It took some time for Kevin Stecko to learn in 2013 that the e-commerce system for his website, 80stees.com, had been hacked. Whoever did it “sat on the [data] for about six months,” Stecko says. “We didn’t notice anything.”
He doesn’t know how the breach happened, but he suspects it may have been the work of a former employee. Today, he outsources the technological back end of his site, which does under $10 million in sales, to Shopify, the popular provider of e-commerce services to tens of thousands of companies.
Security breaches are becoming almost regular news. With ongoing high-profile revelations about the likes of Home Depot and JPMorgan Chase having millions of customers’ data hacked, such events are losing their capacity to shock. Until, that is, it happens to your business. In a 2014 survey of U.S. executives by Experian and the Ponemon Institute, 43 percent said their organizations had suffered a data breach in the past two years. “No matter how small you think you are,” warns Stecko, “there’s a good chance you are being targeted by hackers on a regular basis. They are probing for any weakness in your systems, practices, or people.”
One way to keep things safe, paradoxically, is by taking matters out of your own hands and using a giant cloud company to store your data. Stecko no longer has access to his site’s credit card data, which is safely locked up with Shopify. Now, he says, “I know that a rogue employee can’t steal customer credit card information.” His other tactic for increased security: two-step authentication--employees need a username and a password plus the answer to a security question to log into the system.
You can also opt for what is sometimes called a “private cloud” option--a password-protected and often encrypted service. This is what Mission Benefits founder-CEO Matthew Sohn is doing with ShareFile, a product offered by tech giant Citrix that provides that extra layer of security and encryption. “If we were selling widgets,” Sohn allows, “it would be different,” but federal requirements dictate how customer data for businesses like his--which helps companies with health insurance and other benefits--must be stored.
Training staff so they don’t get hoodwinked--if, say, someone calls pretending to be a store manager seeking customers’ passwords--is also critical, says Nathan Toups, chief technology officer for Key the City Concierge. “You could have the best encryption on the planet,” Toups points out, “but if you give out a password, it doesn’t matter.” To address that concern, Tim Ryan--founder and creative director of digital video company TAR Productions, which relies on cloud-based services--turned to Apple’s Keychain to make custom, randomized passwords for each provider he uses.
What you may not know, says James Staten, a former cloud-computing analyst for Forrester Research and now a chief strategist at Microsoft, is that small companies can be tempting opportunities. If a hacker is deciding whether to break into a small company’s in-house server or one that’s located at Amazon Web Services or another big-name cloud provider, which will he pick? “He’ll choose the small-business server every time,” Staten says, because it’s often easier to breach. All the more reason to take extra steps to keep your data--and your customers’ data--safe.
The data on breaches
32 years old--and they keep growing
- 783: Major data breaches in 2014--up 27.5% from 2013. Source: Identity Theft Resource Center
- 1 billion+: Individual records that were hacked in 2014.
- $3.5 million: Average amount a hacking incident cost a company in 2014, up 15% from 2013. Source: Ponemon Institute
- 1983: The year of the first reported major breach, when hackers gained access to medical patients’ records and billing data.
Playing It Safe
Whether you store your data in-house or use an outside service, these tips can keep you out of the headlines.
- The cloud is often safer than you: Most security compromises are not about hacking or the cloud--they’re inside jobs, or the result of lost laptops. Typically, “the cloud is way more secure” than an in-house server, says Charlie Burns, vice president of research at consulting firm Saugatuck Technology. “Cloud providers have state-of-the-art security organizations they pay top dollar to.”
- Passwords aren’t enough: Your cloud provider should use encryption or two-factor authentication--whatever technologies “are culturally acceptable that can be used to keep out criminals,” advises Mike West, formerly an analyst at Saugatuck Technology. Passwords, he says, “are a joke. You cannot design a password that’s not breakable by a kid.”
- You need to vet your provider: Top cloud companies will boast about their credentials. The Cloud Security Alliance’s STAR (Security, Trust and Assurance Registry) program, for example, audits such companies’ security controls.
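Two of the tactics above, a random, unique password for each provider (the Keychain approach Tim Ryan uses) and a second factor that a leaked password alone cannot satisfy (the "passwords aren't enough" tip), look like this when written out. This is an added Python example, not code from the article or from any company it names. It generates per-service passwords with the standard `secrets` module, stores a salted PBKDF2 hash rather than the password itself, and verifies a time-based one-time code per RFC 6238. The secret key is the RFC's published reference key (so the codes can be checked against its test vectors), and the user record is constructed for the demo.

```python
import hashlib
import hmac
import secrets
import string
import struct

# Constructed demo secret: the RFC 4226/6238 reference key (ASCII "12345678901234567890").
# A real deployment generates a fresh random secret per user with secrets.token_bytes().
DEMO_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def generate_password(length=20):
    """Return a random password that contains at least one lowercase letter,
    one uppercase letter, one digit and one symbol. Each provider gets its own,
    so a breach at one service does not unlock the others."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the server keeps (salt, hash), never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, step=30, window=1):
    """Accept the code for the current time step or `window` adjacent steps
    (tolerates small clock skew). compare_digest keeps the comparison constant-time."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def check_login(store, username, password, code, at_time):
    """Two-step login: the password hash must match AND a valid one-time code
    must be presented. A stolen password alone fails the second step."""
    rec = store.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, rec["hash"]):
        return False
    return verify_totp(rec["totp_secret"], code, at_time)


def build_demo_store():
    """Constructed user record for the demo (hypothetical user 'kevin')."""
    salt, digest = hash_password("correct horse battery staple")
    return {"kevin": {"salt": salt, "hash": digest, "totp_secret": DEMO_SECRET}}


if __name__ == "__main__":
    store = build_demo_store()
    print("new per-provider password:", generate_password())
    print("code at T=59:", totp(DEMO_SECRET, 59))
    print("login with password + code:",
          check_login(store, "kevin", "correct horse battery staple", totp(DEMO_SECRET, 59), 59))
    print("login with password only:",
          check_login(store, "kevin", "correct horse battery staple", "000000", 59))
```

The `verify_totp` window is the usual compromise between usability and replay exposure: one step on either side covers phone clocks that drift by up to 30 seconds, while a server should still record and refuse a code that has already been accepted within that window.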