Counselor

How To Avoid A Data Breach

Many companies intuitively know about the importance of data security, but aren’t aware of the many ways hackers can get into their systems. Here are some strategies for protecting your business from becoming a data breach victim.

It’s a tragedy most small businesses insist won’t happen to them. But far too often, David Martin has seen data breaches not only undermine company functions but nearly take down whole organizations in the process.

“It can be pretty catastrophic,” says Martin, vice president of VeriFyle, a secure messaging and file sharing provider based in San Jose, CA. Martin recalls one small business that not only lost half of its 100 clients, but was forced to lay off 50% of its workforce and revert to a snail mail invoicing system after hackers targeted his company, gained access to the firm’s most private data and stole credit card numbers for many clients.

Like many small businesses, distributors are not immune to security breaches and data theft. And while most conform to smart safeguards – software updates and the like – plenty are also practicing the bare minimum in data security management, experts say. That’s a dangerous move, they insist. All too often, small-business owners – promotional products distributors included – continue to think their operations are an obscure outfit too small to be a likely target for would-be hackers.

But statistics prove otherwise. A 2014 small-business study by the Ponemon Institute, an independent organization that conducts research on privacy and data security, based in Traverse City, MI, found that over 78% of small businesses had suffered a data security breach within a two-year time span.

“We’re coming up on a time where hackers are starting to care about small businesses,” Martin says.

Small Companies in Focus 

Where once the ultimate target was a giant corporation’s financial information, hackers have learned that the time and expense needed to get beyond the firewalls of a giant company – if that’s even possible – are too great. But with hacking software being readily sold on the black market, access to hacking tools for small businesses and individuals is far too easy today, he says.

What can companies in the promotional products market do to make sure they don’t endure the same fate? Plenty, experts say. Security specialists stress starting with the basics and working up from there. First steps include regular patches and software updates whenever they become available, says Andrew Hay, chief information security officer at DataGravity, a data storage firm based in San Francisco. As many as one-third of employees use outdated versions of Internet Explorer, he says. Updates and patches are not unlike a burglar avoiding a home because it has an ADT Security sign out front, Hay says.

“They go to the neighbor’s house instead,” because would-be burglars are looking for the least secure, easiest hit. And with so many small businesses failing to do the bare minimum to safeguard information, there are too many sitting targets, Hay adds.

Yet, even the most vigilant small business is vulnerable if its employees are offering points of weakness for hackers. Most companies and their employees know not to click on suspicious links within emails that can end up releasing a virus on company servers, says Jerry Irvine, chief information officer of Prescient Solutions, a Chicago-based IT outsourcing firm, and a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council. The problem, he says, is that even the most vigilant employees become absentminded amid busy schedules and stressful workdays, inadvertently clicking on a link while moving through emails.

Even more troubling might be an increase in emails specifically targeted to resemble a message from the company’s CEO or a valued client. Employees, never thinking it could be an attack, click on the link and unwittingly expose their entire company. “Over 90% of all hacks occur as phishing scams,” Irvine says, referring to fraudulent messages designed to look like legitimate emails, which actually contain harmful links.

The fictionalized stereotype of a master hacker using his genius skills for evil rather than good is often rarely the case for real hackers, Irvine says. Which is why they target small businesses – the criminal activity’s low hanging fruit. “Their biggest target is the end-user,” Irvine says. “They don’t want to hack a firewall or server any more than anyone else does unless they’re really technical, which many of them aren’t. So they try to hack the user, and that’s significantly easier.”

Ransom Demands
More and more small-business owners report not only being the victims of phishing attacks, but – more commonly today – having to pay a ransom after being hacked and having their company’s data encrypted so that it is inaccessible to the business, experts say.

Ransom demands don’t tend to be huge – $500 is a typical demand for a small business, though large companies can pay tens of thousands. But unlocking files can take weeks, and hackers, wanting to remain anonymous, often demand that businesses pay them in bitcoins, a venture that can be onerous, time consuming and counterproductive to progress.

While basic security training instructs staff to avoid links until verified – even from seemingly trusted sources – training programs many times don’t point out other dangers lurking in everyday environments that seem innocuous enough. For example, public Wi-Fi is often a prime place for a hacker to attack, Irvine warns, advising business travelers to avoid free networks at airports, coffee shops and other seemingly safe locations.

Within a public domain, hackers “can capture your data and redirect it to a network so that you don’t even know a hacker is seeing it,” Irvine says. And hackers waiting to pounce are far more common than most people think, he adds.

