“We’ve got a problem” were the first words that Ross, Nexight Group’s executive vice president, uttered when he came into my office last Tuesday. “Our website has been hacked.” Not what I wanted to hear, especially since we are using our website to reach out to our customers about current topics of interest, including cyber security.
For the next three hours, visitors to www.nexightgroup.com saw a web page that contained Turkish writing urging freedom for a member of a group deemed by the U.S. government to be a terrorist organization, with the message “Hacked by Coldhackers.” We called the company that designed and hosts our website and they traced the problem to the software we use to upload our web content. We soon learned that we were not current with our software updates and our security wasn’t strong. Our hosting company reloaded our website while we got busy downloading security updates and changing passwords.
In 2011, Dmitri Alperovitch, McAfee’s vice president of threat research, distinguished between two different kinds of Global 2000 companies: those that have been hacked and know it, and those that have been hacked and don’t yet know it. (Former FBI Director Robert Mueller and others like to repeat this line.) Tackling cybersecurity challenges is made harder because businesses often don’t report system intrusions due to embarrassment and worries about company reputation. Yes, I hate to admit that we were hacked and we were embarrassed too!
What did we learn from this experience? I have three takeaways:
- Security Updates: Be diligent about installing the latest security updates. In our case, we were unaware that it was our responsibility to download updates for this software.
- Strong Passwords: Our passwords were not as strong as they needed to be. We got a bit lazy, as most people do, and should have used stronger passwords and changed them more frequently.
- Every Company Is Vulnerable: I thought that because we were a small company we would not be a likely target for a hack. I know better: “security by obscurity” is NOT a sound cyber strategy.
These ideas are not new to me, but I learned them the hard way. It reminds me of a bumper sticker I saw recently that said, “Every new generation has to touch the stove to learn it is hot.” Ouch!