Cybersecurity breaches happen every day with disastrous consequences. For small businesses, now the most-targeted segment of business by hackers, a data breach can cost over $900,000 and destroy consumer trust in your brand, a potentially fatal event. Today SecludIT has collaborated with Katherine Luk from HP’s Small Business Solutions team to present some of our recommendations and best practices for small business owners to keep their data safe and their customers’ trust intact. Read on for tips covering public Wifi, physical device protection, IT infrastructure, employee education, and more steps to protect your business!
1. Controlling physical access
Physical access to computers is still a popular method for cyber attacks. The Verizon Data Breach Investigations Report (DBIR) found that in 2016, “an asset is lost over 100 times more frequently than it is stolen.” In these cases, 39% of incidents involve devices stolen directly out of the victim’s own work area. Such an incident occurred in a data breach at Premier Healthcare, where a laptop containing Personally Identifiable Information (PII) on over 200,000 individuals was stolen from the Billing department at the Indiana-based company. Although the laptop was later returned via mail, the possibility for data to be stolen physically rather than digitally remains.
Another physical threat arises when devices are taken off-premises. The Verizon DBIR reports that in over one-third of physical theft cases, a device was stolen from the employee’s personal vehicle. While there are myriad ways to reduce the likelihood of off-property device theft, the best way to mitigate the damage when it does happen is full drive encryption. If your employees regularly need access to sensitive information while off-property, consider investing in specialized commercial devices; HP business laptops offer a wider range of professional security features. Full drive encryption, not only on laptops but also on removable media such as flash drives and memory cards, prevents malicious access to information even if the hardware itself ends up in the hands of an attacker.
When disposing of sensitive information, take the appropriate steps to securely remove any PII or sensitive information, either in a digital or physical format. In a worst-case scenario, printed records containing PII belonging to Community Mercy Health Partners (CMHP) were found in a publicly-accessible dumpster, compromising over 90,000 individuals. When disposing of print records, ensure a proper procedure is in place for securely shredding and removing records. While digital hard drives can be wiped (to a point), literally destroying them with drills and hammers guarantees that no data can be retrieved by malicious actors.
2. Controlling information access
Negligence continues to play a huge role in allowing for data breaches to occur. A report on small business cybersecurity practices by the Ponemon Institute found that the most common cause of data incidents was improper handling or procedure from negligent employees or contractors. Furthermore, almost 50% of insider and privilege misuse cases in the 2016 DBIR dataset took months to discover, which would indicate an industry-wide difficulty in identifying and containing these types of breaches.
One of the best ways to monitor your company for these types of leaks is through information access + control. Creating unique accounts and identifiers for every company individual allows your staff to set appropriate access privileges for employees and minimizes the chances of employees accidentally (or intentionally) discovering sensitive information. This also allows for digital forensic investigations to identify and close breaches quickly. Building a regular security inventory into your cybersecurity policy ensures that IT staff is aware of security permissions for employees and mitigates the chances of sensitive information exposure.
One more tip from the Verizon DBIR? Run flash drive audits regularly. Identifying the use of USB drives to exfiltrate information allows IT staff to find leaks and secure sensitive data. Unmanaged USB ports in general represent a security risk, so consider purchasing and deploying USB port blocker hardware on publicly-accessible devices, in addition to implementing an employee-wide policy on the use of flash drives for information transfer.
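The “regular security inventory” described above can be turned into a repeatable check: every person has their own account, each account’s group memberships match what its role is entitled to, and nothing is left enabled for a departed or inactive employee. The following is an added example and not code from the original post; the role entitlements, the accounts and their last-login dates are constructed for the demo, and in practice the account list would be exported from the company directory or identity provider.

```python
"""Periodic access inventory: unique accounts, least privilege, no leftovers.

Added example (not from the original post). ROLE_ENTITLEMENTS and ACCOUNTS
are constructed sample data standing in for an export from the directory.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed: the groups each job role is entitled to. Anything beyond this
# is excess privilege that the review should question.
ROLE_ENTITLEMENTS = {
    "billing": {"billing-app", "vpn"},
    "engineer": {"vpn", "git", "ci"},
    "it-admin": {"vpn", "domain-admins", "git", "ci", "billing-app"},
}


@dataclass
class Account:
    username: str
    person: str | None      # None means a generic/shared login nobody is accountable for
    role: str
    groups: set[str]
    last_login: date
    active_employee: bool = True


# Constructed sample directory export.
ACCOUNTS = [
    Account("alice", "Alice", "billing", {"billing-app", "vpn"}, date(2017, 3, 14)),
    Account("bob", "Bob", "engineer", {"vpn", "git", "ci", "domain-admins"}, date(2017, 3, 13)),
    Account("frontdesk", None, "billing", {"billing-app"}, date(2017, 3, 14)),
    Account("carol", "Carol", "engineer", {"vpn", "git"}, date(2016, 11, 2)),
    Account("dave", "Dave", "it-admin", {"vpn", "domain-admins"}, date(2017, 1, 5),
            active_employee=False),
]


def access_review(accounts: list[Account], today: date, dormant_days: int = 90) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for everything that needs attention."""
    findings: list[tuple[str, str]] = []
    for acct in accounts:
        # Least privilege: groups the role does not entitle the account to.
        excess = acct.groups - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            findings.append((acct.username, "excess privilege: " + ", ".join(sorted(excess))))
        # Unique identifiers: a shared login defeats forensic attribution.
        if acct.person is None:
            findings.append((acct.username, "shared account; actions cannot be attributed to a person"))
        # Leavers and dormant accounts are the easiest ones to forget.
        if not acct.active_employee:
            findings.append((acct.username, "account of a departed employee still enabled"))
        elif (today - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant account; disable or confirm still needed"))
    return findings


if __name__ == "__main__":
    for user, finding in access_review(ACCOUNTS, date(2017, 3, 15)):
        print(f"{user:10} {finding}")
```

Run it on a real export and the output is the review list for IT staff; the point of scheduling it is that the same questions get asked every time, not just after an incident.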
3. Multifactor Authentication and why it’s so effective
Multifactor Authentication (MFA) is quickly being adopted by many mainstream tech companies such as Google + Amazon, and for good reason. A well-implemented MFA system not only prevents unauthorized personnel from accessing your information, but can protect your account in the case of password or credential theft. MFA revolves around three distinct factors: knowledge, possession, and inherence. Combining two or three of these factors creates a much stronger security policy in the long run and blocks many common attack pathways. The knowledge factor is typically represented by passwords, security questions, or PINs, relying on individual memorization and knowledge. Possession factors are usually demonstrated through physical objects or tokens, such as ID cards or cell phones. In the latter case, a numerical code sent to a phone or other connected device still constitutes a possession factor, since knowledge of the code depends on possession of the device. Finally, inherence factors are typically based on immutable characteristics of an individual; these are often biometric measurements such as fingerprints captured through laptop fingerprint scanners.
When properly implemented, MFA can protect your information against a wide variety of threats, with the caveat that it has to be put in place before a breach occurs. MFA is especially effective at mitigating damage from password leaks. No one is immune to this type of breach (just ask Mark Zuckerberg!), and while using different passwords for every account is arguably the most effective preventative measure for password leaks, it remains relatively rare: almost 60% of Americans share and reuse passwords, according to a recent study from LastPass. Consider implementing MFA in your company’s password policy to ensure only legitimate employees access sensitive information; additionally, make sure these policies are actually being implemented and followed, as the 2016 Ponemon SMB study found that 65% of surveyed companies did not enforce their policies.
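To make the possession factor concrete, here is an added example (not from the original post) of the time-based one-time password scheme (TOTP, RFC 6238) used by most phone authenticator apps. The code is derived from a secret that only the enrolled device and the server hold, so a stolen password on its own fails the login. The base32 secret in the block is a constructed demo value; a real deployment generates a random secret per user at enrollment and stores it as carefully as a password hash.

```python
"""TOTP (RFC 6238) as the possession factor in a two-factor login.

Added example, not code from the original post. DEMO_SECRET_B32 is a
constructed demo value; never reuse a published secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form shown in enrollment QR codes.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30


def totp(secret_b32: str, timestamp: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Compute the TOTP for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = timestamp // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian time counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()     # HOTP core (RFC 4226)
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift.

    hmac.compare_digest keeps the comparison constant-time.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, timestamp + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def login(password_ok: bool, secret_b32: str, submitted_code: str, timestamp: int) -> bool:
    """Knowledge factor (password) AND possession factor (device code) must both pass."""
    return password_ok and verify_totp(secret_b32, submitted_code, timestamp)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("code on the enrolled device right now:", code)
    print("stolen password, guessed code       :", login(True, DEMO_SECRET_B32, "000000", now))
    print("password + code from the device     :", login(True, DEMO_SECRET_B32, code, now))
```

The drift window is the usual trade-off: one step either side covers phones whose clocks are a few seconds off, while a wider window gives an attacker more valid codes to guess, so keep it small and rate-limit attempts.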
4. Working out of the office
Working on the go presents an entirely different challenge when it comes to keeping your information safe; by giving up control of additional information pathways (such as internet connection), more opportunities for theft are created. One specific area to really keep an eye on is internet connection security. To borrow a familiar idiomatic structure: there’s no such thing as “free wifi”, especially if you happen to be sitting in a chain restaurant or café. Not only do many businesses offer free wifi on the condition of collecting your history and other potentially sensitive data, but public wifi in general presents a whole host of security issues. While using a Virtual Private Network (VPN) can mitigate the risk, consider very carefully what data you send over wifi when out of the office.
Even areas purporting to have secure wifi can be breached or infected; hotel business centers are ripe targets for malware and Man in the Middle (MITM) attacks. Sometimes the attack doesn’t even come over wifi; although it sounds obvious, keep in mind other individuals in your physical space when accessing confidential information. Using a secure network does nothing to prevent people standing behind you from seeing sensitive data. Instead, consider purchasing a privacy screen filter (note that some laptops have these built into the screens now) for these types of situations. Ultimately, the best way to keep data secure is to limit the number of times you access it outside of the office. Keeping in mind these best practices can help mitigate but not completely prevent the possibility of a data breach on the road, so use your best judgment when accessing sensitive data.
5. Employee Education + Training
Employees are your first line of defense against many different forms of cyber attacks, including malware, phishing, and other socially-engineered intrusions. Educating your employees to identify and report threats is a critical component of any company’s cybersecurity policy. In addition to a strong password policy (and enforcement!), discovering phishing attempts and reporting them is one of the strongest defenses your company can mount against malware and ransomware threats. Common signs of phishing include slightly misspelled email addresses or originating domains (e.g. g0ogle.com), poorly-written copy in the email itself, and unexpected attachments, especially Microsoft Word documents. Hiding malware in Word attachments is quickly becoming a popular entry point for hackers, so consider disabling Word macros (which allow malicious code to execute locally) or disallowing attachments in your company email policy.
Another key giveaway is asking for login credentials or sensitive information over email while claiming to be involved in the company (e.g. phishing or spearphishing). This attack method has tripped up some of the most tech-savvy companies today, including Snapchat; an unknown number of PII records were stolen after a member of the payroll department released payroll information to an email contact purportedly belonging to CEO Evan Spiegel. The Verizon DBIR found almost a third of phishing emails were opened in 2016; around 12% of users went on to enable the attack through downloading malware or clicking the suggested link. Furthermore, only 3% of suspected phishing emails were reported to management, making it difficult to address the problem or alert other employees to the potential threat. When creating your cybersecurity policy, look to encourage reporting of any suspicious emails and creating an open environment to share information across the office. Only after learning about the threat can management take steps to deal with it.
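The indicators listed in this section (lookalike sender domains such as g0ogle.com, macro-capable Office attachments, and an external sender asking for credentials or payroll data) can be scored automatically before a message reaches the employee. The block below is an added example, not code from the original post or from any mail product; the trusted domain list and the four sample messages are constructed, and the homoglyph table and the Office extension list are simplifications a real gateway would extend.

```python
"""Flag inbound mail that matches the phishing indicators described above.

Added example (not from the original post). TRUSTED_DOMAINS and SAMPLES are
constructed demo data; the homoglyph and extension tables are illustrative.
"""
from __future__ import annotations
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example-corp.com", "google.com"}            # constructed
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}   # formats that can carry macros
SENSITIVE_PHRASES = ("password", "login credentials", "w-2", "payroll", "wire transfer")

# Digit-for-letter and letter-pair swaps commonly seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Undo typical homoglyph substitutions so g0ogle.com compares as google.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def phishing_indicators(msg: Message) -> list[str]:
    """List the reasons a message should be held for review; empty means clean."""
    reasons: list[str] = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} looks like {imitated}")
    for name in msg.attachments:
        if any(name.lower().endswith(ext) for ext in MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment {name}")
    text = (msg.subject + " " + msg.body).lower()
    hits = [p for p in SENSITIVE_PHRASES if p in text]
    if hits and domain not in TRUSTED_DOMAINS:
        reasons.append("external sender asks for: " + ", ".join(hits))
    return reasons


# Constructed sample messages: a CEO-impersonation payroll request, a credential
# lure from a lookalike domain, a macro document from a vendor, and a normal mail.
SAMPLES = [
    Message("ceo@examp1e-corp.com", "Urgent: payroll", "Send me all W-2 forms today."),
    Message("it-helpdesk@g0ogle.com", "Verify account", "Confirm your password here."),
    Message("vendor@partner.example", "Invoice", "Please see attached.", ["invoice_march.docm"]),
    Message("colleague@example-corp.com", "Lunch?", "Noon at the cafe?"),
]


def triage(messages: list[Message]) -> dict[str, list[str]]:
    """Map each sender to its indicators; only flagged messages are included."""
    return {m.sender: r for m in messages if (r := phishing_indicators(m))}


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLES).items():
        print(sender, "->", "; ".join(reasons))
```

Scoring like this is a triage aid, not a verdict: the flagged messages go to whoever handles reports, which also gives management the reporting channel the DBIR numbers show is missing.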
6. Checking security solution configuration
There are many different security solutions on the market. SMEs are aware of cyber risk and are investing more and more (+3.7% in 2015). Today, few SMEs lack antivirus or firewalls. Some go further, opting for solutions that perform additional checks such as analyzing incoming mail, logs and file integrity. Others prefer to encrypt their data so that it stays protected even if an attack succeeds.
But no solution, however powerful, will be effective if it is misconfigured. A typical example is adding an overly permissive firewall rule just to get an application working.
Furthermore, because many people, including contractors, can make changes on a network, it is difficult to know what configuration has been set up on every part of it. To improve the visibility of network administrators and CISOs, tools for analyzing the network are necessary. A full scan brings up the devices on the network and their respective configurations.
In addition, this must be done continuously, because the infrastructure is in perpetual motion. IT managers must have a comprehensive view of the security solutions’ configurations so that they can intervene on them safely after each change.
7. Implementing continuous monitoring: your best friend
Before showing why continuous monitoring is your best friend, let’s explain why periodic security audits are outdated.
SMEs that carry out internal security audits (with pentest tools or open source vulnerability assessment tools) or that bring in an outsourcer are in a good position to fight cyber attacks. Indeed, few companies have this good reflex. However, here is what typically happens:
– First, you check your infrastructure once or twice a year to know your risk level
– Then, you detect a lot of new vulnerabilities, which leads to a significant work overload
– Finally, because you do not have an action plan, you either waste a lot of time solving all the security issues or address only the vulnerabilities that seem most critical to you (and pray that the untreated vulnerabilities will not become a gateway for hackers)
Even if you have done some of this work, your infrastructure is still vulnerable. Why? Because on average 28 new vulnerabilities are discovered each day. If you audit once a year, you could need to remediate 10,317 vulnerabilities at your next audit; if you audit twice a year, the figure is still over 5,000 …
This is why it is necessary to set up a solution that detects vulnerabilities continuously. As soon as a new vulnerability is discovered you can remediate it immediately, smoothing the workload throughout the year. This approach is really effective because it lets a company reduce its cyber risk level as far as possible, as advised by the Center for Internet Security (CIS) in its top 5 controls.
In addition, new security solutions let you generate reports that facilitate your interventions and improve reporting to your management.
8. Improving communication with C-Suite
The position of Chief Information Security Officer is relatively new. There is a shortage of people for the role, and those who occupy it are CISOs because of their experience. It is therefore difficult for the C-Suite, which is not a technical audience, to monitor and understand the work of the CISO or of the person in charge of security. The effectiveness of a CISO ends up being judged on whether or not the company is attacked.
Points of view differ: the CISO wants a bigger budget to protect an increasingly exposed infrastructure, while the C-Suite sees cyber risk as a cost. Therefore, when an attack occurs, the C-Suite deems that the CISO has not done their job well and holds them primarily responsible.
To improve communication, it is essential to put in place key risk indicators (KRIs) that the C-Suite can understand. KRIs make it possible to communicate the infrastructure’s cyber risk level and to judge whether an investment is necessary.
Depending on the degree of risk and the assets affected, a cyber attack can have a deep impact on all of the company’s activity. Loss of customers’ personal data or an unreachable e-commerce website will cost the company credibility and money. Like sales or marketing departments, the IT department must build KPIs as well. The best KRIs make it possible to follow the company’s cyber risk exposure. They can be derived from security standards such as ANSSI, OWASP, PCI DSS or CIS, for example.
These standards describe good practices and enable trend analysis that will reduce the risk quickly.
9. Uncovering shadow IT, the ghost vulnerability
SMEs use less and less physical infrastructure, because they want to reduce their IT investments through cloud solutions and outsourced hosting. As a result, they gain access to new, dynamic and scalable resources: rapid server and application deployment and increased computing capacity. However, an exhaustive view of the IT infrastructure is hard to obtain, because servers can be launched to test a project and then forgotten by their owner. They continue to consume resources and are no longer updated. As Gartner indicates, about 28% of servers are ghost servers.
On the other hand, to save money, it is easy to stop a server or an application when the company no longer needs it, intending to restart it later. These dormant resources are gateways for attackers because they are not analyzed before being redeployed. Few security solutions can analyze shadow IT, because doing so requires an automatic discovery mode. Vulnerabilities in shadow IT must not be overlooked, because about 53% of successful cyber attacks worldwide exploit known vulnerabilities.
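The “automatic discovery mode” this section asks for, and the continuous (rather than once-a-year) detection argued for in section 7, amount to the same loop: list what the cloud account actually runs, reconcile it with the asset register, and diff against the previous run. The block below is an added example and not SecludIT’s or any provider’s code; the inventory, asset register and previous snapshot are constructed sample data, and in a real deployment the inventory would come from the provider’s API.

```python
"""Discover ghost and dormant servers by reconciling the live cloud inventory
with the asset register, and diff successive discovery runs.

Added example (not from the original post). cloud_inventory, asset_register
and previous_snapshot are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Instance:
    instance_id: str
    name: str
    state: str                 # "running" or "stopped"
    owner: str | None          # from tags; None when nobody has claimed it
    last_patched: date | None  # None when the agent has never reported
    last_state_change: date


# Constructed: what the cloud API reports today.
cloud_inventory = [
    Instance("i-0001", "web-prod-1", "running", "ops", date(2017, 3, 1), date(2017, 1, 10)),
    Instance("i-0002", "poc-hadoop-test", "running", None, date(2016, 6, 2), date(2016, 6, 2)),
    Instance("i-0003", "old-shop-db", "stopped", "dev", date(2016, 9, 15), date(2016, 10, 1)),
    Instance("i-0004", "docker-ci", "running", "dev", date(2017, 3, 10), date(2017, 3, 10)),
]

# Constructed: what the asset register (CMDB) says the company owns.
asset_register = {"i-0001", "i-0003"}

# Constructed: instance ids seen by the previous discovery run.
previous_snapshot = {"i-0001", "i-0002", "i-0003"}


def discover(inventory: list[Instance], register: set[str], today: date,
             stale_days: int = 90, dormant_days: int = 60) -> dict[str, list[str]]:
    """Classify instances: ghost (unregistered or unowned), dormant (stopped a
    long time, so not analyzed before a restart), unpatched (no recent update)."""
    findings: dict[str, list[str]] = {"ghost": [], "dormant": [], "unpatched": []}
    for inst in inventory:
        if inst.instance_id not in register or inst.owner is None:
            findings["ghost"].append(inst.instance_id)
        if inst.state == "stopped" and (today - inst.last_state_change).days > dormant_days:
            findings["dormant"].append(inst.instance_id)
        if inst.last_patched is None or (today - inst.last_patched).days > stale_days:
            findings["unpatched"].append(inst.instance_id)
    return findings


def snapshot_diff(inventory: list[Instance], previous: set[str]) -> tuple[set[str], set[str]]:
    """Return (appeared, disappeared) since the last run; this is what makes the
    check continuous instead of a yearly audit."""
    current = {inst.instance_id for inst in inventory}
    return current - previous, previous - current


def safe_to_restart(inst: Instance, today: date, stale_days: int = 90) -> bool:
    """Gate for redeploying a dormant resource: it must have been patched recently."""
    return inst.last_patched is not None and (today - inst.last_patched).days <= stale_days


if __name__ == "__main__":
    today = date(2017, 3, 15)
    for category, ids in discover(cloud_inventory, asset_register, today).items():
        print(f"{category:10} {ids}")
    appeared, disappeared = snapshot_diff(cloud_inventory, previous_snapshot)
    print("new since last run:", appeared, "| gone:", disappeared)
```

Run on a schedule, the `appeared` set is the list of servers nobody told IT about, and the `dormant` list is the set that must pass `safe_to_restart` before anyone brings it back online.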
10. Securing Cloud Computing
Companies often think that the Cloud is less secure than traditional infrastructure because hosting is outsourced and data is accessible from anywhere in the world (for those who have access). Keeping servers in your own offices can be reassuring. However, on one hand, investment in physical IT infrastructure is expensive and, on the other, ensuring operational security is an additional cost.
Cloud service providers (IaaS, PaaS, SaaS) must take care of their customers’ security. In particular, they handle the physical security of servers and buildings, applications, access, identities …
This “first level of security” operates under a shared responsibility model. The cloud provider protects its infrastructure, and the client must manage its workloads (servers, firewall, network …) to keep them well configured and free of vulnerabilities (for example, updates not performed or known vulnerabilities not patched). The scope of the company’s responsibilities is therefore limited, enabling it to focus more effectively on its workloads.
Companies also need to prioritize new vulnerabilities detected in container or Big Data technologies such as Docker and Hadoop. These technologies are recent, but security best practices for them exist today.
It is certain that security teams cannot be experts in every technology. They need security solutions that analyze their cloud infrastructure and ensure that security best practices are applied. These solutions must cover Docker, Hadoop and Cloud Workloads while still including traditional infrastructure. Indeed, SMEs cannot afford to be overwhelmed by too many different security solutions, which results in a loss of time and overall efficiency.
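The workload-side misconfiguration this section puts on the customer, and the “overly permissive firewall rule added to make an application work” from section 6, are the same finding whether the rule lives on an on-premises firewall or in a cloud security group. The block below is an added example, not code from the original post or from any firewall or cloud vendor: it audits a constructed rule set for services exposed to the whole internet, shows the same rules after they have been narrowed, and reports drift from an approved baseline. The admin port table and the CIDR ranges are constructed for the demo.

```python
"""Audit firewall / security-group rules for world-open exposure and drift.

Added example (not from the original post). BEFORE and AFTER are constructed
rule sets; 203.0.113.0/24 is a documentation range standing in for a VPN egress.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from 0.0.0.0/0 (constructed, extend as needed).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               27017: "mongodb", 9200: "elasticsearch"}
PUBLIC_SERVICE_PORTS = {80, 443}   # the only single ports expected to face the internet


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str     # "tcp", "udp" or "all"
    from_port: int    # 0..65535 with to_port 65535 means "all ports"
    to_port: int
    source: str       # CIDR the rule allows traffic from


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, problem) for every inbound rule open to the whole internet."""
    findings: list[tuple[str, str]] = []
    for r in rules:
        net = ipaddress.ip_network(r.source, strict=False)
        if net.prefixlen != 0:          # not 0.0.0.0/0 or ::/0, so not world-open
            continue
        if r.protocol == "all" or (r.from_port == 0 and r.to_port == 65535):
            findings.append((r.name, "allows every port/protocol from the whole internet"))
            continue
        exposed = [f"{p}/{ADMIN_PORTS[p]}" for p in ADMIN_PORTS if r.from_port <= p <= r.to_port]
        if exposed:
            findings.append((r.name, "admin service open to the internet: " + ", ".join(exposed)))
        elif not (r.from_port == r.to_port and r.from_port in PUBLIC_SERVICE_PORTS):
            findings.append((r.name, f"ports {r.from_port}-{r.to_port} open to the internet; confirm intended"))
    return findings


def drift(current: list[Rule], baseline: list[Rule]) -> set[str]:
    """Names of rules present now that are not in the approved baseline; run this
    after every change so a quick fix cannot linger unnoticed."""
    approved = set(baseline)
    return {r.name for r in current if r not in approved}


# Constructed: the rule set after someone "just made the app work".
BEFORE = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("quick-fix-for-app", "all", 0, 65535, "0.0.0.0/0"),
    Rule("ssh-anyone", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("db-from-app-subnet", "tcp", 5432, 5432, "10.0.2.0/24"),
]

# Constructed: the same intent expressed with least privilege.
AFTER = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("app-port-from-lb", "tcp", 8080, 8080, "10.0.1.0/24"),
    Rule("ssh-from-vpn", "tcp", 22, 22, "203.0.113.0/24"),
    Rule("db-from-app-subnet", "tcp", 5432, 5432, "10.0.2.0/24"),
]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after :", audit(AFTER))
    print("drift from approved baseline:", drift(BEFORE, AFTER))
```

The check is deliberately dumb about business context (a rule opening 8080 to the world is reported for confirmation rather than judged), which is what you want from a continuous control: it surfaces the question every time and leaves the decision to a person.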
These 10 tips for improving your security are not exhaustive. You need to invest in relevant security solutions according to your needs, which can be specific to your business (e.g. PCI DSS certification for an e-commerce website). It is hard for SMBs to be experts in all these areas and to handle everything. A good starting point is a security or risk assessment, in order to build a roadmap for implementation.
Katherine is the Community Outreach Coordinator for HP’s Small Business Solutions team, focused on sharing info and tech best practices. Katherine is passionate about learning new information on the latest in digital innovation, promoting small business cybersecurity policy, and engaging with the tech community.
Sébastien Aucouturier is VP Engineering for the SecludIT team. His job is a mix of R&D boss, senior technologist and IT visionary, working on proofs of concept and software design/integration. Sébastien is passionate about container technology and promotes Cloud adoption among medium-sized enterprises.