Cyber Security: Are You Safe from Hackers?
One of the things that makes the green industry unique is how insulated it seems to be from the sweeping changes that new technologies have brought to other industries.
The lion’s share of our work is all done outdoors, away from the desk, and while many landscape companies have busy back offices, they exist to support the men and women in the field.
Some landscape contractors can be slow to adopt new technologies, so it’s tempting to think that we’re also immune to the dangers of digitization. We may have to worry about equipment maintenance, water restrictions and labor costs more than other businesses, but at least the hackers are too busy targeting Facebook and Google to come after us, right? Wrong.
Collecting data on cyber security is a tricky business, because many victims of cyber attacks don’t report them, to protect their reputations. However, the 2016 Internet Security Threat Report, recently published by cyber security company Symantec, found that 43 percent of last year’s phishing attempts targeted small businesses, compared to only 18 percent in 2011.
The Symantec statistics line up with a widely reported trend in the cyber security industry that small businesses are being targeted more and more by professional hackers. Many businesses don’t realize all the ways they are vulnerable, and even those that are aware often don’t take the necessary steps to protect themselves.
Ignoring your company’s digital security measures can be just as disastrous as ignoring your company’s physical security. So we’re going to go over a little Cyber Security 101, talk about how to recognize some common threats, and cover a few security measures that you can implement overnight to protect your business.
That starts with a clear evaluation of what you have that a hacker might want. “There’s certainly potential for the loss or theft of customer information,” said Kevin Stine, chief of the Applied Cyber Security Division at the National Institute of Standards and Technology (NIST) Information Safety Lab.
“That can have an impact on your reputation; it can mess up business opportunities as you deal with the fallout, and it can even impact your suppliers.”
Do you keep any customer information in your system, like names and addresses, or credit card info? What would happen to your business if this information was stolen or corrupted? How long would you be able to keep going if you could not use any of your company’s computers?
Hackers might encrypt all your hard drives, and then ransom your computers back to you for a fee paid in anonymous Bitcoin (digital currency). While they’re at it, they might take your information and sell it, damaging your company’s reputation and potentially opening you up to liability. Not to mention that paying the ransom does not guarantee you’ll get your data back.
There are a lot of possible vulnerabilities out there, but the good news is that you don’t have to worry about absolutely everything. Cyber criminals are playing the averages, so they might be spamming three million addresses every week, expecting only one percent of them to pay off. If your system successfully wards off an attack, it isn’t likely that the same person will try you again.
Of course, there are exceptions to that rule. If you’re a sizeable company or you serve the top end of the market, you’re a bigger target, and you may be worth a little extra effort. Some hackers take a ‘personal’ approach, and try to trick their way into your network the old-fashioned way, by convincing someone to let them in.
In cyber security circles, this is known as ‘social engineering’ and it works, because employees often don’t realize how low-key an intruder can be and still gain access.
Plugging an unknown USB key into a computer, connecting to the office WiFi, or noting the username and password that your office manager has taped to his monitor are all examples.
Stephen Cobb, senior security researcher at ESET North America in San Diego, California, says that one of the most common cyber attacks is wire fraud. In wire fraud, one of your employees receives an email that looks like it’s from you, asking them to wire you money urgently. “If it only takes one person to issue a wire transfer from your company and you don’t have to sign off on it, then somebody can be panicked into doing the wrong thing,” he said. “The FBI puts out warnings about this, because hundreds of millions of dollars are lost this way every year.”
According to the FBI’s most recent estimates, in the past three years, there have been more than 40,000 attacks using compromised business emails. The total cost of these attacks is estimated at $5.3 billion worldwide.
At this point, you may be feeling a bit paranoid, as if it’s only a matter of time until you suffer a loss, but there’s some good news. First and foremost, while there is a large industry devoted to attacking, there’s an even larger industry devoted to defense.
Both software and hardware manufacturers have a strong vested interest in making sure their products are secure. If a company gets a reputation for its products being full of vulnerabilities, then people will stop using them. The largest companies find and patch security holes within hours of the first hacker exploiting them.
Plus, with cyber security, as with regular business security, your system doesn’t have to be totally impregnable for you to be safe. After all, locking up your business at night, keeping valuables out of sight, and installing security cameras will not stop a determined burglar. However, enough security will deter most, and they will likely move on to easier targets.
Firming up your digital security isn’t hard, and a few simple steps can go a long way toward avoiding a serious problem. A good place to start is making sure that all of your software is up-to-date. If a program has missed a security update, that means there is a known vulnerability in the software, and it could be hacked.
“Something we see in small businesses is that they buy computers with an anti-malware program on them, but the owner doesn’t realize that the program hasn’t been updated for a year, and it’s not active anymore,” said Cobb. If it’s not up-to-date—or even turned on—it isn’t doing you any good.
It’s also worth noting that many free anti-malware and anti-virus programs are only intended for personal use, and the license agreement prohibits using it to protect your business. Paying for anti-malware, on the other hand, typically gives you access to customer support, so you’ll have someone to call if things go wrong.
Most software updates automatically so long as the device it’s installed in has an Internet connection, but it’s worth making sure, even for software that you don’t use a lot. Just because you aren’t using a bit of software doesn’t mean it can’t be hacked, and a hacker may be able to escalate that access to gain full control over the device.
That risk has been highlighted in recent years by attacks on gadgets which have onboard WiFi, known collectively as the Internet of Things (IoT). Last year, a botnet (a collection of Internet-connected devices that are infected and controlled by a common type of malware) took down a DNS service on the East Coast; DNS is an important structural component of the Internet. Popular services like Twitter and Netflix were down for several hours.
Web-enabled smart controllers are part of the IoT, and Cobb has some advice for contractors in search of safe controllers. “You’ll want to ask what services are running on the device, because nonessential services are a common angle of attack. There have been a lot of attacks on cheap DVRs, because a number of the manufacturers left the telnet service running on them, and that’s very insecure.”
It’s also worth asking if the device connects straight to the Internet with its own IP address, or runs through a router. A router provides its own layers of protection, so a device that can connect without one will need an extra layer of protection. The biggest red flag though, is a hard-coded password. “You might ask why anyone would do that, but some manufacturers put them in as a backdoor, for upgrades or maintenance,” he said. A backdoor for the manufacturer can be used by a hacker as well, and because it’s installed on many devices at once, the hacker is more likely to find it.
Once hackers get into a system, they will usually try to escalate their privileges, gaining full control over that computer and then over any computers networked to it. This escalation usually results from a failure of the software’s design to follow what is known in IT circles as ‘the principle of least privilege.’
The idea is that a program should only have access to the things it needs to run. The calculator on your phone shouldn’t be trying to access its camera or your passwords. That way, if there’s malware that can take over your calculator, it will only be able to calculate, not give a hacker your passwords.
The principle of least privilege applies to anyone with access to your computer systems as well. If you wouldn’t let a new hire drive one of your trucks, why would you let him use the computer that has your billing information on it? There are good reasons for your foremen to have access to your office computer, such as to verify employee timecards and go over work schedules. But there’s no reason why they should have admin permissions on that machine, which would allow them to install software.
Some of your employees may take a change in permissions as a sign that you don’t trust them, or that you think they’re goofing around and playing solitaire when they should be working. So, it’s a good idea to make it clear why you’re doing this, and tell them how a hack could affect the company, and everyone’s livelihoods.
That talk is an excellent opportunity to encourage them to practice good security habits as well. After all, the best security software in the world can’t protect you from yourself. Threat awareness is a key component to any cyber security program.
There’s a good chance you’ll find that your employees will jump at the chance for a little cyber security training. Everybody has security concerns on their own machines, or gets suspicious emails, and getting a solid grounding about what is and isn’t safe will make them feel better at home as well as at work. NIST and ESET both offer free online learning tools for small businesses, and it’s worth asking your anti-malware provider if it does as well.
Most people know not to open any email attachments if they look even a little fishy, or not to download anything from a pop-up window. However, they might not know to check the URL, and make sure they’re logging into ‘wellsfargo.com’, and not ‘wellsfargo.us’. The first is correct and proper, but the second is likely to be a phishing site, designed to snag your bank credentials.
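One way to put the address-bar check into practice, as an added example that is not part of the original article: the function below pulls the host out of a link and accepts it only when it is the expected domain or a subdomain of it. The trusted domain list and the sample look-alike links are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed example: the domains this business actually logs into.
TRUSTED_DOMAINS = {"wellsfargo.com"}

def host_of(url):
    """Return the lowercased host of a URL, or None if there is no usable host.
    Userinfo ('user@'), port and path are ignored, which is exactly where
    look-alike links hide their real destination."""
    url = url.strip()
    if "://" not in url:          # a bare 'wellsfargo.com/login' typed without a scheme
        url = "https://" + url
    try:
        parts = urlsplit(url)
    except ValueError:            # malformed input such as an unbalanced IPv6 bracket
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").rstrip(".")
    return host or None

def is_trusted_login(url, trusted=TRUSTED_DOMAINS):
    """True only when the host is a trusted domain or a subdomain of one.
    'wellsfargo.us', 'wellsfargo.com.example.net' and 'wellsfargo.com@evil.example'
    all fail, because the trusted name must be the END of the host."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)

def classify(urls, trusted=TRUSTED_DOMAINS):
    """Map each URL to 'ok' or 'suspect' for a quick staff-training walkthrough."""
    return {u: ("ok" if is_trusted_login(u, trusted) else "suspect") for u in urls}

if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest modelled on common look-alike tricks.
    samples = [
        "https://www.wellsfargo.com/login",
        "https://wellsfargo.us/login",
        "https://wellsfargo.com.account-verify.example/login",
        "https://wellsfargo.com@evil.example/login",
        "https://evil.example/wellsfargo.com/login",
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:8} {url}")
```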
While we’re on credentials, having a strong password is also important. I can hear you groaning now, but don’t worry, this is not going where you think it is. You probably already know the rules for creating strong passwords: longer than eight characters, with upper and lowercase letters, at least one number and at least one symbol. Funnily enough though, ‘strong’ passwords are only marginally harder to crack than easy passwords, and they’re much harder to remember.
The better solution is to use a passphrase. Consider these two passwords: ‘@Bo9#N4(A7)Ow9Ke’ and ‘eat 2 squirrels heavily under chartreuse candy buttresses’. The first password is hard to crack, true, but it’s longer than any other password you’ve ever used and it’s difficult to type. The second password, which is actually a passphrase, is pretty easy to type, memorable, and harder for a computer to guess than the first one.
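The comparison above carried through as arithmetic, as an added example that is not from the article: entropy in bits for a string of random characters versus a phrase of random words. The vocabulary sizes (7776 words as in a diceware list, 20000 as a broad English vocabulary) and the guess rate are constructed assumptions, and the block also computes how many words are needed to match the 16-character string under each assumption, since that is what the answer turns on.

```python
import math

# Assumed alphabet and vocabulary sizes; constructed for this example.
FULL_PRINTABLE = 95       # upper, lower, digits and symbols (printable ASCII)
DICEWARE_WORDS = 7776     # size of a standard diceware word list
BROAD_VOCABULARY = 20000  # a generous active English vocabulary

def password_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size` symbols.
    This is an upper bound: a human-chosen 'rules' password is far more predictable."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, vocabulary_size):
    """Entropy in bits of `word_count` words chosen uniformly from `vocabulary_size` words."""
    return word_count * math.log2(vocabulary_size)

def words_needed_to_match(target_bits, vocabulary_size):
    """Fewest random words from `vocabulary_size` that reach at least `target_bits`."""
    return math.ceil(target_bits / math.log2(vocabulary_size))

def years_to_exhaust_half(bits, guesses_per_second=1e10):
    """Expected brute-force time at an assumed offline guess rate (constructed figure)."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    random16 = password_bits(len("@Bo9#N4(A7)Ow9Ke"), FULL_PRINTABLE)
    phrase = "eat 2 squirrels heavily under chartreuse candy buttresses"
    n = len(phrase.split())
    rules8 = password_bits(8, FULL_PRINTABLE)
    print(f"16 random printable characters: {random16:.1f} bits, "
          f"~{years_to_exhaust_half(random16):.2e} years at 1e10 guesses/s")
    print(f"8-character 'rules' password (best case): {rules8:.1f} bits, "
          f"~{years_to_exhaust_half(rules8):.4f} years")
    for vocab in (DICEWARE_WORDS, BROAD_VOCABULARY):
        print(f"{n} words from a {vocab}-word list: {passphrase_bits(n, vocab):.1f} bits; "
              f"{words_needed_to_match(random16, vocab)} words needed to match the 16-char string")
```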
There are a few guidelines to follow with passphrases. They should not be obvious, or straightforward (‘This is the password I use to log in,’ for example), they should be memorable (you wouldn’t want to forget yours!) and they should not be famous. Resist the urge to quote your favorite movie line, and get creative.
The other caveats of good password use still apply to passphrases. Don’t leave it out in plain sight, don’t use one passphrase for everything, and longer is better. Passphrases should also be changed periodically, to limit how long any successful hack will haunt you.
Taking some precautions will put you well ahead of the pack, but it’s just as important to have a recovery plan in case your system does get compromised. Any data that is critical to your business should not exist on only one hard drive. After all, even if you’re hack-proof, hard drives fail.
Ideally, you want an off-site backup, so that if your building floods or burns down, you don’t lose all your data. You also want your backup to have as little contact with your network as possible.
One hacked machine can compromise your entire network, so a backup that is constantly connected to that network can be compromised along with it.
If you’re still concerned about locking down the digital side of your business, rest assured that we have only scratched the surface here. Find a security blog with a good reputation and start reading its overview or introductory pieces. Learn about the do’s and don’ts of firewalls. Read up about intrusion detection, two-factor authentication and what the most common digital attack vectors are.
Your business doesn’t have to be the hardest target on the block. Even implementing half of the measures we’ve covered here will put you ahead of the game. A little time spent now on security awareness is an insurance plan that costs you nothing. If only all our insurance costs were so low.