Even if it didn’t impact you directly, you most certainly have heard about the recent massive data breach in the United States Federal Government. In July 2015, it came to light that 21.5 million individuals were impacted by two incidents of data theft from the Office of Personnel Management computer systems. The hackers were able to obtain information from federal employee security clearance applications, which contain not only personal information about the applicant, but their partners and spouses, immediate family members, former employers, and even neighbors. This included information such as health records, social security numbers, and fingerprints. As a result of these major data leaks, the director of the Office of Personnel Management, Katherine Archuleta, resigned her post.
This news has shown all of us that no entity is immune to computer hackers. According to computer security site McAfee.com, not all computer hackers are out to steal information from you. They may have any of the following motives:
- Breaking into networks or creating computer viruses to earn money from others.
- Attacking networks in order to deface a website and make a name for themselves.
- Hacking as a form of harassment, particularly against someone with different political or religious beliefs.
- Hacking to exact revenge.
- Hacking to expose what the hacker believes is wrongdoing by a website or its operator. (This is easily demonstrated by the hacking of marital cheating website Ashley Madison in order to release the names of the people using the site.)
- Being paid by governments around the world to target civilian, corporate, and government websites of other countries to achieve military objectives.
- Being paid by corporations to infiltrate rival corporations in order to obtain trade secrets.
- Spreading fear of terrorism.
Thankfully, much like an alarm will scare away a potential burglar, having some basic protections in place can scare a hacker away from trying to do damage to your office systems. Entrepreneur recommends you implement the following basic tips for computer security in your business.
1. The world of computer security is ever-changing, so it is important to stay up to date on the latest hacking threats. One way to do this is by reading the website Hacker News.
2. Limit access to your website. This can be accomplished by:
a. Reiterating to your employees that they need to use complex usernames and passwords that would be difficult to guess. These should include numbers and symbols as well as letters.
b. Changing your database table prefix from the default (such as “wp6_”) to something less predictable.
c. Limiting the number of login attempts allowed within a specified timeframe, including password resets.
d. Reinforcing that login details should never be sent via email.
3. Understand that when a software update comes out for a product you use, it is very important to purchase that update and apply it immediately. These updates often include patches for newly discovered security vulnerabilities.
4. Tighten the network security in your office by having computer logins expire after a certain amount of computer inactivity, mandating password changes at regular intervals, instructing your employees never to write their passwords down, and having all devices plugged into your network scanned for malware each time they connect.
5. Install a web application firewall (WAF). This acts as a filter between your website server and the data connection, reading all data that passes through. This will block hacking attempts as well as filter out malicious bots and spam email. This is usually a cloud-based service that charges a monthly subscription fee.
6. Another level of protection, lesser than that of a WAF, is a security application. Downloading these tools, which can be either free or paid, protects you against automated hacking tools which scan the web for sites with known vulnerabilities, which could include yours.
7. Hide your website’s administrative pages so that they cannot be indexed by search engines.
8. If at all possible, do not allow documents to be uploaded to your website. It is very easy for bugs to slip through your system’s protections through an uploaded document, giving a hacker easy access to your website. If you must have documents uploaded to your site, ask your web host to set things up so that they are stored outside of your root directory to better protect your system.
9. Make sure that any personal user information is transferred between your database and website using a Secure Sockets Layer (SSL) protocol. This will prevent anyone from being able to read it while it is being transferred.
10. Disable form auto-fill on your website, especially for user names and passwords, as using it will make the site vulnerable to attack from someone who has stolen a user’s computer or phone.
11. Have multiple forms of system backup in place for all of your data. Your information should be backed up multiple times each day both on site and off site, so you can retrieve your data if you are the victim of a cyberattack.
12. Don’t be fooled by software providers who say they can hide the code on your websites. While they truthfully can, there are a variety of easy ways to work around that encryption, and hackers are very familiar with them.
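Tip 2c above (limiting login attempts and password resets within a timeframe) is the one item on the list that comes down to a small piece of logic. The following sliding-window limiter is an added illustration, not code from Entrepreneur or from any product mentioned here; the limits of 5 logins and 3 password resets per 15 minutes are hypothetical values chosen for the example.

```python
import time
from collections import defaultdict, deque

# Hypothetical limits for this example: (max attempts, window in seconds)
# per account. Password resets get their own, tighter counter.
LIMITS = {"login": (5, 900), "password_reset": (3, 900)}


class AttemptLimiter:
    """Sliding-window limiter for login and password-reset attempts per account."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock                  # injectable clock, so the behaviour is testable
        self.history = defaultdict(deque)   # (account, action) -> timestamps of allowed attempts

    def _recent(self, key, window, now):
        """Drop timestamps older than the window and return the remaining ones."""
        q = self.history[key]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def attempt(self, account, action):
        """Record one attempt; return True if it may proceed, False if it is blocked."""
        max_attempts, window = self.limits[action]
        now = self.clock()
        q = self._recent((account.lower(), action), window, now)
        if len(q) >= max_attempts:
            return False        # over the limit: blocked attempts are not recorded
        q.append(now)
        return True

    def remaining(self, account, action):
        """How many more attempts this account may make in the current window."""
        max_attempts, window = self.limits[action]
        q = self._recent((account.lower(), action), window, self.clock())
        return max_attempts - len(q)


if __name__ == "__main__":
    limiter = AttemptLimiter()
    for i in range(7):
        print("login attempt", i + 1, "allowed" if limiter.attempt("alice", "login") else "BLOCKED")
```

Account names are lower-cased so that “Alice” and “alice” share one counter, and each action keeps a separate window so a burst of failed logins does not consume the reset quota, or vice versa.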
The next thing to consider is further education of your employees on how they can help to keep your company’s information secure. The first thing to talk to them about is creating strong passwords for their office computers. Microsoft recommends that the best passwords meet the following criteria:
- Contains at least eight characters
- Does not include your real name, company name, or user name
- Does not contain any complete dictionary words
- Is completely different from your prior password
- Contains uppercase letters, lowercase letters, numbers, and keyboard symbols
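The five criteria above can be turned into an automatic check rather than a memo. The following function is an added example, not Microsoft’s or the article’s code; the six-word dictionary and the sample names it is tested with are constructed stand-ins for a real word list and a real user directory.

```python
import re
import string

# Constructed stand-in for a real dictionary file (hypothetical, for the example).
DICTIONARY = {"password", "summer", "welcome", "dragon", "office", "secret"}
SYMBOLS = set(string.punctuation)


def check_password(candidate, *, real_name, company, user_name, prior_password,
                   dictionary=DICTIONARY, min_dict_len=4):
    """Return the list of criteria the candidate fails (an empty list means it passes)."""
    failures = []
    lowered = candidate.lower()

    if len(candidate) < 8:
        failures.append("at least eight characters")

    # Identity-derived strings are compared case-insensitively and split into
    # parts, so "Doe" alone is caught as well as "Jane Doe".
    parts = set()
    for text in (real_name, company, user_name):
        parts.update(p.lower() for p in re.split(r"\W+", text) if len(p) >= 3)
    if any(p in lowered for p in parts):
        failures.append("must not include real name, company name, or user name")

    # A complete dictionary word embedded anywhere in the password fails the check.
    if any(word in lowered for word in dictionary if len(word) >= min_dict_len):
        failures.append("must not contain complete dictionary words")

    # "Completely different" is read here as: neither password equals or contains the other.
    prior = prior_password.lower()
    if prior and (prior in lowered or lowered in prior):
        failures.append("must be completely different from the prior password")

    classes = (any(c.isupper() for c in candidate),
               any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(c in SYMBOLS for c in candidate))
    if not all(classes):
        failures.append("must contain uppercase, lowercase, numbers, and keyboard symbols")

    return failures
```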
Another item to discuss is the social engineering hackers will use in order to try and gain access to a computer system. For example, an individual may call an employee’s work phone, pretend to be from the company, and ask seemingly innocent questions that lead the employee to reveal information the caller can use to get in. Another frequent trick is an email that looks as if it has come from the company stating that the employee’s email account is full, and telling them to click a link and enter their user name and password in order to get a higher quota of space for their email. Employees should be taught to have a healthy amount of skepticism regarding attempts like these, and know that they should never give personal information out over the phone, and never click on a link in an email, no matter how much it looks like it may be from your organization.
Finally, as an employer, it’s extremely important that you provide your employees with a way to report attempted cyberattacks and spoof emails. Be sure they know you welcome any reports of suspicious phone calls, emails, or interactions, even if they turn out to be false alarms. It is also a good idea to send screenshots of suspicious emails around to staff so they know what they should be on the lookout for. You might even consider putting a rewards program in place for employees who report these attempts. With proper education and cooperation, your company can protect itself against cyberattacks.