Its barely two months into 2014, and weve seen a tremendous number of issues pertaining to privacy and data breach management. At an Online Trust Alliance (OTA) meeting I recently attended, the comment was made that Its not a case of if you will be affected by a breach, its a case of when.
This is sobering commentary for any business that has an electronic business model, which, these days, is basically all of us. Being relatively small or anonymous doesnt guarantee that cybercriminals wont notice you. So where do you turn for assistance and guidance if youre a small organization without deep pockets or resources?
A small business guide to cybersecurity issues
The State of California has published a great resource for businesses: Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents. The information in this document is applicable to all businesses everywhere, not just in California, and it offers cybersecurity help for SMBs. I strongly encourage you to read it to familiarize yourself with the concepts and all the possible threat issues that could have a detrimental effect on your brand, your reputation, and your ability to conduct legitimate online commerce. It can be difficult and expensive to recover from a privacy breach; prevention is the best course. As the study notes:
According to the 2014 Cost of Cybercrime Study, conducted by the Ponemon Institute, … costs for businesses that are victims of Internetbased attacks have risen 78 percent per year, on average, over the past four years.
10 cybersecurity truths
Heres an edited version of the executive summary of the report:
Relatively small investments in cybersecurity preparedness can yield significant risk reductions. The Guide contains further recommendations for how to prepare an effective cybersecurity incident response plan, but here are the main issues:
Any company, big or small, can be the victim of cybercrime. Just as it has become second nature for most of us to lock our front doors when we leave the house, assume you are a potential target and take basic precautions to protect yourself and your company.
2. Lead by example
Cybersecurity is not the exclusive domain of IT; executive management has to get involved. Small business owners are in the best position to understand their companys network and all the devices that connect to it. This requires dedicating the time and resources necessary to ensure the safety and security of their information assets.
3. Map your data
To effectively protect your data, the report suggests that you first need to know the types of data you have and the location of that data. Comprehensively review the data you have stored on your IT systems, both on site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, take a hard look and get rid of what you dont really need.
4. Encrypt your data
Encrypt the data you need to keep. In basic terms, encrypting data whether its email, photographs, memos, or any other type of electronically-stored information encodes it so that those without the encryption keys cannot read it. Strong encryption technology is now commonly available for free, and it is easy to use. The great advantage to encrypting your data is that it renders it far less susceptible to hacking. Note that machines that handle sensitive information like payroll or point of sale (POS) functions should ideally be on networks or systems separate from machines involved with routine services, like updating Facebook and checking email.
5. Bank securely
The California report includes specific, actionable advice for online banking, including:
- Put security first. Perform online banking using only a secure browser connection (indicated by https and/or a lock visible in the address bar or in the lower right corner of your web browser window). Online banking sessions should be conducted in the private mode of your web browser, and you should erase your web browser cache, temporary Internet files, cookies, and history afterwards so that if your system is compromised that information will not be accessible to cybercriminals.
- Take advantage of the security options offered by your financial institution. Examples include using two-factor authentication to access your account, requiring two authorized individuals to sign off on every transfer of funds, and setting up account notifications by email or text message when certain higher risk activities occur on your account.
- Set limits on wire transfers. Sophisticated transnational criminal organizations are now routinely hacking businesses computers and wiring large sums overseas where they cannot be recovered. To prevent this, set limits on the amount that can be wired from your accounts, and (depending on your business needs) consider asking your bank to require two executive team signatures before sending wire transfers overseas.
6. Defend yourself
In choosing security solutions, guard against single points of failure in any specific technology or protection method. This should include the deployment of regularly updated firewalls, antivirus, and other internet security solutions that span all digital devices, from desktop computers, to smartphones, to tablets.
Devices connected to your network should be secured by multiple layers of defensive technologies that include, but are not limited to, antivirus technology. Seek out comprehensive security solutions that approach security from multiple perspectives so that you are able to manage risk from the full spectrum of threats you may encounter. Useful capabilities include the ability to remotely locate or wipe a device thats gone missing and the ability to identify and block never-seen-before attacks using technologies that analyze behavior and/or employ virtualization tools.
7. Educate employees
Raise employees awareness about the risks of cyberthreats, mechanisms for mitigating the risk, and the value of your businesses’ intellectual property and data. Your employees are the first line of defense, and good security training and procedures can reduce the risk of accidental data loss and other insider risks.
8. Be password wise
Change any default username or passwords for computers, printers, routers, smartphones, or other devices. ANYTHING is better than the default. Specifically, you should use strong passwords and dont let your internet browser remember your passwords.
9. Operate securely
Keep your systems secure by using layered security defenses and keeping all operating systems and software up to date. Dont install software you did not specifically seek out, and dont download software from untrusted or unknown sources. Remember to remove or uninstall software you are no longer using.
10. Plan for the worst
The report notes that every small business should put together a disaster recovery plan so that when a cyber-incident happens, your resources are used wisely and efficiently. Pick an incident response team and assign a leader. Make sure the team includes a member of executive management. Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at your company who to contact if they suspect a cyber-incident has occurred (or is occurring). Gather and distribute after-hours contact information for your incident response team. Next, outline the basic steps of your incident response plan by establishing checklists and clear action items.
The State of California report goes into social engineering scams, network breaches, physical breaches, and mobile breaches, and includes more detail about secure operations and incident response. Its well worth your time; we are only going to see more issues that affect legitimate businesses in our digital marketplace. So grab a comfortable chair and a hot coffee and study this useful, valuable, readable guide to cybersecurity for small and mid-sized businesses.
Act-On is committed to your privacy and data protection. Take a look at our proactive efforts and industry certifications here.
Top image: “Privacy” by g4114is. Used with permission, under a Creative Commons 2.0 license.