Not too many years ago, the owner or senior manager of a small or midsize business was considered pretty hip in the world of network and data security if he could spot a phishing email. Boy, have things changed fast.
Internet thieves’ sophistication has grown geometrically every year for the past decade. That’s why large companies now employ their own security experts or hire outside IT security consulting teams to guard the perimeter. Still, some of them get hammered by high-profile network attacks. Last year, IT industry names like Yahoo, AOL, AT&T, Verizon, Google, Hotmail, Comcast, MSN, and Live.com were successfully hacked. More than 400,000 usernames and passwords were compromised in just a single attack on Yahoo.
And because big corporations are making themselves tougher targets for hackers, the bad guys increasingly are going after small and midsize companies. In fact, the vast majority of such attacks – and you don’t see this in the headlines – are against SMBs. The number rises annually.
Reading one blog won’t make you an expert, but it might help you ask better, more probing questions of your staff or IT managed services provider when thinking about data and network security. It also might help you better judge the veracity of answers you get.
Here’s a short primer on threats your business faces today:
- Spear Phishing. This goes way beyond “your bank” sending you an email asking you to click on a link and enter your account number. Spear phishing involves sending sophisticated but bogus business emails to company employees from what appear to be regular clients or known employees at vendor companies. The employee gets tricked not only into opening the email, possibly allowing malware to enter the company’s system, but also sometimes into responding with the data requested. Training employees on how not to be fooled is more important than ever.
- The Wide World of Malware. In the past, malware was used only to steal data from individual home PCs. Now it’s the most-used club in hackers’ bags when they target small and midsize businesses. Small and midsize businesses’ systems and networks are especially vulnerable because so many users connect via mobile devices. A large percentage of mobile devices are infected with malware picked up during their normal, legitimate use. Then those same devices are used to access company networks, passing the malware along. Indeed, information residing on or transmitted to and from mobile devices is about five times more likely to be compromised. Android devices are particularly vulnerable. So not only must companies’ own computers, servers and other network nodes be kept up to date with all the security patches available, so too must employees’ mobile devices – whether company- or employee-owned – have their protection updated often.
- Stealth Hacking. There have been lots of recent cases in which thieves placed “recording” malware on a company’s systems and networks and let it sit quietly, undetected, for months while it gathered huge amounts of data from the company, its customers, vendors, etc. The targeted companies discovered the malware only after the thieves finally accessed it in one big, quick data dump, then emptied multiple accounts or ran up huge charges on company or customer credit cards in one quick buying spree. So companies need to raise their game in scanning for such stealthy malware that sits dormant for long periods.
- Social Media Hacking. Whether they do it for “fun,” to make political or social statements, or to score on the violent stock price swings their actions can trigger, hackers increasingly are targeting companies’ Twitter, Facebook, LinkedIn, Pinterest and other social media sites. They hack into companies’ social sites to create havoc with companies’ brands by upsetting customers or making companies look mean, stupid or insensitive. Small and midsize business leaders need to make sure their company’s security focus goes beyond normal business systems and online network connections to include social media connections.
- Government Agency Hacking. Hackers with causes are growing more aggressive. And those with profit motives are attracted by the treasure trove of data residing on government systems and networks. Pretty much ALL small and midsize businesses are vulnerable because all companies “do business” with agencies like the IRS and the Social Security Administration, at a minimum. Small and midsize business leaders need to make sure their security efforts include multiple layers of protection on all data flowing to and from government agencies.
- Hire-a-Hacker. Previously only really big companies could afford and/or felt the need to hire “consultant” hackers to attack their own systems and networks to discover security weak points. But the threat level for small and midsize businesses now warrants giving the practice serious consideration. Many reputable IT consulting firms and vendors offer what is known as penetration testing. As a result of all that competition, these services now are within the price range of many small and midsize companies.