Thursday, February 12, 2015

Why start-ups need to worry about hackers — and what you can do to protect your business



Cytegic CEO Shay Zandani, left, and Cytegic Chairman and former Israeli Security Service member Carmi Gillon, right. Cytegic helps small businesses protect against cyber attacks. (Photo: Michelle Siu for National Post)

When companies ply their trade in the digital world, data is like bullion: If snatched out of the vault, it could lead to financial ruin.
Attacks against the likes of Sony and Target steal headlines, but startups are anything but inconsequential to cyber thieves: More than a third of attacks globally are aimed at small businesses and the number of hackers is growing, too. McAfee Labs detected more than five new threats a second in the third quarter of 2014. A study it commissioned last March revealed one in five businesses were victims of a network breach, likely understated considering the stigma that comes with such an admission.
“You, as a customer, have only one demand,” said Carmi Gillon, executive chairman of Israel-based security startup Cytegic, in an interview in Toronto. “I give you my information. I believe you do the utmost you can do to keep the information safe.”
Mr. Gillon, a former head of Israel’s internal security service, Shin Bet, is on a mission to convince company leaders worldwide that cyber security isn’t just a matter for the engineers; it’s their concern, too.
Of course, he and Shay Zandani, Cytegic’s chief executive, are in Canada not just to share their mission, but also to drum up support for the company’s latest line of software. Cyber security is a fierce battleground in thriving tech hub Tel Aviv, where such startups number in the hundreds.
One area Mr. Gillon said is becoming bait for hackers is healthcare IT. “It’s the most intimate personal information. I’m a patient of yours. I want to be sure all the information about me is safe in your clinic,” he said.
But regardless of the industry, Mr. Gillon contends the forces of evil are always one step ahead of the game and no one is immune to threats.
Those words ring true for Toronto-based analytics firm Physicalytics. It’s not just the company’s own information on the line, it’s the clients’, too, said Sam Seo, co-founder of Physicalytics. He strongly advocates keeping a lock on data.
“It’s obviously something we worry about, but it’s also something we’re heavily prepared for and trained to prevent,” he said. But it took a scare for a client, web development firm Hostorea, to realize that.
One day a banner appeared on the client’s website, declaring it had been hijacked and demanding payment for it to be returned. Mr. Seo quickly restored an older version of the site. “If I didn’t have the backup, I would have been in a bad situation,” he said. Statistics Canada reported that less than half of small businesses backed up data in 2013.
Most corporations can absorb such a blow over the long haul, but for entrepreneurs, even a small-scale attack could undermine all their hard work. “You can decide that [you’re] not going to use [your] budget to protect [yourself]. At the end of the day when you reach a point that you are attacked, the damage to your business is so high maybe it will destroy your business,” Mr. Gillon said.
Even if there is nothing to gain financially, a vault full of sensitive data can be much more valuable to a cyber thief, Mr. Zandani said. He recommended every business set aside one-fifth of an IT budget — a conventionally accepted figure — for security. “That’s not easy to invest such an enormous amount of money. You’re not getting any income out of it. It’s like buying life insurance,” he admitted.
But as Mr. Gillon pointed out: “Average people [take out] life insurance for the sake of the family. But at the end of the year they don’t say, ‘OK, I just spent money, nothing came out of it.’ ”
Kris Constable, founder of Victoria-based consulting firm PrivaSecTech, agreed the cost of protection is high upfront, but he said the post-hack clean-up costs could be insurmountable, especially if you have to win back the trust of your clients.
The most common attacks are browser based, said Mr. Constable, a digital privacy and security expert. One common tactic is for intruders to embed malicious code into JavaScript to crash a browser. Remember Heartbleed? According to McAfee Labs, that virus exposed about 600,000 websites to information theft.
Content management sites such as WordPress are easy to use, but they’re also so loaded with code that they become “a pretty big attack surface.” The stats vary depending on the source, but on average one in five self-hosted websites run on WordPress. It has plenty of tools, but “it also has a lot of loopholes or vulnerabilities that human or bot hackers can infiltrate,” Mr. Seo said, and as good as its plug-ins are, they’re also what can expose users to attack because many are created by independent developers.
Mr. Seo suggests enlisting other servers to be gatekeepers for the server where your data is stored. “Hackers will attack the first layer, first. They’ll determine if it’s clean traffic or malicious traffic.”
Behind the trickery of all the fast-action bots out there is a human cyber vigilante. “If it’s a serious attack, it’s a real person,” he said. “If it’s a real person, they’ll be behind an onion network. One second they’ll be in China, the other second they’ll be in Russia in terms of what their IP address looks like.”
Passwords should be at the top of any security checklist and Mr. Constable recommends they be both “hashed” (encrypted) and “salted” (have an extra cushion).
But sometimes even a password won’t protect you. External cyber invasions are not the only threat, Mr. Constable said. The majority come from within a company’s own walls. “If it’s just founders, there’s little risk. But as soon as you start hiring people, how do you know they’re not doing something malicious with your information? The larger you grow, the bigger that threat vector gets,” he said.
It’s impossible to guard against every possible cyber threat, Cytegic’s Mr. Zandani said. Regardless of how big an enterprise is, the first thing a founder needs to do is evaluate the organization’s most important assets. “If you’re going to invest to be protected from everything all the time, the only solution is to unplug and to close your business,” he said.
“You need to focus on what is relevant now and to be proactively protected.”
