Trojan horses and secret-selling, pirates and plundering: Today’s threats to cybersecurity sound more at home in history books than in headlines.
Security analysts say the war against hackers and online criminals can never be truly won, but there are steps small-business owners and individuals can take to protect themselves from becoming easy targets for digital marauders.
“One thing overall that’s important is to be aware of risks but not be overly paranoid,” said Jonathan Katz, computer science professor and director of the Maryland Cybersecurity Center at the University of Maryland. “Criminals look around and try to find an insecure network. They’ll go for the weakest link by scanning hundreds of commercial sites. You don’t want to be one of the weak ones.”
According to the Privacy Rights Clearinghouse, more than 4,200 data breaches jeopardizing more than 820 million digital records have been recorded since April 2005.
One of the threats to individuals and small-business owners is a breach of personally identifiable information, said Randy Marchany, the university information technology security officer at Virginia Tech. That includes Social Security numbers, credit card numbers, passport information and driver’s licenses.
“There is definitely a black market for that information,” Mr. Marchany said. “If I had a credit card number, or a bank account number, I could do a lot of damage in a short amount of time.”
When it comes to being cybersecure, individuals and small businesses have to take responsibility on their respective sides of the computer.
For the average consumer, Mr. Marchany said, “you want to definitely make sure you have an encrypted connection between you and a website.”
With wireless becoming the mode of connection, Mr. Marchany said, it’s much easier for hackers to access information sent between computers. Before wireless technology, hackers needed a plug-in, he said. “Now you just need an antenna.”
Even when a connection is secure, computer users need to be aware of how they share information.
“There’s no reason for anyone to ask for your password,” he said.
Even if a request or instructions seem legitimate, he said, it’s still a good idea to call the company’s help desk before sharing information such as a credit card number or Social Security number.
“Call them back,” he said. “Don’t do it over the computer.”
As for passwords, Mr. Marchany said, use a long phrase, song lyric or quote that is easy to remember. These types of passwords are harder to break than a single short word. Rather than trying to remember a bunch of different passwords, simply add at the beginning, middle or end an associated word such as “GreenEggsAndHamAmazon” or “GreenEggsAndHamVisa.”
The site where your password is saved, particularly where important personally identifiable information is stored, should be responsible enough to not store that password unencrypted, Mr. Marchany said.
“On the one hand, as a consumer you have to be careful when you go to online sites,” Mr. Marchany said, but on the other, it’s a business owner’s job to “take all known steps to [protect] the data they collect.”
“The first thing I would say to any business is have backups kept on a machine, preferably off the Internet,” Mr. Katz said. “In the event of an attack, or [information] is corrupted, or stolen, then you can recover from the attack afterward.”
For small businesses in particular, Mr. Katz said, it’s often better to get outside help to handle the security details.
“Some businesses have that expertise, but outsource this as much as you can,” Mr. Katz said. “You don’t have to worry about it all. Unless you’re a computer expert, you either want to hire somebody or contract out to manage security.”
A company needs to protect two types of information: that from the business itself and that from the network accepting electronic payments. “You need to make sure customer data is secure,” Mr. Katz said.
Companies don’t necessarily need the Fort Knox of cybersecurity systems, Mr. Katz said.
“If you’re a small company, attackers aren’t trying to go after you specifically. They’re looking opportunistically,” he said. “It’s like if you have a bunch of stores on a street with rudimentary locks and you leave your store unlocked. Make sure you’re meeting the basic notions of security so you’re not low hanging fruit that attackers can pick on.”
Tudor Dumitras, an electrical and computer engineering professor who also works at the Maryland Cybersecurity Center, echoed his colleague’s advice.
He warned against downloading anything from an unknown source or clicking on a link from an unfamiliar source.
“It’s sort of cyberhygiene,” Mr. Dumitras said. “They don’t prevent attacks 100 percent, but they will reduce their likelihood.”
Those attacks are just as hard to predict, Mr. Dumitras said.
The trend several years ago consisted of widespread breaks with the goal of reaching as many people as possible, but “now we see attacks that are sort of targeted, crafted for a very specific goal,” Mr. Dumitras said.
“It’s not very clear to me if small businesses are affected by this yet, but I think they will be,” he said. “These trends tend to change year to year, month to month. In general, cybercrime is a business. It’s been a business for over a decade now, where cybercriminals are doing it for profit rather than for fun.”