I would imagine by now you’ve heard the story about how millions of Target credit card accounts were hacked using a mechanical contractor to get into Target’s servers. The hacker used a phishing email to get logon information from one of the contractor’s employees and then used that information to get into Target’s payables system for its vendors.
That’s called share network vulnerabilities where a contractor is on an infected network with either a vendor or customer and the contractor can be the victim.
At the recent Mechanical Contractors Association of America convention in Orlando, technology had a central place, including the bad kind of tech from which contractors need to protect themselves. James Benham told the contractors that he was going to frighten them with hacker stories and he likely did. Benham, who wrote his first code at age 11, earned a Master of Science in Information Systems at Texas A&M University. He is the CEO of his own software firm, JBKnowledge Inc., and he teaches at A&M’s Department of Construction Science.
“We have to talk about this if we want to stay in business,” Benham said.
Ten percent of mechanical contractors were hit by Cryptolocker last year, malware that encrypts everything on the victim’s computer network. The only way to retrieve your files is to pay ransom to the hackers in Bitcoin.
There are many ways for contractors to lose their data. One is a data breach where hackers get in through unsecured WiFi.
Contractors seem to have an irrational fear of the cloud, Benham says, but all of the attacks that he’s seen have been on contractors’ servers that are in-house. Cloud providers employ a full-time security staff and many contractors don’t even have one full-time IT person. But don’t sign up for free cloud service, Benham warned. He repeated Steve Jobs's maxim that if anything is free, you and your data become the product.
There are many ways for contractors to lose their data. One is a data breach where hackers get in through unsecured WiFi. There’s data loss from a lack of backup or the bankruptcy of a vendor. If you’re on a shared server at a data center and another company on that same server commits a crime, the FBI can come in and haul away the server (and your data). The bank could foreclose and padlock the data center.
That points to another problem, non-existent due diligence. If you’re going to contract with a data center, Benham notes, at least take the time to drive over there and check it out. Where will your data be held? Who has access to it? Who is the IT manager?
Your computers could be hijacked through bogus “free” WiFi, often logged onto by traveling employees. Traveling employees should never log onto a network they don’t recognize.
Your computers could be hijacked through bogus “free” WiFi, often logged onto by traveling employees. Traveling employees should never log onto a network they don’t recognize.
Don’t discount malicious insiders, either employees or employees of a vendor. If you fire someone, his computer should be taken away while you’re firing him.
But don’t sign up for free cloud service, Benham warned. He repeated Steve Jobs's maxim that if anything is free, you and your data become the product.
Now the good news — there are solutions. Buy a cyber liability policy, an insurance company product, Benham advises. Purchase source code and database escrow that will send your data to a firm such as Iron Mountain. Buy continuous local backup with a firm such as Carbonite that backs up your data, encrypts it and sends it to the cloud. Use two-factor authentication, an app with a continuously changing code, like Google Authenticator. Encrypt everything, including your backup drive. Perform background checks twice a year on your employees with access to your data. Purchase external audits from cyber security firms that test your security by constantly trying to break into your network. Alert Logic is one of the firms that sells intrusion detection devices that are attached to your firewall and track all activity on your network. Benham uses that; it costs him $1,200 a month and blocks 100 malevolent IP addresses per day. Finally, train, train, train, train, train. Poorly trained employees can be the biggest weakness in your computer network.
