Verizons annual “Data Breach Investigations Report” includes some sobering findings that show just how pervasive social and political hacking has become. So-called hacktivism was responsible for 58 percent of all data stolen in 2011. Nearly 80 percent of attacks were opportunistic, and most significant of all, 96 percent were avoidable.
The primary motive for external data breaches was financial gaincompanies were hacked to get at credit card or other personal data that could then be used to steal money, secrets or other valuable resources, according to the report.
But thats not whats really scary.
Buried deep within the Verizon report (scroll down to page 61 if youve followed the link above) youll find a section on recommendations, and there youll find a simple pie chart showing that the fixes for 63 percent of all organizations are simple and cheap. Most of the rest are a little harder, but they are still within the capabilities of even the smallest companies.
Worse, the preventive measures are things that security experts have been saying for more than a decade, starting from the days of the first viruses and the first efforts at social engineering to distribute malware.
The simplest solution of allbuy a firewall.
Apparently, small businesses around the world simply havent been paying attention and still havent gotten even the most basic message about security. That message is simple: A firewall makes it harder for a hacker or automated malware to break into your computer, and if its hard to do, then the vast majority of opportunistic hackers will move on to the low-hanging fruit of unprotected computers.
The secondchanging the defaultsis even cheaper because it costs nothing, and the people who sell firewalls have tried to automate the process for you when you set them up.
That means dont use the default service set identifier (SSID) on your wireless router (seeing a router named Linksys tells a hacker that you havent changed anything including the password), turn on WiFi Protected Access (WPA) encryption, and change the password. If you follow the instructions on that one-page getting started poster that comes with wireless routers, the built-in wizard will lead you through all this.
For small businesses, the third step should be a no-brainer, but apparently its not.
POS Systems Are a Weak Spot for Small Businesses
Change the default password on your point-of-sale (POS) system.
This means the computer you use as a cash register and to process credit card payments. Hackers already know the default administrative passwords, and if you havent changed it, then they will break in and steal your customers information, like their credit card numbers. The Verizon people even created a cutout card that people can take to their merchants outlining these steps.
The POS system is apparently a real weak spot for small businesses. Apparently, small businesses dont change passwords, but they do use the devices to browse the Web. Theres never a reason to do this, and if possible, software for accessing the Web for anything other than credit card processing should not be on these machines. While youre at it, you should make sure that whoever services your POS system has it set up so its compliant with the Payment Card Industry’s Data Security Standards (PCI DSS).
Things are a little more complex for larger companies, but that doesnt mean that theyre any less basic. Once again, the list of things to do includes changing default passwords and other security settings. It includes implementing a firewall, which should already be in place in every company, and setting it up properly, and changing passwords on even the suspicion of a breach.
Some suggestions are clearly for larger organizations that have routine calls by service vendors, but these can also apply to smaller business.
For example, you should confirm that the service representative that shows up at your door is actually who they say they are. One way to steal data is to have a fake service call in which the only service is to attach a USB memory stick into a handy USB port and stealing information that they cant otherwise hack into. It helps to insist on scheduled visits from your service vendor. That way, you know that when someone just shows up at your door and says theyre there to service your POS system, you know you can probably send them away, unless you want to call the police first.
I know it sounds repetitive, and I know that weve been harping on these steps for years, but the fact is that theres a reason that virtually all data breaches would have been easy to prevent. That is because people who should be taking steps to protect your companys data arent doing their jobs. None of this is rocket science, and companies that fail to take even these basic steps should be held accountable for their reckless handling of personal information. Likewise, employees who fail to take even these basic steps should have their continued presence in your company evaluated.
Ask yourself: Do you really want an IT guy in your company who cant or wont change your firewall passwords? I didnt think so.