This week, a teenage high school student reportedly hacked into the email account of CIA Director John Brennan and posted personal details to WikiLeaks. Granted, Brennan was using an AOL account, and the hack was likely a “social engineering” attack, in which personal information, most likely pieced together from details easily found online, was used to break in.
Regardless, if the email for the CIA director is not safe, what chance do we have?
If you think that having an email account hacked is the worst that could happen, consider someone using your information to order countless pizzas, call in bomb threats or make racist comments on your behalf online. This is the terrifying case of Paul and Amy Strater, a middle-class couple from Oswego, Ill., whose lives became the unfortunate collateral damage of a cyber war waged against their teenage hacker son, who unwisely picked a fight with another (and better) hacker in an online chat room he frequented.
Mike Schroll, the VP of business development for PC Pitstop, a maker of security and performance software, is a former hacker who made his living professionally breaking into the cyber infrastructure of large organizations and identifying its vulnerable areas.
Schroll points out that cyber security, like an onion, has several layers — and both, when cut into, cause many tears — and entrepreneurs and business managers need to understand every layer to best protect a company’s cyber infrastructure from threats.
1. Social engineering
The first layer is protecting your company from attacks from afar. Hackers have been known to gather general information about an individual online — we do, after all, share everything about ourselves on social media — and use it to manipulate employees of companies, such as banks, into disclosing personal and sensitive information. While each such disclosure is a failure on the part of the employee, more often it is a systemic failure of the organization to train its staff and emphasize security protocols.
Schroll suggests that you make certain you have documented security processes that are reviewed with your employees and tested often. Have a process to verify callers, and never disclose passwords or other sensitive customer information.
2. Physical security
While you may believe your building and technology — and hence your sensitive information — are physically safe and secure, good hackers know “tricks” that will allow them to penetrate even this layer of security. Additionally, many business owners pay little attention to other physical aspects of their companies’ operations that pose a threat, such as leaving computers exposed or failing to destroy old hard drives.
As with social engineering, these physical security breaches are not always the fault of the security personnel but rather of the organization’s general security protocols. Schroll recommends that you encrypt your drives, keep cloud backups, enclose any hardware ports exposed to the public, have old hardware disposed of by professionals and use theft recovery software, such as Prey Project, on business devices.
3. Wireless security
Your wireless network also poses a threat to your company. We often forget that Wi-Fi signals extend well beyond the walls of our offices, and a hacker with a good antenna can connect to your signal from far away. Once on your network, unprotected file shares or computer accounts with simple passwords become an easy path to other sensitive information.
Schroll says companies should be using the WPA2 protocol, not the antiquated WEP or WPA. Additionally, your router password needs to be as strong as all your other passwords. Never use a default password, and make certain it is nothing that can be easily guessed (your company address, for instance).
4. Passwords
According to Schroll, passwords are like underpants — they need to be changed often, kept private and never shared with anyone. The best passwords are long, use a combination of uppercase and lowercase letters, numbers and symbols, and are different for every account.
Schroll suggests using phrases, which are easier to remember. For example, consider this famous line from the movie Forrest Gump: “Life’s a box of chocolates, Forrest. You never know what you’re gonna get,” which translates to the very effective password “L’aboc,F.Ynkwy’gg.”
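As an added illustration (not code from the article or from Schroll), the phrase-to-password rule above as a small Python function, plus a check against the properties listed earlier. It assumes the phrase ends with a period, as the line of dialogue does; note that the article’s example contains no digit.

```python
# Added example, not the article's code: keep the first character of each
# word, any apostrophe inside the word, and the punctuation ending the word.
APOSTROPHES = "'\u2019"
END_PUNCT = ",.!?;:"


def phrase_to_password(phrase: str) -> str:
    parts = []
    for word in phrase.split():
        # Drop surrounding quotation marks so they do not become characters.
        word = word.strip("\"\u201c\u201d")
        if not word:
            continue
        parts.append(word[0])
        # Keep apostrophes wherever they occur ("Life's" -> "L'", "you're" -> "y'").
        parts.extend(ch for ch in word[1:] if ch in APOSTROPHES)
        # Keep the punctuation that closes the word ("chocolates," -> "c,").
        if word[-1] in END_PUNCT:
            parts.append(word[-1])
    return "".join(parts)


def password_profile(pw: str) -> dict:
    """Report the properties the article says a strong password should have."""
    return {
        "length": len(pw),
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


if __name__ == "__main__":
    # The article's phrase, assumed to end with a period.
    phrase = "Life\u2019s a box of chocolates, Forrest. You never know what you\u2019re gonna get."
    pw = phrase_to_password(phrase)
    print(pw)                    # L’aboc,F.Ynkwy’gg.
    print(password_profile(pw))  # 18 characters, no digit
```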
5. Two-factor authentication
Even with strong passwords, good hackers still have ways to penetrate account security. For this reason, businesses should strongly consider using two-factor authentication (2FA). Most large companies, such as Google, Apple and Dropbox, offer 2FA via a mobile phone number or email account, and apps such as Authy and Google Authenticator can help you implement it with other apps and services.
As more secure methods continue to be developed, such as fingerprint and facial recognition and even ultrasonic sounds, companies should not shy away from updating security measures as often as needed to stay ahead of hackers.
6. Email security
If you protect nothing else, Schroll emphasizes the need to at least protect email accounts. Consider that once hackers get into an email account, it is not difficult for them to reach other accounts, since your email account is typically how you reset forgotten passwords. While it is old news, Schroll says to never click links or open attachments in emails, as many links take you to phishing sites that look remarkably like the real ones. Instead, open a website by creating a new tab in your browser and typing the URL yourself.
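An added example, not from the article or PC Pitstop: a defender-side check that parses the links in an HTML email and flags the mismatch the advice above warns about, where the visible text names one site but the href leads to another (or to a bare IP address). The sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not the article's code. Flags email links whose visible
# text names one site while the href goes to another, or to a bare IP.
class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value: str) -> str:
    """Hostname of a URL or bare domain, without a leading 'www.'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").removeprefix("www.")

def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append((href, text, "href is a raw IP address"))
        elif re.search(r"\w\.\w", text) and host_of(text) not in ("", href_host):
            findings.append((href, text, "visible text names a different host"))
    return findings

# Constructed sample message, not a real email.
SAMPLE = """<p>Your account needs verification.</p>
<a href="http://accounts-verify.example.net/login">https://www.google.com/account</a>
<a href="http://203.0.113.10/reset">Reset password</a>
<a href="https://www.dropbox.com/home">www.dropbox.com</a>"""
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the Dropbox link alone, because its text and href name the same host.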
Schroll goes further to recommend using Gmail and Google Apps (with 2FA, of course), as Google has superior spam, virus and phishing protections.
Most anti-virus software includes services that help keep email accounts and other sensitive information safe. Even the best software, however, has vulnerabilities. Malicious programs are being created at breakneck speed, and anti-virus companies have difficulty keeping track of all of them on their “blacklists.”
For this reason, businesses should consider using a service that employs a “whitelist,” such as PC Matic. With whitelist protection, only software and programs that have been pre-approved are allowed to run, adding an additional layer of protection to your systems.
Understand that your business stands a very, very good chance of getting hacked — it is just a matter of when. Take the appropriate measures to secure your hardware, software and cloud accounts, and have a clear, detailed and stated information and technology security policy.
Remember: Stay out of online chat rooms and never, under any circumstance, mess with teenage hackers or anyone with a profile name that sounds like a mob boss or fantasy wizard with too many misplaced uppercase letters.