
How to think like a hacker

June Fletcher
june.fletcher@naplesnews.com; 239-263-4775
Cybersecurity Defense Solutions CEO Greg Scasny gives a presentation during the Data Privacy and Cyber Liability conference as a part of the Identity Fraud Institute at Hodges University on Wednesday, Sept. 21, 2016. The mission of the Identity Fraud Institute is to learn, share and collaborate through educational opportunities for the community and professionals in Lee and Collier counties.

To protect yourself from data thieves, you have to think like a hacker.

That was the message cybersecurity experts conveyed Wednesday at a data privacy and cyber liability forum at the Identity Fraud Institute at Hodges University.

Even small-business owners need to realize that whatever they do, they have something of interest to hackers, the experts said.

Or they can be targeted, not because of the information they possess, but as portals to their clients.

“The Target data breach was done through their heating and air conditioning company,” said Carrie Kerskie, director of the institute. “Hackers are going to big companies through smaller ones, because the smaller ones are more vulnerable.”

While business owners are often cavalier about cybersecurity, they can’t afford to be, stressed Greg Scasny, chief executive officer of Cybersecurity Defense Solutions in Fort Myers, which performs security assessments for businesses.

To keep data safe, “you have to be right all the time; the hackers only have to be right once,” he said.

But it’s not an easy task. Anti-virus and anti-malware protection programs only catch about 5 percent to 8 percent of malware, Scasny said.

Meanwhile, the average time to detect that your data has been breached is seven months, he said, giving the bad guys plenty of time for mischief.

Data theft is a lucrative business, he added. Credit card numbers net $1, and medical records $10 on the black market.

Since about 47,000 records are stolen in an average data breach, that means each successful breach could net a crook between $47,000 and $470,000.

“It’s a low-risk, high-reward business,” he said.

So business owners need to assess every aspect of their business to identify vulnerabilities, understanding that “there’s no tech bullet that will make you safe,” he said.

CPR Tools Inc. CEO John Benkert points to his presentation slide during the Data Privacy and Cyber Liability conference as a part of the Identity Fraud Institute at Hodges University on Wednesday, Sept. 21, 2016.

By far the weakest link in any business is its people, Scasny said.

“People are trusting; they’ll give out information and click on links,” he said.

They’re also likely to hold open doors to anyone in a uniform who’s standing at the business door holding boxes, or to give out company secrets or personal information to anyone who shows up with “chocolates and a smile,” he said.

But it’s not just low-level employees who jeopardize company information, Scasny said. High-level executives who fail to follow best IT practices, like creating a long, unbreakable password, also create doors for hackers.

“Nine out of 10 times, people use the same password for everything,” he said.

While it’s not possible to bulletproof your business against identity thieves, any more than you can make it completely safe from burglars, you can make your business less of a target by making the bad guys work to get your information, said John Benkert, chief executive officer of CPR Tools, a data security and recovery firm in Fort Myers.

And one way is to pay attention to how long you hold on to sensitive information and how you dispose of it.

“You have to make data destruction a habit,” he said.

Just deleting data on a hard drive won’t destroy it, he said.

And older ways of physically destroying data, such as drilling a hole in a hard drive or using a powerful magnet, can be defeated by hackers, too.

Only special software programs that overwrite data are effective, said Benkert, who has worked in both commercial and government organizations, including the National Security Agency.

“I’ve never recovered anything useful that’s been destroyed that way,” he said.

Benkert warned business owners “never to use anything that’s handed to you,” including thumb drives that are given away at conventions, as these could be infected with malware.

He also warned the business audience to be wary when they connect their phones to rental cars, as the data can be stored on the car’s system.

While recycling old phones, computers and other devices is admirable, he said, he warned the audience to ask questions before handing over an item to a big-box store or other recycler, since low-paid employees may be tempted to sell a few hard drives on eBay to earn some extra cash.

Even when a business takes precautions, it’s not possible to safeguard data completely, said Thomas Rinaldi, a trial attorney with Bond Schoeneck & King PLLC in Naples.

But it’s important to make the effort, he said.

That’s because data breaches lead to lawsuits and possible regulatory action, and they tarnish a business’s brand.

Big fines and audits have resulted when businesses large and small have failed to encrypt data, have not used antivirus software or have allowed employees to take unprotected laptops out of the office.

So it’s important even for small businesses to show they are making an effort to protect client data by creating a formal privacy policy, training employees and hiring third-party cybersecurity firms each year to test systems for vulnerabilities.

“Hire a different firm each year, because they all use different systems,” he advised.

Such actions show good faith and reduce a business’s liability, but there’s an even more important reason to pay attention to data security, Rinaldi said.

“We all have an ethical responsibility to protect our clients’ data,” he said.

Thomas Rinaldi, a trial attorney at Bond Schoeneck & King, PLLC, addresses the audience during the Data Privacy and Cyber Liability conference as a part of the Identity Fraud Institute at Hodges University on Wednesday, Sept. 21, 2016.

Thwarting data thieves

Cybersecurity experts suggested these tips to keep hackers away from your business:

» Keep a record of all company electronic devices and who has access and permission to use them.

» Figure out what consumer data you need and how long you need to keep it.

» Make sure computers aren’t connected unnecessarily.

» Require long passwords, and suspend access after several failed log-in attempts.

» Establish risk management policies with input from IT and legal counsel.

» Protect removable media.

» Have a procedure to wipe and dispose of discarded devices.

» Put together a team with defined roles to respond to and contain a data breach and to inform those affected by it.