Three Lessons from Chinese Hackers

A new cybersecurity report by Internet security firm Mandiant found that the Chinese military is funding ‘hacker units’ whose sole purpose is to steal secrets from US companies. This comes shortly after a spree of high-profile hacks against the Federal Reserve, New York Times, Wall Street Journal, Twitter, Facebook and, most recently, Apple.

But this is just a problem for large corporations, not small businesses, right? Wrong!

According to past research from the U.S. Secret Service and Verizon Communications, over 60% of cyber attacks target smaller businesses with less than 100 employees.

While large corporations are the primary target for sophisticated nation-state hackers, small businesses often find themselves in the line of fire - particularly if they serve large companies or entities in critical industries. Chinese hackers see many small businesses as a backdoor to the bigger target - that makes you a target too. Don’t make the mistake of thinking that your business is insignificant to a hacker. At a minimum, a hacker could infiltrate your business server and backdoor your network simply to hide the true origin of the attack.

Lesson 1 - You Can’t Beat Them:

Major corporations with six and seven figure IT budgets have a hard time fending off a nation-state attack. To be blunt, small businesses don’t stand a chance against this type of threat. They lack the budget, the personnel and the expertise.

So think smart, instead of expensive.

For one, rely on a bigger company’s security expertise to provide for your own. Instead of having a physical server, utilize large cloud providers that have enterprise-level security already built in, like Microsoft, Amazon Web Services, Bluelock, etc. Outsource computer security on the cheap to a well-established security firm like McAfee, Symantec and Trend Micro by subscribing to security-as-a-service.

Additionally, think in terms of isolating rather than preventing. The most vulnerable thing you’ll do all day is to check your bank account. So go out and buy a $250 Samsung Chromebook and only use it to do online banking, nothing else. The next most vulnerable thing is your work email. Set up two-factor authentication right away, and stick with it, even though it’s slightly annoying.

Expect your online accounts to be targeted by hackers armed with sophisticated password-cracking programs and social media intelligence. Have complex passwords that use upper and lower case letters, numbers and special symbols. Use a different password for every account - and keep an encrypted written password log to keep track. Change these passwords every few months. Give fake answers that only you would know to challenge questions that could be used to bypass the password.

Lesson 2 - People are the Weakest Link:

Every small business should teach its employees the basics of Internet security - i.e., don’t open suspicious emails, don’t visit questionable websites, never give out sensitive information without permission, etc. But the reality is, no matter how much training they receive, they will eventually make a mistake that gets the company infected. That’s why it’s important to compartmentalize your business, no matter how small it is.

If you use a physical server, make sure that employees and owners run on two separate networks - the same goes for WiFi. Consider replacing employee PCs with ‘thin client’ computers that don’t allow for local storage. Prevent employees from having too much access to your business network or other accounts that they don’t really need (called “access creep”).

Lesson 3 - Expect to be Hacked:

No matter how hard you try, hackers can get you if they’re determined to do so. Small business owners should change their mentality from, “I can prevent this” to “Eventually, I’m going to get hacked.”

With that in mind, have a strategy in place to limit the damage from a hack. First, make sure the company performs daily data backups and also has two layers of protection - physical storage devices at the office, plus cloud-based data backups. Remove all critical data from the website that doesn’t absolutely have to be there. Have “mirror websites” set up that will keep running if your main website is shut down by a cyber attack. Find out if your business insurance covers remediation costs, downtime and lost earnings from a cyber attack. If it doesn’t, consider setting up a cyber insurance policy from providers like Digital Risk Resources, Travelers, Arch Insurance Group, etc.

Michael Gregg, CISSP, CISA, CISM, is a nationally prominent ‘ethical hacker’ who provides cybersecurity services to Fortune 500s and US government agencies. He’s consulted for the Department of Defense, National Security Agency and FDIC, as well as local law enforcement agencies around the country. The author of over a dozen books on computer security, Gregg is also a well-known security trainer and speaker. Gregg is COO of Superior Solutions Inc., headquartered in Houston.