Last week’s Yahoo intrusion has something in common with Viagra, penicillin, and Coca-Cola – all happened by accident. The end result was not what the instigator was looking for. At first, it was thought that the Yahoo intrusion was due to a hacker finding a ShellShock opening. But, no. The intruder may have been looking for it, but found another vulnerability instead.
What small businesses can take away from the Yahoo situation is an understanding that just because your IT shop has covered you on a vulnerability that the media has hyped, your network may still be hacked. The cyber-criminal may be looking for something specific and even if you are patched or protected from that vulnerability, the criminal may keep looking around in your system. Hopefully, after looking for two or three known exploits that have been patched, the hacker will move on to another prospect. Time is money, after all, even to a hacker.
The business world is starting to realize that if the likes of ATT (also hacked last week) and Yahoo are hacked, even with a strong IT group and utilization of great tools, hackers can and do get into networks. More conversation is happening about how a corporation should be ready to recover and maintain business while a breach is under investigation and if necessary, resolved. Prevention is one aspect of a strong cyber security program. Recovery is another aspect for which businesses need to prepare.
In today’s risky world, the prudent business owner needs to ensure the company has a good recovery plan. Dust off the continuity plan that was prepared to meet the insurance company’s requirement or the agreement with a client. Add steps that address loss of company data or client information. A few key components to think about include:
• How will you establish a separate network for your key financial and operational activities? What must you have to stay operational for a week or a month, if your main network is breached? How do you isolate and contain the infected system?
• Who are your major contacts in an emergency? Board members, law enforcement, clients may be on the list.
• Who will handle media inquiries? Do you have a public relations company that can quickly work with you on control the message to the public?
• How can you preserve your reputation as a business your clients can trust?
If you don’t have a cyber-crime recovery plan yet, the Federal Communications Commission has an online tool that can assist you. Or you can check with your local law enforcement agency or chamber of commerce for names of vendors that provide planning services. Just as businesses have learned to be prepared for natural disasters, savvy business owners are preparing for cyber-crime disasters.