Don’t let hackers raid your data vault
In the digital world, data is like bullion: If snatched out of the vault, it could lead to financial ruin. Attacks against the likes of Sony Corp. and Target Corp. steal headlines, but startups are anything but inconsequential to cyber thieves: More than a third of attacks globally are aimed at small businesses and the number of hackers is growing, too.
McAfee Labs detected more than five new threats a second in the third quarter of 2014. A study it commissioned last March revealed one in five businesses were victims of a network breach, likely understated considering the stigma that comes with such an admission.
“You, as a customer, have only one demand,” said Carmi Gillon, executive chairman of Israel-based security startup Cytegic, in an interview in Toronto. “I give you my information. I believe you do the utmost you can do to keep the information safe.”
Mr. Gillon, a former head of Israel’s internal security service, Shin Bet, and Shay Zandani, Cytegic’s chief executive, are on a mission to convince company leaders worldwide that cyber security isn’t just a matter for the engineers; it’s their concern, too. They are also hoping to drum up support for the company’s latest software.
Cyber security is a fierce battleground in Tel Aviv, where such startups number in the hundreds. One area Mr. Gillon said is becoming bait for hackers is health-care IT.
“It’s the most intimate personal information. I’m a patient of yours. I want to be sure all the information about me is safe in your clinic,” Mr. Gillon said.
But regardless of the industry, he contends the forces of evil are always one step ahead of the game and no one is immune to threats.
It’s not just the company’s own information on the line, it’s the clients’, too, said Sam Seo, co-founder of Toronto-based analytics firm Physicalytics. Through experience, he strongly advocates keeping a lock on data.
“It’s obviously something we worry about, but it’s also something we’re heavily prepared for and trained to prevent,” he said. Yet, it took a scare for a client, Web development firm Hostorea, to fully realize that.
When a banner appeared on Hostorea’s website, declaring it had been hijacked and demanding payment for it to be returned, Mr. Seo quickly restored an older version of the site. “If I didn’t have the backup, I would have been in a bad situation,” he said. Backing up data is done by less than half of small businesses, 2013 Statistics Canada data show.
Most corporations can absorb such a blow over the long haul, but for entrepreneurs, even a small-scale attack could undermine all their hard work. “You can decide that [you’re] not going to use [your] budget to protect [yourself ]. At the end of the day when you reach a point that you are attacked, the damage to your business is so high maybe it will destroy your business,” Mr. Gillon said.
Even if there is nothing to gain financially, a vault full of sensitive data can be much more valuable to a cyber thief, Mr. Zandani said.
He recommended every business set aside one-fifth of an IT budget — a conventionally accepted figure — for security. “That’s not easy to invest such an enormous amount of money. You’re not getting any income out of it. It’s like buying life insurance,” he admitted.
But as Mr. Gillon pointed out: “Average people [take out] life insurance for the sake of the family. But at the end of the year they don’t say, ‘ OK, I just spent money, nothing came out of it.’ ”
Kris Constable, founder of PrivaSecTech, a Victoria-based consulting firm, agreed the cost of protection is high upfront, but he said the post-hack cleanup costs could be insurmountable, especially if you have to win back the trust of your clients.
The most common attacks are browser based, Mr. Constable, a digital privacy and security expert said. One common tactic is for intruders to embed malicious code into Java scripts to crash a browser. Remember Heartbleed? According to McAfee Labs, that virus exposed about 600,000 websites to information theft.
Content management sites such as WordPress are easy to use, but they’re also so loaded with code that they become “a pretty big attack surface.” The stats vary depending on the source, but on average one in five self-hosted websites run on Word-Press. It has plenty of tools, but “it also has a lot of loopholes or vulnerabilities that human or bot hackers can infiltrate,” Mr. Seo said, and as good as its plug-ins are, they’re also what can expose users to attack because many are created by independent developers.
Mr. Seo suggests enlisting other servers to be gatekeepers for the server where your data is stored. “Hackers will attack the first layer, first. They’ll determine if it’s clean traffic or malicious traffic.”
Behind the trickery of all the fastaction bots out there is a human cyber vigilante.
“If it’s a serious attack, it’s a real person,” he said. “If it’s a real person, they’ ll be behind an onion network. One second they’ll be in China, the other second they’ll be in Russia in terms of what their IP address looks like.”
Passwords should be at the top of any security checklist and Mr. Constable recommends they be both “hashed” (encrypted) and “salted” (have an extra cushion).
But sometimes even a password won’t protect you. External cyber invasions are not the only threat, Mr. Constable said. The majority come from within a company’s own walls.
“If it’s just founders, there’s little risk. But as soon as you start hiring people, how do you know they’re not doing something malicious with your information? The larger you grow, the bigger that threat vector gets,” he said.
It’s impossible to guard against every possible cyber threat, Cytegic’s Mr. Zandani said. Regardless of how big an enterprise is, the first thing a founder needs to do is evaluate the organization’s most important assets.
“If you’re going to invest to be protected from everything all the time, the only solution is to unplug and to close your business,” he said.
“You need to focus on what is relevant now and to be proactively protected.”
When you are attacked, the damage … is so high maybe it will destroy your business