Most self-storage operators make facility security a priority. Features like perimeter fencing, surveillance cameras and lighting go a long way toward warding off intruders and protecting tenants’ property. But while those are prudent steps for defending your physical site, it’s just as important to protect your business and customer data from online threats.
As facility operators increasingly rely on websites, cloud services and online payments, they must also meet the danger posed by cyberattacks. From holding computers hostage to stealing customer data, cybercriminals can hurt a self-storage business financially and create major headaches for staff and tenants.
During the coronavirus pandemic, incidents of cybercrime have increased significantly, and attacks have grown more sophisticated. The Federal Trade Commission recorded more than 1.4 million identity-fraud cases in 2020, more than double the previous year. The shift by many companies to remote-working environments has created new opportunities for criminals to infiltrate businesses, with assaults expected to increase this year.
The Biggest Threats
Small- to mid-sized businesses, like many self-storage operations, make a particularly attractive target for cybercriminals. While larger companies may have departments dedicated to thwarting attacks, smaller ones don’t have those capabilities or resources. Following are the types of scams and vulnerabilities most likely to impact your facility:
Ransomware. These attacks have grown in the last few years and show no signs of slowing. In this case, the virtual assailant is able to take complete control of your computer and prevent you from accessing your own data. You then face an ultimatum of paying a ransom to the attacker or having all of your data destroyed. Ransomware can cost anywhere from $5,000 to hundreds of thousands of dollars or more, not including the expense of mitigating the resulting damage.
Spear phishing. This is a technique hackers use to trick people into giving up passwords or other sensitive information. Fraudsters will send an email or text message that prompts the recipient to perform an action such as downloading a piece of malware or giving away a password by logging into a fake website.
Spear phishing is an evolution of the original phishing scams. What sets it apart is that attackers use highly targeted messages that often address recipients by name. They may also impersonate someone the victim works with, such as a manager or owner. Spear phishers cleverly mask themselves, making it appear as if their communications are from a trusted source, such as a government agency, bank or a company familiar to the target.
Cryptomining malware. This is another emerging threat affecting small- to mid-sized businesses. In such an attack, a hidden piece of malware code is downloaded to the victim’s computer. In the background, the code will “mine” cryptocurrency tokens for the attacker using extra processing power. This not only slows the computer, it also opens opportunities for further attacks, such as stealing customer credit card information.
Cloud vulnerability. As more self-storage operators adopt the use of cloud services, this becomes another place where cybercriminals can steal data. They aim to gain access to organizations that do business with cloud-service providers. Hackers also infiltrate online accounts using stolen passwords and other techniques. If they can access one account, such as someone’s email, they can often use that information to break into multiple accounts across different services.
Endpoint attacks. When employees take a company laptop home or use a smartphone for work-related tasks, they create another way for cybercriminals to gain access to business networks. In fact, it’s one of the easiest ways to infiltrate an organization since remote employees often transmit data outside of their business’s secured network.
Warding Off an Attack
Just like a physical burglary, a cyberattack is often a crime of opportunity. Think about your self-storage facility. A determined thief can break almost any unit lock, if they have enough time and patience; but most will look for a unit that’s unlocked, as it’s faster and easier.
This is also true in cybercrime. Attackers look for companies with weak defenses and quickly move on if an attempt doesn’t succeed. Don’t be their next easy target! The following measures will go a long way toward warding off threats. While these are the minimum steps to protect your business, they provide a good foundation from which to further develop your cyberdefenses.
Prioritize training. Malware or ransomware often lands on computers due to an honest mistake made by an employee carrying out routine business. Malicious emails and text scams can easily fool the untrained eye. This is why it’s beneficial to conduct routine cybersecurity training with staff. Teach them to identify fraudulent and suspicious emails and take appropriate steps in response. Remember the old saying: An ounce of prevention is worth a pound of cure.
Use two-factor authentication. One common way cybercriminals gain access to data is by infiltrating email and resetting passwords to cloud services, bank accounts or other secure platforms. Enabling two- or multi-factor authentication for all your accounts and services is a must when using software that stores sensitive data such as customer payment information.
With additional authentication, the person attempting to log in must further affirm their identity by inputting a generated code that’s typically sent to their known email or phone number. This additional layer of security usually kicks in when someone tries to log into a platform from an unknown computer or new location.
Secure wireless networks. Most cyberattacks come through a network connection. A network is formed whenever two or more computers are connected to each other. To prevent unwanted access, your first and foremost line of protection is an active firewall, which can be configured to limit inbound and outbound traffic, blocking any sources that aren’t required for business purposes.
All Wi-Fi networks should be password-protected using WPA2 or WPA3 encryption. Change passwords regularly, and keep all network devices updated with the most recent software and firmware to minimize vulnerabilities.
Fortify endpoints. Laptops, tablets and smartphones are all endpoint devices. They can connect to critical data infrastructure, which means they must be secure. Extra precautions should be taken if they’re used offsite, where they could easily fall into the wrong hands. Self-storage operators can minimize the threat of an endpoint attack by doing the following:
- Use a robust security solution, such as CrowdStrike or FireEye, that provides advanced endpoint protection on company devices.
- Verify that all endpoint devices are using full-disk encryption. This ensures that data can’t be accessed if a device is lost or stolen.
- Enable individual user accounts for all computers, and don’t allow staff to use an admin-level account for day-to-day business tasks.
Back up your data. Back up vital business data daily to an external drive that isn’t connected to the network. This allows for smooth continuity of operation if a ransomware attack occurs.
Working With Service Providers
Of course, central to your defense against cyberattacks is your ability to pick reputable vendors that offer reliable service and implement effective security measures to protect data.
Cloud providers. When you connect to the cloud, you’re entrusting your data to be handled securely by another party. Understanding and reviewing the cybersecurity practices of your vendor partners is your responsibility and shouldn’t be ignored. Questions to ask include:
- With what hosting providers is cloud data stored?
- What security standards are used within the software production environment?
- Is network traffic monitored 24/7?
- What is the reporting process for security incidents?
- What type of data encryption is used?
- What type of support do you provide in response to an incident?
Email vendors. Don’t skimp when it comes to choosing a partner in this area. Reputable vendors such as Microsoft and Google are ahead of the curve when it comes to responding to the latest attacks. Self-storage operators will benefit from an email host that detects and blocks malicious emails and provides other security controls.
Keep software up to date. Software developers frequently provide patches and updates designed to protect against the latest threats and newly discovered vulnerabilities. Most operating systems and software programs will automatically download and install updates. An easy way to keep your cyberdefenses strong is to make sure your systems are set up to receive automatic updates.
One recent survey found that 60% of small businesses lack a cybersecurity policy. Don’t be one of them! Take the steps to understand where your self-storage operation is most vulnerable and set up defenses to protect vital business and customer data.
Al Harris is the editor of Storage Beat and content manager at Storable, an Austin, Texas-based supplier of cloud-based access control as well as management software, marketing services, payment processing, website development and other services. He obtained his degree in journalism from Virginia Commonwealth University. He loves reading Elmore Leonard novels and listening to classic country music. For more information, call 888.403.0665.