The high-profile hackings of Target, Sony Pictures, and other major corporations has led some executives to tighten up their security—but that might not be enough to spare their infrastructure from intrusion. What can you do to prepare for a possible hack, and—if the unthinkable occurs—what’s the best way to handle the aftermath?
The statistics are depressing. In late 2013, the National Cyber Security Alliance reported that 20 percent of small businesses are targeted by cybercriminals every year, and that 60 percent of those attacked go out of business within six months of the breach. There’s no reason to think those percentages have declined in the past year and a half; if anything, the increasing sophistication of malware and social engineering means that hackers have an even larger tool kit for unleashing havoc.
While small companies make tempting targets, breaching a major corporation offers the tantalizing possibility of huge databases stuffed with sensitive information. A small but dangerous subset of hackers are extremely patient when it comes to hunting big game, often spending quite some time working their way through layers of corporate defenses. When hackers penetrated the Office of Personnel Management (OPM), accessing millions of records, they may have spent months inside the agency’s systems.
In the OPM’s case, infrastructure based on decades-old technology may have hobbled its tech pros’ ability to keep intruders out. Whatever the age of a company’s technology, however, some basic steps can help prevent intruders from breaking in—and if they do, (hopefully) keep the damage to a relative minimum:
If there’s one element uniting some of the most high-profile hacks of recent years, it’s the tendency on the part of employees to not only create too-simple passwords, but to use those passwords on pretty much every device and system under their control. Educating employees in good password habits is a vital first step toward keeping everything locked down. (And if you’re using “Passw0rd” as your password, switch it now.)
Test Your Security
If you have the budget, consider hiring a “red team” who can test your company’s defenses. If they have trouble penetrating your security, it could validate your spending in that area; if they slice through your gates like the proverbial hot knife through butter, then you’ll learn a bit more about what you need to make things secure.
Beware of BYOD
While Bring Your Own Device (BYOD) has saved many organizations money, it also creates a tempting vector for attack. Make sure that your teammates and employees are practicing good security hygiene with regard to any (and all) devices on which they conduct business, including passwords and solid encryption.
If your systems are hacked, panicking will just make things worse. Instead, make sure you have a cybersecurity plan in place before anything bad happens; update that plan periodically.
Be Careful What You Put on a Network
In a recent interview with the Harvard Business Review, Sony Pictures CEO Michael Lynton advised companies to consider whether something belongs on a company system.
“Everything that’s up on the network is by definition susceptible to a breach,” he told the journal. “It’s complicated, because ease of communication and access to data are part of what makes business operations run efficiently. But the more you have up there, the more vulnerable you are to hacking.”
Words to live by, especially if the information you hold is particularly sensitive.