide employees with data-handling training.
3. Enable Two-Factor Authentication: According to CloudFlare, turning on two-factor login authentication is the absolute minimum small businesses should be doing to protect themselves. It may not make your accounts invincible, but it adds an extra layer of protection.
4. DDoS Attacks: Small businesses are vulnerable to spambots and malicious denial-of-service attacks, just like high-profile companies. Best prevention practices include:
(A) Implementing and rigorously updating antivirus software.
(B) Installing gateway servers.
(C) Using firewalls.
These measures will stymie many DDoS efforts that rely on TCP/IP weaknesses.
5. Next Steps: Developing Business-Data Security
Defending against hacks in the future will require new strategies, experts say.
"If we've learned one thing from the changing climate of data security in 2012, it is that 2013 will definitely not be a time to employ the same old tactics," said Tim Ryan, managing director at Kroll. "Two thousand thirteen will require a review of information-security governance, identification of information risk and controls, and preparation for the inevitable: a breach of sensitive data, a looming threat for every organization."
So what can small businesses do in the face of these hacking threats? Contract with outside resources.
Small-business owners should explore partnering with an investigation and forensics team, a privacy law firm, and/or a breach-notification specialist. When a security incident occurs, having carefully vetted vendors in place to assist with response, advise on legal requirements, and mitigate damage saves time and money.
Small-business owners may not be able to build an entire IT department, but they can use IT resources to prevent or control future attacks.
It's time to put up those defenses, folks.