Last month, I ran out of space while talking about security (I get about 1,000 words each month to make my point, such as it is). I mentioned that usernames and passwords protect access to a website. I also pointed out that, by default, any information you send from your browser to a website is “in the open.” Remember, data you send over the Internet is broken down into packets and routed over other networks to their destination, where the packets are reassembled into, say, a video stream. So, potentially, anyone connected to those networks (including the one you are on) can see your information going back and forth. The Secure Sockets Layer (SSL) protects information (like your Social Security Number) by encrypting it while in transit.
The thing I didn’t have enough space to mention is this: When you’re typing that sensitive information into a form in your browser, it’s vulnerable to being snagged by a program called a “keylogger” (resident on your computer), which captures the information typed on your keyboard and can send it to whoever owns the keylogger. So, it’s important to make sure your computer itself is secure and not running any programs of which you’re unaware. Most good antivirus software (for example, AVG Free, which I recommend and which is free) will detect a keylogger or other malware installed on your system.
The other thing that got cut due to lack of space was to remind you to be especially careful when using public WiFi hotspots with your phone, tablet or laptop. Because everyone connected to that hotspot can see your data in transit, it’s especially important that you not log into a website without a secure login. Up until recently, Facebook, Google Mail and other popular sites didn’t do this, and people’s usernames and passwords were getting stolen. Worse, since most people tend to reuse usernames and passwords, it opened their other accounts to attack as well. So, if you’re on a page requesting your username and password, it’s a good idea to first make sure it’s the site you think it is, and second, make sure your browser is displaying a padlock icon, indicating a secure link.
To be sure, staying secure is mostly common sense. For example, if you find a USB key lying on the ground, do not take it home and plug it into your computer to see what’s on it. It’s believed this was how the Stuxnet virus was introduced into Iranian nuclear processing facilities. Similarly, visiting sites that traffic in porn, drugs or bootleg music is a great way to infect your computer with who-knows-what. Be skeptical when following links in emails or downloading software from unfamiliar or sketchy websites.
As we conduct more of our lives online, understanding the basics of computer security isn’t just smart, it’s a necessity. If you’re a business, it’s worthwhile to make sure you and your staff have a basic understanding of how to stay secure—your IT provider can probably help. Business computers are frequently infected when employees transfer data between their less-secure home computers and their office machines, or use their company laptop on the road or at home. And of course, hilarity ensues when an employee loses a laptop with sensitive data.
All this focus on security for small businesses is more important than you might think. The Wall Street Journal just reported on a 100-employee business that lost $1.2 million to cyberthieves in a matter of hours, despite having some security measures in place (a firewall and antivirus software). If you access your business bank accounts online, you’re probably just as vulnerable as they were.
The basic takeaway from this theft is that online transfers out of your bank account above certain limits (amount and daily frequency) should require the bank to actually speak with someone at your company who’s authorized to approve the transaction (the above theft consisted of four online fund transfers). More details are at tinyurl.com/techtalk2012-09.
Businesses tend to think they’re safe because they have a firewall (of some sort), which will only let certain data pass from the Internet onto your network (and vice versa). Most firewalls, however, are set up to permit HTTP (web) and SMTP (email) traffic access. Since email and web access are essential parts of doing business, having a firewall isn’t quite as reassuring as you might think. Employees on your network can easily (albeit unintentionally) download malware, visit a phishing site (one that looks like a legitimate site) or open an infected attachment. And a firewall does no good if you don’t change the default password (yes, I’ve seen this in the real world).
Antivirus software can prevent a computer from becoming infected, but it needs to be installed on every computer on your network and regularly updated. Even so, antivirus software may not see a brand-new piece of malware as a threat. The good guys are nearly always a step behind the cybercriminals, and most successful attacks are unreported by their victims. The story above is a notable exception.
Finally, the physical security of your network is also critical. Anything—a laptop, USB drive, DVD or CD-ROM—that can be plugged into your network is a vulnerability. The sad news is, that includes people. The $1.2 million theft I mentioned may have been the result of an employee inadvertently using the company’s bank login on a phishing site. Don’t rule out an inside job, either. Many usernames and passwords live on Post-It notes in office desk drawers.
It’s a good idea to understand exactly what your situation might be if you were the victim of cybertheft. Don’t assume that your insurance will cover it or that your bank is liable for your losses: Talk with them. You may have more luck with your insurer, since it makes money by selling you insurance and then teaching you how to avoid a claim. Banks tend not to talk about security breaches for fear of inviting attacks.
Thieves will always go where the money is, but they also go for the easy score. You don’t want that to be you.
Author
Michael E. Duffy is a 70-year-old senior software engineer for Electronic Arts. He lives in Sonoma County and has been writing about technology and business for NorthBay biz since 2001.