We are all connected, more than ever before, through IoT, smartphones, and all forms of internet communication. What infects one device can easily spread to all. Connectivity can be good, but it also opens up risks and raises cyber security concerns.
No Corporation Is an Island
High-profile cyber security attacks continue to dominate news headlines, from the Target data breach to the massive DDoS attack on DNS provider Dyn, which took down much of the Internet this past October. To attack these big-name companies, hackers find points of vulnerability by using unexpected and largely unavoidable connections. For example, in Target’s case, hackers used the login credentials of a third-party HVAC contractor, which should have provided only very basic access to the system, and then exploited that access. In Dyn’s case, hackers took advantage of a massive botnet that included smart devices. While each of these attacks exposes weaknesses, they also show the realities of doing business. Target needs HVAC workers. Dyn needs to give access to the smart devices that are used by their customers’ clients. Corporations can insulate themselves and take better precautions, but there is no 100% guarantee of data security protection. Sooner or later, a malicious threat will get inside; it is just a matter of when, how, and what efforts will be taken to mitigate the damage.
Data Security and Liability
Hackers may go after small businesses to reach larger targets such as suppliers, customers, business partners, and anyone else they are even vaguely connected with, all because they can. Usually, it is for the money, but not always. In some cases and in some jurisdictions, you may even be liable for damages. Regardless, think of the fallout. No one wants to be part of the kind of global news event that often accompanies a major data breach. Remember: you may be a small fish, but you’re swimming in a very big pond.
Data Security Threats Grab Attention of Federal Government
The federal government, and the Department of Homeland Security in particular, is taking an interest in small business cyber security. HR 5064, the Improving Small Business Security Act of 2016, proposes to give training to small businesses and to begin looking at ways to normalize security throughout the nation. While large corporations often have the funding and the infrastructure to secure their operations on a large scale, small businesses don’t always have the same resources. And yet, what happens on the lowest level ultimately affects us all. After all, that is where the hackers look, and all too often that is how the hackers get in.
Defense, Detection, and Mitigation
While we are waiting for a more robust data security system to evolve on a national level, there are steps you can – and should – take now to make your data more secure. Remember, all data security involves three basic steps: defense, detection, and mitigation.
- Defense – stop the attackers before they get to your data. In the Target example, that would mean not allowing hackers to get your login credentials. Have firewalls in place to prevent unwanted intrusion. Lock down your ports. Don’t write your passwords on sticky notes attached to your monitor.
- Detection – when hackers breach, make sure you know right away. Track, log, and report all unusual activity. If someone tries to log into your system fifty times in under a second or starts downloading all your clients’ data for no clear reason, you want to know.
- Mitigation – this last step will rely in large part on how well you’ve performed the earlier ones. Early detection is key. Once you know someone has hacked your system, mitigate the damages. Stop the attack. Switch over to your backup servers. Do what you need to do, quickly and securely.
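The detection step above, as an added example that is not part of the original article: a sliding-window check that flags any source making fifty login attempts in under a second. The log line format, event names, user names and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the article's example: fifty attempts in under a second.
MAX_ATTEMPTS = 50
WINDOW = timedelta(seconds=1)
FMT = "%Y-%m-%dT%H:%M:%S.%f"  # assumed timestamp format

def parse_line(line):
    """Parse '<ISO timestamp> <event> user=<name> src=<address>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("src="):
        return None
    try:
        ts = datetime.strptime(parts[0], FMT)
    except ValueError:
        return None
    return ts, parts[1], parts[3][4:]

def find_login_bursts(lines):
    """Map each source to the time it first reached MAX_ATTEMPTS logins inside WINDOW."""
    recent = defaultdict(deque)  # source -> attempt times still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in ("LOGIN_FAIL", "LOGIN_OK"):
            continue  # malformed line or unrelated event
        ts, _event, src = parsed
        window = recent[src]
        window.append(ts)
        # Assumes each source's lines arrive in time order; expire old attempts.
        while ts - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            alerts.setdefault(src, ts)
    return alerts

def sample_log():
    """Constructed sample: one source bursting, one user logging in normally."""
    base = datetime(2016, 11, 2, 10, 15, 0)
    burst = [(base + timedelta(milliseconds=10 * i), "LOGIN_FAIL", "admin", "203.0.113.7")
             for i in range(60)]
    normal = [(base + timedelta(seconds=30 * i), "LOGIN_OK", "alice", "198.51.100.20")
              for i in range(5)]
    lines = [f"{t.strftime(FMT)} {ev} user={u} src={s}" for t, ev, u, s in burst + normal]
    return lines + ["garbage line"]

if __name__ == "__main__":
    for src, when in find_login_bursts(sample_log()).items():
        print(f"ALERT {src}: {MAX_ATTEMPTS} login attempts in under {WINDOW} at {when}")
```

Counting both failed and successful logins per source catches the burst even when one of the guesses succeeds.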