A journalist getting hacked by online crooks may not attract the attention of other busy small-business owners. Yet the story of Wired senior writer Mat Honan, who says his “entire digital life was destroyed” in less than an hour, offers some critical lessons about security in the online age.
Now that the dust has settled on the drama, let’s look at what entrepreneurs can learn from it.
1. The target can be (very) small. One of the prevailing and more damaging security myths is that small businesses are too insignificant for online crooks to bother with. “Who’d waste their time on little old me?” you ask. You might be surprised. First off, just about every legitimate business has a bank account, if not several of them. Banking and other financial accounts are obvious bull’s-eyes for bad guys. Customer databases and HR files — which often include social security numbers, credit card numbers, and other sensitive info — are also attractive to thieves. Honan’s experience shows that a target doesn’t even need to have any monetary value. His attackers didn’t empty out his bank account or run up his credit card bill: They hijacked his Twitter handle.
2. Apple is not a safe haven. Apple’s operating systems (the software that makes Macs, iPads, and iPhones work) have a reputation for being very secure and relatively free of the malware and other harmful junk that Windows PC users contend with. Honan’s case is a harsh reminder that security is much more than Trojan horses, keyloggers, and other online plagues. By gaining access to Honan’s Apple ID, the attackers were able to take control of — and effectively ruin — his MacBook, iPad, and iPhone. That little bit of information led to breaches of his Gmail and Twitter accounts, too. “You honestly can get into any email associated with Apple,” one of Honan’s attackers later told him. No hardware or software is fail-safe. Don’t assume you’re secure simply because you use Apple’s or any other company’s products. It’s just not true.
3. Don’t link online accounts. The bad guys were able to run roughshod over Honan’s digital life in large part because he linked, or “daisy-chained,” various accounts together. “My Twitter account linked to my personal website, where they found my Gmail address,” he writes. And that was just part of a snowballing sequence. This practice can be especially risky for small-business owners and self-employed professionals who mix and match technology for work and personal uses. Mobile devices, email accounts, and social media are common culprits.
4. Back your data up. Honan acknowledges that he bears part of the responsibility for his data loss, because he failed to back up his files, particularly those on his MacBook. As a result, he lost everything saved on his laptop. He later recovered much of it, but data-recovery services like the one Honan used are expensive — he shelled out nearly $1,700 — and far from guaranteed to work. Honan called the recovery of his files a “miracle.” The bottom line: Back up your information. There are myriad options for doing so, online and off. Several online platforms, including Google Drive and Microsoft’s SkyDrive, offer a decent amount of starter space — 5GB or more — for free. If you’re uneasy about storing sensitive business information online, do so on an external hard drive or other physical storage media. Just don’t keep it in the same place as your primary copies. Otherwise, you’re not protected from other kinds of disasters, such as a fire or flood.
What else can you do to protect yourself and your business? In the wake of Honan’s story, Google recommends enabling two-factor authentication on your accounts. Use strong passwords and change them regularly, and avoid using the same username and password combinations across accounts, because reusing them makes attacks like this even easier.
Remember: This type of digital disaster can happen to anyone. The worst mistake is to assume it can’t happen to you.