You’ve heard a lot of the recent cybersecurity horror stories and you want to protect yourself and your business — but where to start? We asked local experts to explain the threats and how to guard against them.
PHISHING EXPEDITION
One of the most common methods of accessing private data is called “phishing.” Coined by hackers back in the 1990s, the term describes the process of sending fake emails that appear to be from a reputable source. The messages trick people into revealing personal information like passwords, credit card numbers and Social Security numbers.
“A lot of businesses use Microsoft Office 365 and that’s a very popular phishing target these days,” said Nick Lauve of Rent-A-Nerd, a New Orleans IT company founded in 1997.
“So, someone will get an email that says, ‘Hey, I need you to reset your password. Click here.’ They get your password and now that person has access to all of your email and they could also potentially leverage that into accessing the server at your office as well.”
Don’t think it can happen to you? Just ask John Podesta, former Hillary Clinton campaign chair and perhaps the most famous phishing victim of all time.
The technique is popular because it’s effective.
“Humans are a lot easier to exploit than computer systems,” said Lauve. “There are all sorts of different attacks that can be launched against servers, websites and routers. But at the end of the day, if you can get Joe in accounting to click a link in an email that lets you into the whole system, that’s way easier than all the other stuff.”
Insurance doesn’t protect you if they find that you weren’t doing your due diligence as far as passwords, security, cybersecurity training and a firewall. It’s not an either/ or situation. Nick Lauve, Rent-A-Nerd
YOU RANSOM YOU LOSE SOME
Once they have access to your data, the hackers have a variety of options that often include employing “ransomware,” a type of malicious software that prevents access to a computer system until a fee is paid. Sometimes, a very hefty fee. In 2017, South Korean web provider Nayana paid $1 million to prevent thousands of its customers’ websites from being shut down. Last year, city officials in Riviera Beach, Florida, agreed to pay $600,000 to regain access to municipal computer systems.
In addition to holding your data for ransom, hackers may also attempt to sell it on the “dark web” — a collection of websites invisible to search engines and only accessed using special browsers. The open-source Tor browser, which uses encryption to help keep its users’ anonymous, is one such tool.
“One industry that we see targeted a lot is healthcare,” said Lauve. “Same thing with the financial industry. And, actually, it’s probably the same thing with state and local governments. Ransomware is always a quick way to make a buck if you’re a hacker, but if you can get people’s Social Security numbers, credit card numbers or medical records, you can sell that.”
NO BUSINESS LIKE SMALL BUSINESS
Lauve said that even though you hear more about attacks on city and state governments, the majority of targets are small businesses.
“The attackers know that small businesses are low-hanging fruit because they are less likely to spend money on cybersecurity,” he said. “They are more likely to have a cheap piece of hardware as a router or bad security practices when it comes to passwords. So, in a lot of ways the people who think that they don’t need to spend a lot of money on cybersecurity probably need to be considering spending a little bit more.”
CYBERSECURITY ESSENTIALS
If you’re ready to invest to make you or your business safer, what are the first steps to improving your defenses?
Experts recommend the following:
- Create strong passwords and don’t use the same password for multiple accounts.
- Use multifactor authentication (requiring individuals to provide two or more credentials to verify their identity).
- Frequently back up your essential data.
- Add firewalls and content filters to your systems.
- Use DKIM (DomainKeys Identified Mail) to prevent “spoofing” (hackers using your email address to send malicious messages).
- Sign up for cybersecurity training.
- Hire pros to audit your security practices.
- Buy cybersecurity insurance.
BACK THAT DATA UP
Security pros preach the value of “business continuity and disaster recovery” — or BCDR — which means business owners should have a plan to revive their computer systems and entire business in the aftermath of a disruptive event.
Keith Frischhertz of Monarch Technology, a technology management company based in Mid-City, said one way of ensuring BCDR is to use a piece of technology that takes frequent “snapshots” of all your data, which is then stored in the cloud. In the case of trouble, your data can be restored from a very recent version. Frischhertz said a system that can handle 10 terabytes of data costs about $6,000 to buy and roughly $900 per month to run — not cheap, but not as expensive as the $7 million the city of New Orleans estimates it has spent so far to restore its systems after the malware attack earlier this year.
These systems typically incorporate anti-ransomware features.
“If somebody does hack your stuff and tells you, ‘I want $1 million for this file,’ you can tell them to go to hell and just go right back to your file as it was before the ransomware 20 minutes ago, an hour ago or yesterday,” said Frischhertz. “If the city had this type of system in place, the ransomware event would have been a non-issue.”
SERIOUSLY, FOLKS
Experts agree that the threat is serious, and also that many businesses still ignore it.
“A lot of business owners, both big and small, are just not taking it seriously because that’s just another thing on their plate,” said Michelle Craig of New Orleans-based Transcendent Law Group. “Bigger organizations are watching other big organizations get attacked like the city, convention center and some of the credit card companies. But for small businesses, paying attention means taking time away from what it is they do, whether it’s their product or service. And a lot of them don’t have the bandwidth or the knowledge to even know where to start.”
Craig said that even if a business owner doesn’t have a lot of time or resources to devote to the problem, it’s important to at least tackle some of the basics to make your business a less desirable target.
“There are smaller things you can do to protect yourself,” she said. “It’s like being carjacked or robbed. You can’t stop it from happening for sure, but you can be an undesirable target and that means making sure security systems are in place.”
Cybersecurity insurance, once an after-thought, is now an essential, said Craig.
“If you don’t have this, you are not doing what you need to do, and it undermines your legitimacy,” she said. “Because if you don’t have that insurance and something critical happened, then that could cripple the business in such a way that ends it.”
Thinking it’s enough to get cybersecurity insurance? Think again.
“Insurance doesn’t protect you if they find that you weren’t doing your due diligence as far as passwords, security, cybersecurity training and a firewall,” said Lauve. “It’s not an either/or situation.”
It’s also a good idea to put somebody on your team in charge of cybersecurity.
“Just like there’s somebody in charge of the HR department, someone should be in charge of cybersecurity,” said Craig. “Companies are now hiring cybersecurity officers to do the training and make sure the equipment is up to date. That’s not a bad investment considering the type of losses that occur.”
When it comes to keeping your data secure, the key is to always be vigilant.
“I mean, the biggest danger is that we can’t keep up with the types of threats out there,” said Craig. “When we identify what’s out there, something else is created.”