There’s no reason to believe that Kaspersky was the only security software being compromised by Russian or other nation-state sponsored hackers. Because of the depths to which security software may go to search for malware, it’s entirely possible that similar software from other companies has also been compromised.
But as worrying as these revelations are, the next question is whether they really affect you. The disturbing answer is that they likely do. Even if you’re not a government agency or even a contractor for one, it’s important to know that state-sponsored hackers will go to astonishing lengths to steal your data they’re very patient. In addition, they can find patterns in seemingly irrelevant data that can help them reach their goal.
That means that if you run a small business, perhaps a dry cleaners or a hardware store, you can also be part of a state-sponsored hacker’s route for attacking its ultimate target. Just because you don’t do business with a government agency doesn’t protect you.
You might handle the dry cleaning and laundry for the spouse of a government employee and a hack of your records can yield financial information such as credit card numbers. It can also provide information on the activities of that spouse that can yield intelligence benefits when combined with other information from elsewhere.
If you do business with the government, then you’re a potential pathway for hacking into that agency and a possible route for exfiltration. Unless your connection to your government customer is secure enough, you could be the weak link that lets the bad guys in.
As you might expect, it can get worse. A breach of your own customer records is a problem that concerns you directly. Whether it’s a breach of convenience while the hackers are going after the next step up the line, your customer records, credit card numbers and have still been compromised. Or it may be that the breach is being used to cover up the larger breach of your government customer.
There are things you can do. One is to keep your customer data divided into different databases, so that no single breach will yield everything. Another is to require higher level of permissions to access certain types of data, such as credit card numbers.
You can also encrypt as much of the data as possible. At the very least, the wide use of properly configured encryption will slow the hackers down enough that they’ll be encouraged to go elsewhere.
And going elsewhere may be the best you can hope for. It’s unlikely that a commercial enterprise can stand forever against the concerted attacks by a state sponsored hacker, but at least you can send them to some other company. That might give you time to get out an alert, and to further lock down your files—and that’s far better than nothing.