James Clapper is a former Director of National Intelligence who before that worked in many other key positions within the US Intelligence Community for decades. So when he gives 4 key pieces of advice from cyber experts, I’m going to listen. Here are his 4 points:
- Patch IT software obsessively. Most Chinese cyber intrusions are through well-known vulnerabilities that can be fixed with patches already available.
- Segment your data. A single breach shouldn’t give attackers access to an entire network infrastructure and a mother lode of proprietary data.
- Pay attention to the threat bulletins that DHS and FBI put out.
- Teach folks what spear phishing looks like. So many times, the Chinese and others get access to our systems just by pretending to be someone else and then asking for access, and someone gives it to them.
Let’s go through them one by one, looking at how each applies to a small business or nonprofit:
Patch IT software obsessively
Keep software on your computers, tablets, phones and other internet connected devices up-to-date. Don’t run outdated or old software. You should use the current version of all software, with all major and minor updates installed.
When it comes to the operating system for your computer or device, if it’s not supported with regular updates, it’s time to kiss it goodbye.
Especially in the business world, that’s a problem, because there seem to be all these applications that only run on some obscure, way old version of the OS. Windows XP comes to mind. It was good in its day, but was replaced by more modern operating systems for a reason. Yet businesses kept using it because of those old legacy applications. In the process they put their entire operation at risk.
An operating system or software that isn’t being updated is a problem. Not because anything changed in it, but because the world out there changed.
So when a computer can’t be upgraded to run the latest operating system, it’s time to replace it with a new one. (Probably time for other reasons too.)
Keep in mind that this applies to things like modems and your network infrastructure as well. They often sit off somewhere where we don’t see them every day, so we easily forget about them. Or we don’t know the first thing about how to update them.
For any of this, if you don’t know what to do to be up-to-date, get help from someone who does and whom you trust with your life.
Segment your data
I wouldn’t put all my data on one hard drive, because hard drives crash. Extend that to online storage: Don’t count on just one service, be it Dropbox or Amazon S3, to keep your data. Have a backup plan so that there are always several copies in different locations.
If multiple people access your business network and storage, consider who needs access to what data and limit accordingly. Same applies for customer databases. Not everyone who is able to log in needs to be able to read and write everywhere in the system.
For instance, I do a lot of work with Salesforce. It has built-in options for limiting what parts of a given record any user can see. So finance can access info they need and a field worker can access info they need and neither needs to see everything. We’re limiting exposure and the potential for damage, accidental or malicious.
It does require planning and work to set up this kind of data segmentation and protection. However, once disaster strikes, it’s way too late (but that’s when everybody will ask why there were no protections: “How could this happen?”).
Pay attention to the threat bulletins that DHS and FBI put out
Probably neither you nor I get those bulletins. But we can pay attention to warnings of threats that come in regular media, industry group information and from trusted vendors and friends.
The key is not to ignore information. So when you hear about a cyber threat or software/hardware vulnerability, investigate. Make sure you know either that it doesn’t affect you or that you have protection in place.
Don’t just assume that your business is so small and insignificant that nobody would want to hack it. Everybody is a potential target.
Teach folks what spear phishing looks like
You get an email from your bank, Apple, Facebook or other well-known company. It claims that something is wrong with your account and as a result, your access is about to be cut off. Unless you click on the link in the email to verify that you are you.
Invariably, you’re then asked for your login info and possibly other even more personal info.
Relieved to have dodged the bullet, you go check the account that email was about. Of course you can still log in, because there was never any issue to start with.
But the bad guys now have your login info, plus any other info they got from you, and they’re busy selling that or trying to use it on other accounts, because many people use the same login info and password on multiple sites.
The thing is, your bank, Apple, Facebook or other well-known company never sent you an email to start with. It was all fake. Just to get you to part with sensitive information.
Your bank, Apple, Facebook and other well-known companies will, however, tell you that they would never ask for your personal, sensitive information in a random email. And yet people who should know better fall for it.
Phishing has moved out of just email into using tech support scams, malicious software and gift/prize scams. The goal is always the same: To get you to part with sensitive information that can eventually be used to steal money or cause other damage.
The common thread in all 4 pieces of advice James Clapper gave is that they are about things that happen online or to devices connected online, and in each case your business or private life can be seriously damaged. None of us can afford to wait for a bad thing to happen. We must be proactive and protect ourselves.
We need to be careful about:
- The places we visit online and what information we give out — What is the information the site wants? Why do they want it and should they need it to deliver what you are requesting?
- Where and how we get online — For instance, unsecured, public Wi-Fi is not a good place to do online banking.
- Where we put our data and who can get to it — Set up good policies and stick to them. And always back up, in more than one location.
- How we handle login information — Don’t reuse passwords and don’t keep a printed list of all your passwords in, on or under your desk. Use strong passwords and 2-factor authentication.
Spend some time now to review how prepared you are for an attack in any of the 4 key areas. If you’re not quite ready, get things in place to be ready.
Now you know the 4 big cyber threats according to James Clapper. After decades in the Intelligence Community, he’s seen a lot. So when he tells us to protect ourselves and our businesses, I’m going to pay attention. Because I want to be able to sleep well at night, knowing my business and my data are as safe as they can be.