
You’ve Been Hacked…But You Can Hack It!



It’s a phrase no business owner expects to hear, nor wants to hear. But once uttered, it represents the contractor’s equivalent of collapsed ductwork: You’ve been hacked.

The vulnerability of computer systems—and all that financial and business data they hold—leapt into public consciousness in late 2013, when 40 million Target customers had their data stolen. It was the largest breach in retail history, and not long after, eBay suffered a cyberattack as well. As much as consumers faced financial uncertainty in those scenarios, the companies in question were hurt in terms of reputation and trustworthiness. Today the danger of a hack has increased, especially if you’re a small- or medium-sized business (SMB).

“Advances in technology have made businesses more susceptible to breaches,” says Damian Caracciolo, vice president at CBIZ, a firm that provides employee benefits and insurance advisory services to SMBs. “That makes safeguarding one’s business more important than ever. In fact, small business cyberattacks nearly doubled from 2011 to 2013, from 18 percent to 31 percent.”

Hacking doesn’t just happen at the server or home office level, says Karen Painter Randall, a partner at the Connell Foley law firm and co-chair of the firm’s Cyber Security and Data Privacy Group. Here, she cites an example that should put every HVAC contractor on guard.

“Through smart thermostats, hackers can turn off heat and cause pipes to freeze, resulting in property damage,” Randall says. “Moreover, based upon thermostat settings, attackers can build a profile and know exactly when a customer is not home—potentially resulting in burglaries—as well as disable security systems.”

That risk is small, and happens through malware that attacks the thermostat’s operating system controls. “But informing the homeowner about the risks of using such a product is important,” she says. “Contractors should also consult with their insurance broker to ensure that they are covered in the event of a breach, as the potential for damages, and loss of reputation, can be crippling.”

How fast can it happen? “It takes only a USB flash drive with malicious software and seconds of physical access to compromise a device,” Randall says.

In some cases, the hackers just want to make trouble. Penny Sansevieri, the CEO of Author Marketing Experts, says cyber-rogues compromised her website to the point where even the slightest change in her blog made the entire site delete itself. “This went on for months,” she laments.

Eventually, Sansevieri discovered a major source of the problem: Her website was on a shared server that had been compromised. “If one site gets hacked the hackers can often get into all of them,” she says. Lesson learned? “We are now on our own hosting site. We can never be on shared hosting again—nor would we want to be, given what happened.”

But in a majority of instances, it’s about getting at your sensitive financial information—just as in the Target breach. Matthew Repicky and Peter Bamber of Security Management Partners advise contractors not to ignore the early warning signs.

“A virus cleaned is not always cleaned,” they note. “A system crash is not always just a system crash. A web browser closing unexpectedly with an error could be an attacker trying to compromise your computer.”

At the first sign of trouble, they advise contacting financial institutions on transactional accounts as a preemptive, protective step: “Confirm that the accounts are not being accessed inappropriately. This step could save you significantly in the event that someone can get a hold of your financial account information and attempt to make transfers.”

This assumes you can head off the hack at the pass. But how should you respond if a hack happens? These bullet points come courtesy of Tony Scheina, a private security expert and owner of MOSAIC (Multi Operational Security Agency Intelligence Company):

Verify the attack. Was it merely an act of mischief, or a true loss of sensitive information? If the latter, “Notify all employees and trusted members of your network that may be affected by it,” Scheina says.

Reset, reset, reset. This means changing passwords, updating your operating system and removing third-party apps.

Locate the breach. A hack isn’t simply a generic event, but one that usually starts at a precise entry point. “Explore all possible vulnerabilities and locate where and how your system was penetrated.”

Rebuild or eradicate. Once you have the breach in hand, you have two choices: bolster the entry point, or rebuild your system altogether.

It’s a given that hacks are headaches. But before disgruntled customers hack you to bits, turn your attention to what you can currently control: Prevent attacks before they happen, and build a thoughtful, fast-acting strategy in case they do.

Lou Carlozo

Posted In: Customer Service, Management, Technology
