The Truth is…If They Want Your Data, They Can Take it!
As a partner in a local Managed Service Provider Company, I get asked all the time questions like; “why do companies get hacked” or “why would a company/city pay a hacker to get their data back” and even “how can someone get hacked”?
The short answer is a lack of understanding or that their company even has exposure to hacking. As a result, those companies are not acting responsibly with the appropriate levels of data protection and back up in place.
The truth is, if someone really wants to hack your company and get to your data, THEY CAN. Everyone and everything are hackable and there is really nothing you can do to stop it. Ok, now that we have scared the hell out of you, as well as possibly frustrated you and the efforts you have taken, let’s examine the root of that answer.
Look at it this way; How many times are you told to lock the doors of your car and home to keep thieves out? Daily, weekly, monthly? Do you listen? Do you think that does not happen in your neighborhood? Has it never happened to you?
Here are some amazing stats:
- 92% of car break-ins are on “unlocked” cars
- Homes without an alarm system are 300% more likely to get burglarized
- 83% of burglars admitted they are specifically looking to see if there is an alarm present, 60% of those say they would change their mind and move on if they see a system in place.
So, what do those stats tell us? That if you do nothing, then something is going to happen to you.
The above holds true with data protection as well. We see every day small to mid-size businesses that do nothing to protect their networks and data. Here is one of our real-world examples;
We were asked to come visit a potential client regarding managed services. During our visit/review we were told the following facts:
- Roughly half of their computers were employee owned and taken back and forth between home and office daily.
- Comment; “we have a server, but have no idea what is on it or when it was last accessed”
- All employees use their personal phones for work purpose
- “We don’t need backup services”, because we share all our files between us, so everyone has a copy.
- “we have used an MSP in the past, but cannot recall their names, and certainly do not know how to reach them.”
So why would any of those comments be alarming? Well that potential client is a financial service provider, you know, the folks that handle your investments, retirement, bank accounts? They store account numbers, social security numbers for entire families, investment information, addresses, birthdays, birth records, etc.
While this is a long standing and reputable firm, their feeling is that they are too small to attract hackers and simply do not understand the repercussion of what would happen if hacked. Look at it this way; let’s say your parents are elderly and you have taken on the oversight of their finances. Would you feel safe in taking all their financial records, your records, account numbers, birth certificates etc., then storing them in the front seat of your unlocked car sitting in your driveway? Of course not! You would laugh at the mere suggestion of someone doing that. I bet I can hear you now, “well if you were dumb enough to do something like that, then you probably got what you deserved”. Am I wrong?
So, then why would you feel safe in storing those same documents on an unsecure pc or server/network?
People just don’t look at those things in the same way. They tend to tell us, just as this potential client did; “we don’t need all that fancy stuff, price is our main concern.” Wow! Tell me again, how much is your business and professional reputation worth?
I am not using this example to embarrass anyone, rather to show a small business that has had long standing success, started and managed with very intelligent people, just do not understand what can be done to better protect their data and business.
So, what can I do?
First, have a data backup service in place, be it on-site, off site or preferably a hybrid of both. Under this suggestion, you need to determine several keys factors:
- Data back up or full application backup?
- How often do I need to back my information up?
- How do I restore from a backup and how long will that take?
- Do I need to constantly back up everything, or are their elements that I can archive off and store securely for when I do need access?
Secondly, who needs access to your data and why?
- All employees to all data?
- Segregated access based on function?
Thirdly, this is not about trust. Meaning if you do not allow your employees to utilize personal devices for work purpose, be it a laptop, desktop, cell phone, that does not mean you do not trust them.
Here is another real-world example of what I am talking about:
One of the most growing trends for the hackers is to come to your company web page, review things like your “about us” section. Gather names and titles, as well as whatever else you are saying about yourself and your employees. Well what does that matter?
It matters a lot! Last year we had a client that incurred a very large loss of money as a result of being “hacked at arm’s length” as I call it. This client was a closing office for real estate transactions. Long standing, very good and very open regarding their employees. A hacker scanned their web page, gathered the names of several closing agents employed by their office, then walked away without touching their network.
Ok, so what’s the harm in that? Well nothing at all. Where the issue arose was, those same hackers then went out and found those same individuals personal email accounts, yep the same Gmail, Yahoo, etc., that everyone uses at home. Those hackers then through phishing campaigns, then hooked someone through a bogus email. So how did that work? Those hackers sent the almost irresistible email possible. The supposed Amazon update on their order. You know the ones, that say, “click here” for an updated status on your package delivery? Those are like candy to most people and cannot be ignored it seems. This closing agent clicked on that link and of course nothing happened. Well at least as far as they could see.
Actually, a lot happened. Through that link, the hackers gained control and access of this person’s home email without ever being noticed.
The hackers then sat back and watched, waiting, doing nothing, just waiting for their chance. That chance finally came one day several weeks later, when this closing agent was running behind on getting things done at work. So, what did they do? The same thing we have all been guilty of, started sending work emails to their home email address so they could be worked on from home. Good employee working hard right? Well maybe, but also an open door to a tragedy.
This closing agent sent home a closing package that contained property seller and buyer information, email addresses, closing dates, property information and closing instructions. BAM! Hacker heaven!
Next the hacker sent an email to the property buyer with closing instructions from this agent. Everything looked legit and correct to everyone. So much so, no one noticed the change in wiring instructions. The agent never knew it happened, no one called to confirm the instructions, no one thought to check the sent folder from their personal email account. No one was in the loop except the person that received the wiring instructions and the hacker.
The story ends as you expect. The buyer did as instructed, they wired $250,000 cash from their bank account and went to the closing. Only when they were asked at closing about the funds did everyone start to see what had happened. The money had been wired to an off shore account which was then drawn and closed rapidly. The buyer was out the cash and could not buy the home. The seller was out the sell and now stuck with their new house and the one they thought they were selling.
While the aforementioned story is horrible, sad and maddening, it is true and it happens every day.
Fourth, what is my security plan and how do I manage it?
I share all of this not to scare the hell out of you, but hopefully to make you think. Take pause and ensure that you are comfortable with the way things are in consideration to your network and data security.
Through the next several weeks, I will walk through some of the finer points outlined above. Offering suggestions of whom to speak with, measures to be taken, testing that you can do yourself, as well as ideas for training your employees.
As mentioned, ultimately you cannot stop a hack. The question becomes how difficult are you trying to make it for hackers? How will you recover should it happen? Ultimately, are you really still comfortable leaving your car unlocked?
For more immediate tips and a free walk through of your network, contact us at 904.351.8101, or shoot me a note.
Jim Satterwhite
CEO, Venture Pointe, Inc.
Jim.Satterwhite@venturepointe.com