With so many businesses doing things wrong, surely some are doing things right. Generally, the individuals and businesses that remain secure have a mindset that things are never secure enough. Regular attention to software and hardware maintenance, monitoring, testing and upgrades tends to make for the best security. From application code to infrastructure, prioritizing security has a large impact on a business, even if the results are not immediately recognized or quantifiable. Security is often measured in losses, because the gains and prevented breaches are not as easily measured.
Many security consultants will tell you that your Twitter account is more secure than your bank account. Many people assume that businesses holding high-profile data, such as banks, government or healthcare, must also have top-of-the-line security. The sad reality is that even though these industries are regulated for certain security measures, most of the technologies used to protect and assess them are quite dated and contain many vulnerabilities. Tech companies like Facebook or Twitter, on the other hand, are bleeding-edge technology companies which rely entirely on the stability and security of their technology to exist as a business. Whether a bank or financial institution is hacked is, in the grand scheme of things, not incredibly important to the business breached. Often, insurance companies, consumers and other providers take on the brunt of the damage without seeing compensation or recovery. If organizations were under the impression that a single data breach could bankrupt their business, many would be as secure as the tech giants are. These tech giants often do security right, as they understand the importance of automated testing, regular updates, penetration testing and other technology best practices.
Hackers want to come after you
This is not a scare tactic, it is simply true: you are a target for hackers. Hackers are often after anyone and everyone. Maybe your business has yet to be discovered or to catch the interest of the right hacker, but that does not mean you will not be discovered at a future time. Everyone from the biggest corporations to the tiniest mom-and-pop shop is a target. The only thing protecting you by default is that hackers are lazy. Most hackers will not spend any serious amount of time seeking out a particular business and trying various ways of penetrating it. Often they will run a bot that crawls various websites and networks until a website that meets a certain set of criteria is found. By now, you should understand that hackers have a wide variety of motivators, so it is only safe to assume that a number of those may apply to you. You should also be considering the various reasons a hacker may have to break into your systems. From the simplest form of bragging rights to extracting data from your database or file system, or simply wanting control of your machines, hackers have many reasons for targeting both individuals and businesses, large and small.
You may think that your company isn’t large enough to be an attractive target for a hacker, but that is a myth. This is not a scare tactic, it is simply a true statement: you are a target for hackers. Hackers are opportunists. Maybe your business hasn’t been discovered or hasn’t caught the interest of the right hacker, but that does not mean you will not be discovered. It is a common misconception that hackers are only interested in large organizations, governments, or financial institutions. In reality, everyone from the biggest corporations to the tiniest mom and pop shops qualify as targets for hackers.
From the simplest form of bragging rights, to extracting data from your database or file system, or simply wanting control of your machines, hackers have many reasons for targeting anyone. According to Verizon’s Data Breach Reports, more than 70% of data breaches targeted organizations with fewer than 100 employees.
The assumption that you are small enough to fly under the radar can have devastating consequences. Hackers tend to follow a simple formula when assessing a target: reward divided by effort equates to the level of interest. If your company offers a hacker a favorable gain-to-effort ratio and has under 100 employees, consider these chilling statistics for a moment:
- Your employees are your greatest threat
- The cost of being hacked averages $36,000
- There’s a 100% chance that one in ten people will click a malicious link.
- On average, it costs north of $50,000 per 1,000 records lost
Emails are probably the first tier of interesting data. Even if you collect nothing more than email addresses, your database is of value to someone on the black market, because they can easily launch phishing attacks against your customers while pretending to be you. Protect even seemingly unimportant data such as newsletter lists. At the very least, your company can be held accountable for leaked email addresses, and the backlash from customers receiving spam because of a leaked database can go viral. So be proactive and avoid being a hacker target.
The next level up is user authentication data, such as usernames and passwords. Sad as it may be, most people use the same login credentials across multiple applications. By breaching your database of credentials, a hacker can easily create a script to try those credentials across other applications such as bank websites, social networks, and email providers. When storing this type of data, it’s best to use encrypted passwords (or better yet, token-based authentication) and secure connections between your clients and your application.
Credit cards, Social Security numbers, and other financial data are obviously the most valuable. This data is among the most coveted by hackers, yet it is often still collected by applications over very insecure connections or stored in plain text in databases. Many products and services exist which take much of this responsibility off your shoulders and also meet many of the compliance standards you might otherwise need to implement yourself.
Acknowledge the fact that hackers may have an interest in you, and you will then be able to start thinking about ways to enhance your security, taking into account the specifics described here. Note that beefing up security does not always imply higher cost, either. You can start to increase security with minimal effort or cost simply by staying informed, educating your employees, and keeping software up to date.