As a citizen of the U.S., I’ve been lucky in my life to have mostly been shielded from the evils of fraud, theft, and other criminal mishaps that happen daily. I’ve certainly read about these crimes and even written articles about them, especially as they pertain to the HVAC industry, but I, personally, haven’t been a victim of them.
Until now. I learned, much to my dismay, that my wife’s social security number was stolen sometime last year, and, since then, our lives have been turned upside down. Credit cards and loans have been taken out in her name, tax returns have been filed under her social security number, and collection agencies and creditors have been calling, writing, and threatening for monies we never borrowed or spent.
We’ve had to file police reports, talk with the IRS, have our tax refunds held up (potentially for years), freeze our own credit reports, and report the crime to all our creditors so they can be on the lookout for any fraud being committed in her name.
Because they have my wife’s social security number, they also have our home address. And, at least according to our local authorities, that information is sold over and over again, and there is less than a 5 percent success rate in finding and prosecuting the thieves.
This sucks. There, I said it.
We’re always so careful with our sensitive data and never use our social security numbers on anything where it’s not required. The first thing investigators and IRS agents ask is how we think someone obtained our data. Seriously? Nice question.
The answer isn’t through carelessness on our part. In my opinion, the answer is hackers.
Think about this: In 2013, according to an April 20 Wall Street Journal article, “What Companies Should Be Doing to Protect Their Computer Systems – But Aren’t,” America entered the age of the “megabreach when Target Corp. lost 40 million credit card numbers to Russian-speaking hackers.”
Since then, America has been rocked by massive hacks into venerable companies like Home Depot, J.P. Morgan Chase, eBay, and, now, even the IRS (where social security numbers were stolen from more than 100,000 American taxpayers, perhaps among them, my wife).
The point is, the Target breach was a piggy-back scenario where an HVAC contractor doing work for the chain inadvertently provided a back door into Target’s financial systems, exposing them to the theft of all those credit card numbers.
Seriously, an HVAC contractor? Truth. The 21st century has given birth to a new industry to deal with all this hacking, though I’m not convinced they’re doing such a great job. After all, the IRS did get hacked at least once, possibly two or more times, leaving citizens and businesses exposed to the treacheries of the criminal world.
PROTECT YOUR DATA
According to the WSJ article, there are at least five ways to protect your data:
1. Stay up-to-date with software patches, especially operating system updates. According to Yadron, the article’s author, Microsoft Windows had a glitch that made it easy for hackers to gain access, though that “hole” was covered years ago. But, if you don’t update your software, you are at risk.
2. Don’t leave your Internet doors open. That means keeping track of all computers, tablets, and smartphones that have access to the Internet and your company’s digital footprint. The article points out that nearly a quarter of all breaches are from computers that don’t need to be online. (It cites a study done by Verizon for this statistic.)
3. Can you say “encryption?” This means data are encoded in such a way that only authorized parties can read them. To quote Wikipedia’s definition of encryption, “Encryption does not of itself prevent interception, but denies the message content to the interceptor.” Unfortunately, encrypting your data can be pricey, but you should weigh the cost against the dollar value of the stolen data. You can download an encryption best-practices whitepaper on this topic from Advanced Software Products Group Inc. You’ll need to provide them your name and a legitimate email address, but the download is free.
4. Passwords? We don’t need no stinkin’ passwords. Yup, the article says you need to get rid of your passwords. According to the Verizon study, a quarter of the data breaches examined could have been prevented if the victimized companies had required more than just a password to get into the system. Apparently, it’s easy for hackers to crack passwords because users typically use birthdates and other easy-to-remember numbers for them. You can learn more about alternatives or additives to passwords by visiting http://bit.ly/PW_Replace or http://bit.ly/PW_Alts.
5. Vendor Check. Back to that Verizon study: Between one-fifth and two-thirds of data breaches are linked to hackers breaking into vendors or other third parties to gain access to larger companies’ data. Case in point: the Target breach two years ago. The solution is easy to say and difficult to do: oversight. This often means making sure vendors can prove their cybersecurity programs and track records. Then, you need to have them sign some kind of declaration on their cybersecurity approach. Yadron’s article goes on to say there isn’t really much more that is feasible to do.
PLAY IT SAFE
A lot of people will argue that doing all this is a hassle and can be cost-prohibitive. They aren’t wrong. But, once you’re hacked, it’s really hard to stuff the genie back into the bottle. From a personal perspective, I can vouch for that statement. You can also ask the 4 million people whose personal records were stolen recently from the U.S. Office of Personnel Management by hackers in China.
This is scary stuff, and it does the HVACR industry no good to be unwitting accomplices to outside criminals. It’s incumbent upon everyone in the HVACR industry to make sure that their own Internet networks and systems are as secure as possible so we can prevent hacking attacks and identity thefts in the future.
One last note: The April 20 edition of the Wall Street Journal also had an article on “The Man Who Finds the Security Holes,” explaining what its author does to make sure employees don’t fall for hackers’ tricks. I suggest you check it out.
Publication date: 8/24/2015