Have You Been Hacked?

By Chris Rader
Rader Solutions

CSA is partnering with Chris Rader this year to help members reduce technology risk and improve their use of technology. Articles like this one will appear regularly, and Chris will also be conducting webinars on various topics. He will also facilitate users groups for companies using Spruce and BisTrack software. Chris owns Rader Solutions, which provides technology expertise and hosting for building material dealers across the country.

I'm sure you've read about major hacking incidents in the news lately. Again and again, large corporations have had to apologize to customers for putting their personal information at risk. The numbers are staggering.

In September 2016, Yahoo announced that a data breach had occurred sometime in late 2014, affecting more than 500 million Yahoo user accounts. Then in December 2016, the company announced that another, much larger breach had occurred in 2013, affecting more than one billion user accounts. That's billion with a "B."

During the first announced Yahoo breach, thieves stole names, email addresses, telephone numbers, dates of birth and passwords from Yahoo users. During the second, they were even more sophisticated and used "forged cookies" or "web cookies" to gain access. By using forged cookies, they were able to break into accounts without passwords by falsifying login credentials.

With the number of affected users soaring into the billions, I'm sure you've wondered if you're at risk.

Have You Been Hacked?

You might think that because you operate a relatively small business or limit your online exposure, you are less of a target. The truth, however, is that everyone is at risk! It's really a question of WHEN you'll be hacked rather than IF you'll be hacked.

It could be as simple as this: If you sent emails to a Yahoo user containing confidential information -- bank information, corporate financials, employee names or social security numbers -- that information could have been compromised. How?

When you send an email from your computer, the email almost instantly becomes resident on the receiving computer and a part of the receiver's server mailbox. Likewise, if you received emails from a Yahoo account, your data could have easily been accessed by perpetrators and used against you.

The Yahoo breaches, however, are only examples. Criminals are working to gain access to as much personal data as possible. Their goal is to make money from what they can access -- lots of money.

Here's a Real World Example

At Rader Solutions, we have seen authentic-looking emails asking lumber dealers to transfer money from one bank account to another. Often, the emails include the email signature of the person authorized to transfer funds from the bank to a vendor. Of course, these emails are not sent from a trusted business partner. They are coming from criminals casting a wide net, and you can be sure you're not the only company they are targeting.

How Can You Protect Yourself?

Here are 10 tips to keep your business and personal information safe:

  • Never wire money without speaking to the person authorizing the transfer. For example, if your accounts payable clerk receives an email requesting a transfer of money from your bank account to another bank and account, the transaction should only take place after the accounts payable clerk has spoken, in person or by phone, to the person authorizing the transaction. Email confirmations are not enough.
  • Do not click on suspicious-looking emails.
  • Never download files that look suspicious, even from people in your address book.
  • Do not use the same login or password for more than one online account.
  • Meet with your IT staff and understand how they filter emails and what they are doing to filter out phishing emails. Ask "dumb" questions until you understand exactly how the filtering process works.
  • Use strong passwords containing numbers and special characters.
  • Secure your wireless network.
  • Change your passwords frequently or when prompted to do so.
  • If you must send confidential emails, make sure you are using secure email that uses cookies or email encryption.
  • Sign up for Security Awareness Training.

Of course, this isn't all you need to know about online security, but it will give you a start. As part of CSA's computer initiative, I plan to write a series of articles for Framework to increase your awareness about technology issues. In addition, I will conduct Security Awareness Training for you and your employees via the web during the next few months. I encourage you to participate. We will update you about dates and times as we get them finalized. In the meantime, stay safe!