Last month, ProSales editor Craig Webb spoke with an IT executive at a major LBM operation who has more than 30 years’ experience dealing with technology and the threats that can come through it. The executive asked to remain unidentified to protect his company from becoming a target for cyberattacks. Here, in his words, is advice from “Mr X.”
The first thing to keep in mind is that the world of cybercrime is a very scary place. In terms of hacker groups, you’ve got everything: bored teenagers, the “Kilroy was here” entity [seeking recognition], and the mafia-type gangs. So for a small or midsize company, it can be intimidating. And the recent data breach at The Home Depot has really brought it to the fore.
To shore up a good defense, it’s important to step back, take a deep breath, and view the risks from an unemotional point of view. You can never be 100% safe. If there are certain people who really want to target you, they can get access. But what they get after they get access is another question. The realization that you can’t stop 100% of everything is what you need. Think about what you have that’s valuable to a hacker:
- Use of your technology. Many hackers want to use your technology as a launching point for attacks. It’s like renting without having to pay. They’ll hit other people with denial of service or as a relay point for spam.
- Theft of personal information. This one—taking personal information from your customers and employees—gets the most press and is perhaps the most damaging to reputation. Credit card numbers are the big assets, but hackers also look for Social Security numbers and email addresses. They’ll then use that information to send viruses.
- Theft of banking transactions. This is something that increasingly gets the mid-size and small guys. Hackers are trying to infect the machine you use to get to your banking website. They’re trying to intercept account numbers and passwords and to initiate unauthorized transactions.
- Intellectual property. The final thing that hackers are looking for is stuff like product design, sourcing, and strategies.
Once you understand what you have that makes you a target, you can identify what you should protect and how much you should spend to defend yourself. How valuable is your stuff to a bad guy?
Credit card data is generally the most valuable and the most typically targeted information. My advice: If you don’t have to process credit card transactions, you shouldn’t. It’s better not to have a credit card number at all. But for the average lumberyard, that’s not an option.
Once you say “I’ve got to take credit cards,” the next thing is to find a way to not store card information. If you don’t have it, it can’t be stolen. Make sure that you’re just passing that information along. A lot of people store data in order-entry systems to handle disputes, but that’s not a good option.
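One practical way to act on the “if you don’t have it, it can’t be stolen” point is to scan the free-text fields of an order-entry system for card numbers that staff have typed into notes, and mask them down to the last four digits. The script below is an added example written for this article, not code from ProSales or from Mr X’s company; the order notes are constructed sample data, and the 13-to-19-digit pattern plus Luhn check is a generic detection heuristic, so invoice and PO numbers that happen to be long digit runs are left alone.

```python
import re
from typing import List, Tuple

# Constructed sample order notes (not real customer data). Note 1 holds a
# well-known test card number; notes 2 and 3 hold long digit runs that are
# not card numbers and must not be touched.
SAMPLE_NOTES = [
    "Customer disputed delivery; paid with 4111 1111 1111 1111 exp 12/26",
    "Call back re: invoice 5555-4444-3333-2222 (not a card, just an invoice no.)",
    "Delivered 40 sheets drywall, PO 1234567890123",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the card-number-looking spans in text that pass Luhn."""
    hits = []
    for m in CARD_LIKE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def redact(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number to its last four digits.

    Returns the cleaned text and how many numbers were masked.
    """
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # invoice/PO number: leave as is
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_LIKE.sub(repl, text), count


if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        cleaned, n = redact(note)
        print(f"{n} masked: {cleaned}")
```

Run it over an export of the notes table before deciding whether a purge is needed; a non-zero count on the first line shows why storing cards “to handle disputes” is the wrong trade, since the dispute can be worked from the last four digits and the processor’s transaction reference instead.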
My advice for a company that’s considering whether or not to accept credit cards would be to hold off. Why? The Home Depot data breach may be the straw that breaks the camel’s back in terms of American banks adopting European-style credit cards that have embedded chips with associated PIN numbers. I would wait to see if they’ll mandate that change.
Once you’ve evaluated what you have that’s worth stealing, assess how to protect it. Focus on the fundamentals: Use a decent firewall and make sure that your staff is using passwords more complex than just “123456.”
As for wireless security, it’s important to have your wireless network encrypted with the best standard. Keep all of your computers and servers patched with the latest security updates.
Those are the basics. You wouldn’t believe how many companies—even the larger ones—fail to cover the basics.
I’ve discussed banking breaches, as well as hackers using malware to interfere with your communications with banks. Whatever computer you use to get on your banking website, don’t do anything else on that machine. This separation limits the chance that the machine will become infected. You need a bit of desk space, but trust me, it’s worth it. When thieves get to your bank account, that’s a major hassle—even worse than credit card break-ins. Banks are less willing to rectify a problem.
Again, it’s important to teach your employees the basics: Don’t go to a website that you wouldn’t want your wife or mother to know you’ve seen, and be cautious when opening attachments. If you have the tiniest shred of doubt, don’t open that attachment. Ask the sender if they sent it.
A lot of free applications have malware. That’s the lure. Many times, the app in question may rank high on Google. As long as your staff is only dealing with the main app stores, like Google Play or iTunes, they’re fine. Most of the bad apps that I read about come from less reputable stores.
Watch the hyperlinks in email. Places like UPS, FedEx, and the U.S. Postal Service are increasingly being spoofed. Copy the tracking number and then go to the website. Anything that says it’s coming from the government, like the Postal Service or the IRS, won’t have attachments.
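The spoofed-carrier warning above can be turned into a simple check that a mail gateway or a helpdesk script could run: pull every link out of a message, compare the link’s real host against the carriers you actually deal with, and flag links whose visible text claims one address while the href goes somewhere else. This is an added example for this article, not tooling from Mr X’s company; the allow-list holds only the carriers named in the text and would be extended with your own vendors, and the email body is constructed sample data using reserved example addresses.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allow-list: the carriers named in the article. Extend with the
# domains of your own bank, vendors and software providers.
TRUSTED_DOMAINS = {"ups.com", "fedex.com", "usps.com"}

# Constructed phishing-style sample. Link 1 uses a lookalike host under a
# reserved .example domain, link 2 is a genuine carrier host, link 3 points
# at a bare IP in a documentation range (TEST-NET-2).
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<a href="http://ups.com.tracking-update.example/redir?id=1">https://www.ups.com/track</a>
<a href="https://www.fedex.com/fedextrack/?trknbr=123456789012">Track on FedEx</a>
<a href="http://198.51.100.7/usps/login">USPS tracking</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # Exact match or a real subdomain; "ups.com.evil.example" does not qualify.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_links(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host):
            reasons.append(f"host {host} is not on the trusted list")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The check deliberately never follows a link; it only reads the address, which is the same habit the advice asks of staff: take the tracking number from the message and type the carrier’s site yourself.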
The bottom line: You can’t be paralyzed by all the horror stories out there. In the end, you’re weighing your risks against the cost of mitigating those risks. Once you accept that, it becomes classic risk management. The kind of fundamentals discussed here are not expensive, and yet they cover 90% or more of the breaches, maybe 99%. Because what they do is attack the fundamentals.