If Target can't protect itself from hackers, what can a small business like mine do to protect itself?
The revelations from the recent
Target breach that exposed between 70 and 110 million customer's personal information have many small business owners asking this same question.
If Target, with all their resources, can't keep hackers out, how can a small business ever stand a chance?
The good news is that unless you're a high-profile target (pun intended), your biggest exposure is from random acts of hacking because you made it easy or you have lax security standards within your internal network.
Let's start with one of the most common holes that we see with the small businesses we work with:
Just about every business benefits from the ability for its employees to access the company network from home or from the road, but when done wrong, it's an open invitation for hackers.
Commonly used remote access tools such as Microsoft's RDP (Remote Desktop Protocol) are highly targeted by hackers because of the known vulnerabilities and the tendency for many to use the default settings to get it setup.
Not keeping your remote tools patched with the latest updates is a sure way to be randomly targeted because the hackers know how to go around the Internet sniffing for remote access terminals (kind of like in the movie War Games).
Using default port settings and allowing unlimited password attempts is another way to allow hackers to quietly nibble away at your remote access terminals until they get in.
The worst case of this that I've seen in recent times was an optometrist's office that was compromised via their RDP connection and held hostage by the hackers who moved and encrypted all their data.
In actuality, the single biggest security threat to a small business network is the
humans that use it every day and the hackers know this very well.
That's why so many booby-trapped e-mail messages are sent out every day to millions of businesses; they just need one of your employees who haven't updated their system to fall for their tricks and they're in.
They also know that most small businesses do a poor job of protecting their data internally, which means if they can compromise one system, they'll likely have access to all the company's valuable data through that terminal.
Allowing employees who use their personal laptops and mobile devices is another point of exposure for many businesses because the security and updating is controlled by the employee, not the IT staff.
One of the simple things that you can do is limit what each employee has access to and for very sensitive data, use some form of data encryption.
Random hackers like easy targets, so throwing roadblocks at them will cause them to go pick on someone else.
Limiting access to sensitive data and encrypting it can also help fight internal data theft or damage caused by a disgruntled employee.
Every business is different and has various potential holes from weak passwords to bad choices in antivirus protection suites or a gaping hole created by connecting data between two systems, so
having a security evaluation performed periodically is a good idea.
Data breaches are a fact of life in the digital age but minimizing your exposure isn't really that difficult if you make it a priority.