Instead, Irvine suggests staff on the road use cellphone networks by tethering to mobile devices. That way, employees are using their own network, rather than counting on the safety of one that’s unknown. In fact, experts advise turning off Wi-Fi on mobile devices altogether when on the road. That cautious approach will mitigate employees becoming inadvertently exposed to a network that could be a prime vehicle for stealing data.

Other safeguards to ensure that your organization and its employees take? When surfing the Web, avoid search results further back than the first two pages, Irvine says, as well as unfamiliar websites. “After about the second page, every search result link can include some kind of hacker or some weak company that may have been hacked,” Irvine says. “It’s just not a good idea.”

Additional Safeguards
Still, even for companies that spell out clear security policies and ensure that employees follow them, a well-intentioned employee can make mistakes while traveling and not even know it. Have IT check employee devices after returning from a trip out of town to make sure they weren’t accessed without permission while the rep was on the road. More to the point, says Hay, make sure all data is backed up before employees take laptops and other devices out of the office. Just make sure the backup is secure as well, Hay adds – too often companies throw vital data with private information up on the cloud, only to find out later that where they were storing it wasn’t a safe place.

In addition to unsafe networks, passwords are one of the weakest safeguards against hackers, say security experts. With programs devised to run through thousands of password combinations (software bought off the black market can “hack passwords at a million per second,” Martin says), many are able to gain access to accounts through sheer willpower and time, making complicated passwords a crucial element to securing company data.

Often the complaint is that managing multiple passwords is too cumbersome, spurring employees to simply pick one password, often weak in its formation (“the most common password today is still ‘password,’” says Irvine), and use it repeatedly. Promo products companies that do that are sitting ducks, experts insist. They advise that the best passwords are lengthy, complicated and not remotely linked to a person’s personal details.

But those are often difficult for employees to remember. The problem, says Bill Carey, vice president of marketing for Siber Systems, a password management firm in Fairfax, VA, is that “users can’t remember more than three or four secure passwords at a time.” And most of those are only slight variations of the original so that their protective factors aren’t very strong. Programs like Siber’s RoboForm offer secure password management through encryption keys that keep hundreds of passwords secure via a master password that only the user knows – and can even help generate safe passwords as well.

Programs like Siber’s are typically $10 or less per user per year, Carey says, and make data so secure that a lost laptop in an airport wouldn’t, in all likelihood, be a security issue if found, since hackers wouldn’t be able to access a company’s login options without the master key. Carey cautions that documents saved directly to a laptop, however, may not be as secure.

Even more secure than strong password management is two-factor authentication, in which a user enters two codes from two separate devices, says Steve Manzuik, director of security research at Duo Security, a security management firm based in Ann Arbor, MI. That most often includes a computer login followed by authentication via cellphone as well – a convenient method that evolved from previous key fobs employees carried around with daily codes generated on them. Basic two-factor authentication is low-cost, even free for some limited uses, Manzuik says, making it a cost-effective option for smaller companies.

Proper Training Required
Other smart security measures involve testing the system, experts say. Want to know if your online payment portal is secure? Bug bounty programs can try to penetrate your company’s system to do just that, says DataGravity’s Hay. Working through a crowd-sourcing model, bounty programs have “friendly” hackers try and break through a company’s software, hardware or other technology. Often a smattering of hackers are hired, with each getting paid per hack.

Many of these security measures can be rendered useless, though, without proper employee training on how to avoid phishing, using secure networks on the road, or being consistent with password creation to make sure they’re not easily guessed by cyber criminals. That means regular training and communications so security steps are fresh in employees’ minds year after year.

In addition, Manzuik says, it’s important for distributors to consider and update contractors, customers and others outside the company who may be accessing company hardware and software systems. This is particularly important for smaller companies that could maintain tight security in-house only to have their company devastated by an outside contractor unfamiliar with data security policies.

In that sense, promotional products companies need to be aware of files and how they’re being shared – a crucial concern with artwork and orders being sent electronically every day. But VeriFyle’s Martin says distributors should be wary of email, since it is not a secure conduit. In fact, he says, too many companies rely on free services such as Google’s Dropbox – great for sharing family photos, Martin says, but not so much for sensitive corporate documents.

Too many companies offering free sharing services with promises of document encryption “use a single key to encrypt lots of data across lots of users. If someone gets access to that key, the data for all of the users will be exposed, not just one user.”

The claims, then, that these companies make about data being encrypted are true, Martin says, “but they’re encrypted in bulk. And those free services rarely use any kind of sophisticated encryption.”

It’s these kinds of factors that companies simply have to be aware of today, or else they’ll be open to hackers looking for openings.

– Email: betsycummings23@gmail.com; Twitter: @asicentral