I’ll never forget the morning I woke up and discovered that my website had been attacked. It was an embarrassing moment that also had me feeling violated. Why hadn’t I taken the extra steps to ensure that my site wouldn’t get attacked? Why would someone do this to me and my small business?
I’m a startup, just like a lot of the people reading this post.
After I got over the initial shock and woe-is-me moment, I had to start getting to work to repair all the damage that had been done. That action in itself was another headache that I’d prefer not to get into right now.
The fact of the matter is that I am not the only one who has had to deal with this experience. Far from it. Countless startups and businesses of all sizes have been attacked.
But, startups seem to be frequent targets when it comes to cyber attacks.
In 2015, companies like Snapchat, Twitch, and Slack all made headlines for being attacked. The common consensus was that startups have made themselves targets. Even more important for myself and everyone else reading this, nobody is really safe from an attack. Eventually it’s going to happen in some form to you.
Tripp Jones, a general partner at the venture capital firm August Capital, told The New York Times’ Bits blog that “When a company reaches a certain size or notoriety, it’s going to get hacked.
“Unfortunately, until someone comes up with a better way, the battle has shifted to identification, containment and damage mitigation.” Jones also added, “It’s a big, big problem.”
It’s not just the startups who have gained notoriety who have been attacked. Lesser known startups have also been victimized by hackers.
Stephen Cobb, a senior security researcher at antivirus software company ESET, says that startups and small businesses are targeted because they fall into hackers’ cybersecurity “sweet spot.” This means that they have more digital assets, such as client payment information, than the average individual, but they also have less security than larger enterprises.
Tower Insurance also backed this statement up by discovering that “60 percent of targeted attacks in 2014 struck SMEs.” (Small to Medium Enterprises.) Besides lack of security, small businesses are not as informed nor as prepared for an attack. In fact, an astounding 97 percent of smaller companies have not prioritized security.
Even more troubling, 82 percent of respondents believe that they won’t be targeted. Network security is also among the top five concerns that businesses are investing in this year. I get asked about blockchain security all the time; even it has its problems. We’ve found that even cryptocurrency has had significant problems that need to be addressed. Most of these attacks can and should be avoided.
Startups generally lack the funds it takes to defend themselves from cyber attacks, which is why it’s imperative that your startup has a disaster recovery plan to handle a security breach.
How attacks happen
It’s important to understand how security breaches happen. In most instances, it’s because of one of the following reasons:
- Default or easily guessed usernames and passwords that give access to publicly accessible administrative panels or VPN access into a corporation’s network.
- A flaw in the operating system or software that makes it vulnerable to a breach.
- Social engineering attacks via phishing emails containing a malicious link or attachment.
Once inside a business’s network, the attacker’s next goal is to gain persistence and elevate privileges.
They ingrain themselves so that they blend in with the rest of the “noise” on the network and go undetected. Attackers will then perform reconnaissance to understand the day-to-day internal operations of an organization and where sensitive information is stored.
Depending on the overall objective, the attacker could spend a short time inside the network until they obtain the data they want, or use the network to tunnel their traffic and launch an attack against another organization.
This makes it much harder to attribute an attack to its true source.
Protecting your startup
Cyber attacks aren’t just an annoyance. They can be a costly threat to your company.
How threatening? Well, research that was conducted found that cyber attacks “cost small and medium-size businesses an average of $188,242, and almost two-thirds of victimized companies are forced out of business within six months of being attacked.”
You can protect your startup by implementing the following measures immediately:
Create a cyber security plan
Does your startup have a cyber security plan? If not, you’re not alone. Since a majority of startup owners believe that they’re safe from cyber attacks, why would they bother creating and managing such a plan?
Just as you would in most other aspects of your business, you should always have a plan in place that can guide you when the worst-case scenario occurs.
To create your cyber security plan, focus on these five simple steps:
- Identify the information that needs to be protected, such as all of your accounting records and client information.
- Protect your information by implementing two-factor authentication, patching systems, and locking employee devices and your network.
- Install tools, such as anti-malware and antivirus protection, that will detect threats and monitor your systems.
- In most cases, the software used to detect any threats will also respond to any threats automatically. If your software doesn’t take care of a threat automatically, then make sure that you have a standard operating procedure in place to squash any further issues that may occur. Consider updating your software.
- Also include a disaster recovery plan that addresses “what tools, actions or partner will be responsible for recovering systems and applications.”
- Next, I like to have someone familiar with the site, architecture and security behind the website who can help you out if and when you get hacked. This is someone who will help you at a moment’s notice and is familiar with how things should be.
Remember, even those startups and businesses with top-notch security are vulnerable to breaches.
Having a plan in place to handle these breaches will soften the blow, limit how far your business is compromised, and give you the power to bounce back quickly.
Educate and train employees
Steve Cullen, senior vice president of worldwide marketing SMB and Cloud at Symantec, tells Entrepreneur, “You shouldn’t be the only one vigilant about protecting you and your customers’ information.” Cullen adds, “Your employees should all be on the lookout, and you as a small-business owner should be there to give them some guidelines.”
Share your cyber security plan with your employees, as well as a written policy about data security which outlines acceptable online behavior and limitations on usage of personal devices on the company’s wireless connection. Have frequent security meetings and keep employees up to date on the latest security threats.
In an interview, Brady Bloxham, President of PhishThreat, mentioned that “Realistic threat simulation is key to achieving success in a security plan. Just telling our employees to be aware of phishing emails isn’t enough. We need to train them through realistic attack scenarios what to look for.”
Encrypt your data
Cullen also says, “Anytime you’re storing important data, when the data is at rest — which means it isn’t being transmitted over the internet somehow — you want it encrypted.” This data includes everything from bank routing digits and credit card accounts to employee social security numbers.
You should also consider encrypting your and your employees’ emails, especially if you are transmitting sensitive information. Many of today’s large email providers give organizations the ability to implement email encryption. Going one step further, organizations can consider using a service like Silent Circle to encrypt text messages and phone calls.
If you’re new to encryption, Slate describes it this way:
“In simple terms, encryption relies on mathematical algorithms to protect the security and integrity of data as it is transmitted or stored on devices. Encryption is the process of combining the contents of a message (“plaintext”) with a secret password (the encryption “key”) in such a way that scrambles the content into a totally new form (“ciphertext”) that is unintelligible to unauthorized users.
“Only someone with the correct key can decrypt the information and convert it back into plaintext. Encrypting data doesn’t stop someone who is not the intended recipient of a message from intercepting it—but it helps ensure that he won’t be able to decipher it if he does.”
Follow best security practices
While having a plan, educating employees, and using encryption are all ways to prevent threats, you should also practice the best security techniques such as:
- Don’t rely on just any passwords. Use two-factor authentication or biometrics instead. If you do use passwords, never reuse the same password and make sure that they’re unique.
- Use separate devices for personal and professional use. For example, don’t check your personal Facebook page on the company phone, tablet, or computer.
- Secure everything from your browser and operating system to your router. Don’t forget to also secure your hardware, for example by being able to shut down your smartphone remotely if it is lost or stolen.
- Outsource payment processing to a researched and reputable vendor.
- Do your homework when selecting vendors. For example, when dealing with ecash or selecting a credit card processor, make sure that they comply with all Payment Card Industry Data Security Standard (PCI DSS) requirements.
- Avoid using public Wi-Fi networks. If public Wi-Fi is your only option, use a VPN service to encapsulate and encrypt your traffic.
- Encrypt all of your backup data as well, and keep it off-site.
Finally, make sure that encrypting your data doesn’t impact any of your security products.
Cisco’s Gavin Reid suggests that you “gather headers and other non-encrypted parts of the data stream and combine it with contextual information and analyzed encrypted traffic to pinpoint signs of malicious activity.”
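One way to apply Reid’s suggestion, shown as an added example that is not from the original article or from Cisco: the Python code below uses only unencrypted flow metadata (timestamp, source host, TLS server name) together with a list of known business destinations to flag hosts that contact an unfamiliar destination at near-constant intervals. The flow records, host names, allowlist, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Contextual information (assumed): destinations the business is known to use.
KNOWN_DESTINATIONS = {"mail.example.com", "payments.example.net"}

# Constructed sample flow records: (epoch_seconds, source_host, tls_sni, bytes_out).
# Only unencrypted metadata is used; encrypted payloads are never inspected.
SAMPLE_FLOWS = (
    # Unknown destination contacted roughly every 300 s with small jitter.
    [(1000 + 300 * i + j, "laptop-7", "cdn-sync.example.org", 512)
     for i, j in enumerate([0, 2, -1, 1, 0, -2, 1, 0])]
    # Equally regular traffic, but to a known business destination.
    + [(t, "laptop-7", "mail.example.com", 4000) for t in range(1000, 3400, 300)]
    # Irregular, human-looking browsing to an unknown destination.
    + [(t, "desk-2", "news.example.org", 90000)
       for t in (1010, 1075, 1900, 2030, 3300, 3310)]
)


def find_beacons(flows, known=KNOWN_DESTINATIONS, min_conns=6, max_jitter=0.1):
    """Return [(src, dst, mean_interval, jitter)] for unknown destinations
    that a host contacts at near-constant intervals (automated check-ins)."""
    times = defaultdict(list)
    for ts, src, dst, _bytes_out in flows:
        if dst not in known:              # context: skip expected business traffic
            times[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_conns:       # too few connections to judge timing
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg       # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append((src, dst, round(avg, 1), round(jitter, 3)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

The regular traffic to `mail.example.com` is ignored only because it is on the allowlist, which is the contextual information doing its job; timing alone would have flagged it.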