A repost of an earlier blog that I wrote a few years back.
In the back of the Pizza Schmizza restaurant in Vancouver, Washington sat an old computer, humming away. An unwitting customer would walk into the restaurant to order a slice of pizza, and the next day his credit card number would go on sale on a hacker’s forum. A few years and millions of dollars later, the FBI learned the root cause of the breach: the computer was running old, unpatched software, which made it remotely accessible without a password to the hacker Max Butler (aka “IceMan”), as detailed in Kevin Poulsen’s book “The Kingpin”.
This story is not unique. We often hear of security compromises at large companies such as Sony or TJX in the news, but we don’t hear about the daily compromises of thousands of small to mid-sized businesses. One of the reasons is that many of those businesses, such as startups, motels, mom-and-pop shops and pizza shops, never find out that they were compromised in the first place. Another reason is that disclosing these compromises can often be catastrophic for their survival. According to a study from Price Waterhouse Coopers, 70 percent of smaller companies that get hacked go out of business within a year.
Smaller businesses often have no security personnel on staff. They prefer baking pizza or building a UI prototype for investors rather than fixing security holes. They think that they are too small to get hacked and that they have nothing to lose or that security is a distraction, which is too time-consuming and too costly. Others argue that their biggest security risk is “running out of money.”
In this article, we dispel these misconceptions. We show that security is both important and achievable for smaller companies without breaking a bank.
Why Should You Care?
If you think your company is too small for hackers to notice, think again.
Most home invasions don’t happen in castles with moats and armed guards; they happen in regular houses next door. Similarly, the majority of security attacks in 2011 decreased in sophistication and targeted smaller businesses. Your company is a target, and there are two reasons you should be worried.
First, regardless of your company’s size, it all boils down to its reputation.
Customers need to feel that you will do a good job of protecting their personal data. If you don’t, they will take their business elsewhere. Depending on what information is exposed, you could also be subject to expensive government fines.
Second, the phrase “time is money” is true here. Let’s assume you are the owner of a small startup which doesn’t store any customer data or intellectual property, and then one day you get hacked. How much damage do you suffer? Most typically, you will hear the answer “none”, which is why security is never a priority for these companies. In reality, you will have to repair your systems, find the cause of the breach, possibly reinstall operating systems, etc., all of which can take months. For a small startup, not focusing on its core product for months could be tantamount to bankruptcy.
What Can You Do?
Despite what vendors would like you to believe, you don’t need to buy their security technologies to protect your company. You can become a more secure company for free without impeding business agility. I now describe six simple rules for achieving that.
1. There needs to be executive buy-in for your security strategy to be successful. Many companies hire a CISO and think they have magically become secure. A year later the frustrated CISO quits and they get hacked, because security is always pushed aside in favor of business objectives. When there is executive buy-in, your CISO will have the backing to get things done. Hyundai Capital CEO Ted Chung said, “IT security needs a philosophy and only the CEO can make that kind of a decision.”
2. Make sure that no weak or default passwords are used in your company. In 2011, almost half of the data breaches reported by Verizon involved weak or stolen passwords. Don’t assume that stringent password policies ensure your employees will select good passwords. Often users choose a dictionary word or a company name and add “123” or “!” at the end just to satisfy a password policy. Any hacker worth his salt knows these tricks and will circumvent them. Teach your users how to use mnemonics to generate secure passwords (e.g. the phrase “I love chocolate 24x7!” results in the secure password “Ilc24x7!”). Wear the bad guy’s hat for a day and try to break into your company’s servers. There are many free tools available, such as Hydra (http://www.thc.org/thc-hydra/), that you can use to brute-force guess the passwords.
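The two points above, that a complexity policy alone does not stop “CompanyName123!” style passwords and that a mnemonic phrase yields a memorable but non-dictionary password, can be checked in code. The following is an added example, not something from the original post or any company named in it. It applies a typical complexity policy, then strips the predictable suffixes users bolt on and undoes common letter-for-digit substitutions before comparing against a small wordlist (the wordlist and the “company name” entries are constructed for the example; a real deployment would load a dictionary file, the company and product names, and a list of previously leaked passwords). The mnemonic helper implements one plausible rule (first letter of each alphabetic word, numeric and symbol tokens kept whole); it reproduces the post’s example but the rule itself is an assumption.

```python
import re
import string

# Constructed wordlist for the example: dictionary words plus "company" names.
# A real audit would load a full dictionary, your company/product names and a
# leaked-password list here.
SAMPLE_WORDLIST = {"password", "welcome", "summer", "pizza", "schmizza", "company"}

# Suffixes users typically append to a base word just to satisfy a policy:
# "123", "!", "2024!", "!1", ...
COMMON_SUFFIX = re.compile(r"(\d{1,4}|[!@#$%]{1,2}|\d{1,4}[!@#$%]|[!@#$%]\d{1,4})$")

# Common "leet" substitutions reversed, so P@ssw0rd collapses to password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw):
    """A typical corporate policy: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_wordlist_based(pw, wordlist=SAMPLE_WORDLIST):
    """True if pw is a listed word, optionally with a cheap suffix or leet-speak."""
    core = COMMON_SUFFIX.sub("", pw).lower()
    candidates = {core, core.translate(LEET), pw.lower(), pw.lower().translate(LEET)}
    return any(c in wordlist for c in candidates)


def audit_password(pw, wordlist=SAMPLE_WORDLIST):
    """Return (verdict, reason): complexity first, then the wordlist check the
    policy alone would miss."""
    if not meets_complexity(pw):
        return ("reject", "fails complexity policy")
    if is_wordlist_based(pw, wordlist):
        return ("reject", "dictionary or company word with a predictable suffix")
    return ("accept", "ok")


def from_mnemonic(phrase):
    """Assumed mnemonic rule: first letter of each purely alphabetic word,
    tokens containing digits or symbols are kept as they are."""
    return "".join(tok[0] if tok.isalpha() else tok for tok in phrase.split())


if __name__ == "__main__":
    for candidate in ["Schmizza123!", "P@ssw0rd1!", "pizza", from_mnemonic("I love chocolate 24x7!")]:
        print(candidate, audit_password(candidate))
```

Running the block shows the policy-satisfying “Schmizza123!” and “P@ssw0rd1!” rejected, “pizza” rejected by the policy itself, and the mnemonic-derived “Ilc24x7!” accepted. The wordlist check is the part a standard policy does not do; it is the defensive mirror of the dictionary-plus-suffix rule that password-guessing tools try first.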
3. Institute security awareness training for all company employees.
No computer in the world operates without some form of human intervention. That’s why security education should be a pivotal tool in the security strategy of any company. Security can be a very dry subject. Have some fun with it! (Don’t just tell people that it’s dangerous to download malicious attachments. Show them a screenshot of a user downloading a Hallmark greeting card on his computer, and a screenshot of a bad guy across the globe gaining access to the user’s computer as he opens the greeting card.) The awareness training should be mandatory for all employees, which will be easy to achieve if you follow recommendation #1.
4. Contrary to what security vendors want you to believe, there are plenty of free alternatives to commercial products. To give a flavor:
- Immunet offers free anti-virus (http://www.immunet.com/main/index.html) which you can install on all your computers.
- Snort is a free intrusion detection system for your network, although it can be tricky to configure properly (http://www.snort.org).
- TrueCrypt offers full-disk encryption for your employees’ laptops for free (http://www.truecrypt.org).
- You can perform static analysis of your source code for security bugs using YASCA (http://www.scovetta.com/yasca.html).
The list goes on, but it illustrates that most security products have free counterparts.
5. Secure coding training for developers.
If your company develops its own software, make sure to train all developers on secure coding principles. Familiarize them with the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) list of web application security bugs.
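To make the OWASP Top 10 concrete for developers, the added example below (not code from the original post or from OWASP) shows the most familiar entry, injection, in the form a training session would use: a lookup that builds SQL by string concatenation next to the same lookup using a parameterized query, with a small regression test a developer can keep in the code base. It uses Python’s standard sqlite3 module with a constructed in-memory table, so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable form: user input is concatenated into the SQL text, so a
    quote in the input changes the query's structure (OWASP 'Injection')."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Hardened form: a bound parameter is always treated as data, never as SQL,
    whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def injection_regression(conn=None):
    """A check developers can keep in their test suite: an input containing a
    quote must match no user. Returns the two result sets for comparison."""
    conn = conn or make_db()
    probe = "' OR '1'='1"          # the classic training-slide input
    return {
        "vulnerable": lookup_user_vulnerable(conn, probe),
        "safe": lookup_user_safe(conn, probe),
        "normal": lookup_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in injection_regression().items():
        print(f"{name:10s} -> {rows}")
```

The vulnerable lookup returns every user for the probe input because the quote closes the string literal and the rest becomes part of the WHERE clause; the parameterized lookup returns nothing for it and still finds “alice” for a normal username. The same two-column “before and after” layout works for the other Top 10 entries in a training deck.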
6. Finally, stay proactive. When people started leaving laptops unattended at Cinchcast offices, we began walking the floors and taking the laptops away. When we felt that people weren’t engaged enough, we established a “security champion award” for the person outside the Security team who contributed the most to the company’s security. At Gilt Groupe, we set up a “Hack Day” where any employee was challenged to break into the company’s website in order to win the coveted iPad. By engaging people, we managed to thwart many attacks.