Avoiding Malware

Protecting business systems and networks is every business owner’s responsibility.

The letter you never want to write to your clients begins… “We are writing to make you aware of a data breach that may have affected your personal information and credit card data…”

Many small business owners tell me that “hackers would never want my company’s data.” They will say, “The hacker wouldn’t get anything of value.” Really? Isn’t your client’s name, address, email address and credit card information of value? It certainly is to your client—and they really don’t appreciate you not preventing unauthorized disclosure.

The Costs of a Malware Infection
How much can a malware infection cost your business? One local retailer’s network was compromised by a single piece of malware, resulting in the theft of nearly 35,000 client credit card numbers. This retailer didn’t know about the intrusion until MasterCard notified them they wouldn’t be allowed to process credit cards until the problem was fixed. MasterCard required the retailer to obtain a third-party Payment Card Information (PCI) audit and network penetration testing, which exceeded $15,000 in direct retailer costs. While the problem originated from malware, it was exacerbated by the lack of a properly-secured, PCI-complaint business network. All of this could have been avoided with the proper implementation and management of antivirus software and an appropriate network security solution.

A serious malware infection can not only destroy your business’ reputation, it can cost thousands… even millions of dollars. The costs of compromised data may include: the cost of alerting clients to the breach, paying for client credit monitoring services, reimbursement to the credit card brand, potential lawsuits and much more. The well-known Target data breach in 2013 resulted in more than $60 million of direct losses and hundreds of lawsuits. A 2014 study by IBM and Ponemon Institute demonstrated the costs of data breach per client is an average of $201 per record compromised.

Outside of highly sophisticated, industry-specific attacks, such as those recently at Sony and Blue Cross Blue Shield, most attacks are not targeted to a specific business. Every computer and network connected to the Internet is a target—a potential treasure chest in the mind of the hacker. Hackers are data vampires, pickpockets and pirates! They have no idea what is in the wallet or what data is useful to them until they have successfully penetrated the network or business system.

Do Not Enter
Never give the vampire permission to enter. Prohibiting a hacker from entering in the first place is the most effective means of protecting business and client data. Most network penetrations and data compromise are the result of malware being installed by the business owner or an employee. Hackers use many methods to get their malware installed, but social engineering is among the most effective. This often involves the hacker persuading users to comply with his or her wishes by convincing them that something is wrong with their system or that there is some benefit to the user in doing what the hacker wants (your browser needs to be updated, your Java is out of date, etc.) The message may come in an email or web advertisement which looks very legitimate. Once the user clicks on the link, the process of infection has started. The user has given the hacker permission to enter.

Antivirus: Not Enough
Antivirus software is not enough. In December 2014, Kaspersky Labs was processing more than 325,000 new malicious files each day. As such, no antivirus software is 100-percent effective, and none are capable of keeping up with the sheer number of new threats which hit the Internet daily. In addition, antivirus software is just one of the many components essential in protecting business data, systems and networks. So unless you are a technology professional familiar with these constantly-changing threats, you should seriously consider engaging a third-party technology service provider to help protect you.

Many small business owners think they can do it all themselves. They often rely on “a guy” or a trusted friend to help them when they have an identifiable problem. But the problem isn’t always the easily identifiable problem; it’s often the unidentifiable or unknown problem. The fact is, 85 percent of small businesses have one or more computers on their network which are infected with malware or viruses.

The stereotype of a hacker being an unknown guy in his basement is simply inconsistent with the real profile of the modern hacker. Today, hackers operate in somewhat traditional business environments. They go to the office, sit in a cube, and strategize with their colleagues on how to make their nefarious employers more money. Their profits come from stealing the intellectual property and personal information of others. Hackers are marketing experts who have proven effectiveness in the nearly $500 billion in estimated global costs in 2014.

Protecting Your Business Systems
Protecting business systems and networks is every business owner’s responsibility. While there are many aspects to keeping your business systems safe and secure, here are 11 essential elements to help protect your small business information systems:

1. Have a secure Internet connection and real business firewall/unified threat management.
2. Have software firewalls installed and activated on all business systems.
3. Ensure all operating systems and software are fully patched at all times.
4. Have a secure backup of critical business data (with revision control), on-site and off-site.
5. Maintain controlled physical access to business computers and network components.
6. Ensure you have current, updated antivirus solutions deployed (not the free version).
7. Have an effective spam filtering solution.
8. Have only secure wireless access points and networks.
9. Have isolated wireless networks/business systems and guest networks separated.
10. Proper employee training on email and network security is essential.
11. “Password” is not a password. Change your passwords regularly and use complex passwords. iBi

Corbett Speciale is the president of TEKEASE, a managed services provider in Peoria. He is a former special agent and criminal investigator for the Department of Defense, where he investigated numerous computer and Internet-related crimes.