A cyber incident will happen to your company. It is not a matter of if, but when. Small businesses make an appealing target because hackers know they don’t spend as much on security as larger businesses and are not as careful.
According to a Towergate Insurance study, 82 percent of small business owners claim that they are not targets for attack because there is nothing worth stealing. However, employee personal data and health information and customer data are always worth stealing. Symantec reports that 43 percent of cyber-attacks worldwide in 2016 were against small businesses with less than 250 workers. In fact, cyber crooks try to rob bank accounts via wire transfers, steal customers’ personal identify information, file fraudulent tax returns, commit Medicare fraud, etc.
IBM estimates that nearly two-thirds of all cyber-attacks hit small to mid-sized businesses. More disturbing, the U.S. National Cyber Security Alliance estimates that about 60 percent of those hit are forced to close six months after an attack. A 2016 Poneman Institute Breach Report advises that the average price a small business has to pay after a cyber attack is about $690,000.
According to the 2017 Verizon Data Breach Investigations Report:
- 75 percent of the breaches were perpetrated by outsiders (with 51 percent involving organized criminal groups) and the remaining involved internal actors.
- 62 percent of the breaches involved hacking
- 81 percent of breaches involving hacking leveraged stolen and/or weak passwords
- Not surprising, malware installed via malicious email attachments was present in 50 percent of the breaches involving hacking
- The victims of data breaches are:
- Financial organizations (24 percent)
- Health care organizations (15 percent)
- Public sector entities (12 percent)
- Retail and accommodations (15 percent)
- One in 14 users are tricked into following a link or opening an attachment with 25 percent of the users making the same mistake twice
It’s all about the money: Perpetrators of data breaches steal and exploit sensitive data for financial gain. They are opportunistic, using phishing to poke for weak points to use as entry points. Phishing, the most common tool, involves collecting sensitive information like login credentials and credit card information through legitimate-looking but fraudulent websites. Ninety-five percent of phishing attacks led to a breach that was followed by the installation of some sort of malicious software (malware).
Small to mid-sized businesses can take preventive steps to minimize damage. Here are 20 tactics to employ to protect your data.
20 Simple Strategies for Cybersecurity
- Set strong passwords. The longer, the better with at least 12 characters. Mix symbols, numbers and capital letters into the middle of the password, not at the beginning or the end. Create chapters out of your life story using the first letters etc. Don’t use the same passwords for every account. If you put all of your passwords in one box, it will be easier to attack.
- Back Up Your Data. Test whether you really can restore data as promised. Have a tiered or distributed backup solution that keeps several copies of backup files in different locations (Cloud and physical) and on different media.
- Train, train and train some more. Train staff on these strategies plus easy old-fashioned habits. Employees should lock room and file cabinets where records are kept, refer suspicious calls to trained employees, and report suspicious attempts to obtain proprietary information to designated personnel. Employees should not share or post employee passwords.
- Keep data on a “need to know” basis. Prevent the employee saboteur from accessing restricted areas.
- Patch and Monitor
- Software updates. Patch promptly. Maintain up-to-date and appropriate programs and controls to prevent unauthorized access. Keep your operating system, browser, and software up to date. Use antivirus and anti-spyware software that updates automatically, maintain up to date firewalls, regularly ensure that ports not used for business are closed, and immediately share up-to-date intrusion detection systems with your employees. Insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or changes
- Monitor your network. Diligently watch activity on your network and monitor use of data. Look for large incoming and outgoing data transfers. Keep an inventory of company computers and any other equipment on which customer information or your trade secrets or proprietary information is stored.
- Denial of service systems. Check to see if you have denial of service mitigation services in place to thwart attacks.
- Establish a sensitive data policy. Create—and enforce—a formal procedure for disposing of sensitive data and a “four-eyes” policy before publishing information. Wherever possible, avoid storing sensitive customer data on a computer with an internet connection. Policies and procedures that touch data security should be from the top-down. Understand the different classes of data and the sensitivity of each one, and then design your processes accordingly.
- Encrypt data whenever possible. Encryption is one of the most effective data security methods used by organizations. Data encryption solutions can encrypt devices, email, and data itself. In addition to encrypting data, establish a corporate culture that frowns on printing out sensitive data.
- Use two-factor authentication. Encourage customers to vary passwords and use two-factor authentication. Two-factor authentication requires both your password and an additional piece of information to log into your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token. Limit amount of sensitive information stored in web-facing applications.
- Verify requests for information. Every time someone asks for information, whether in an email, text, phone call, or web form, think about whether you can trust the request and how, if at all, you can verify. No one in accounting should respond to a request for payment via unauthorized processes. Always pick up the phone and investigate all check requests.
- Keep devices next to you. Never leave your laptop, phone or other devices unattended in public, even locked in a car. Be wary of free Wi-Fi; you could be logging onto a hacker’s Wi-Fi at Starbucks. You can turn on device encryption to encrypt all data on your devices. To protect your information when using wireless hotspots, send information only to websites that are fully encrypted – look for https on every page. Avoid using mobile apps that require sharing personal or financial information over public Wi-Fi. Use password-activated screen savers to lock computers after a period of inactivity.
- Use encrypted websites for ecommerce. Only buy from encrypted websites – look for https on every page. Ensure that the owner of the website is actually reputable and is who they say they are.
- Establish data access procedures for onboarding or terminated/no longer employed (NLE) employees. Establish data access procedures for onboarding new employees. Establish data restriction/termination of access procedures for those terminated/NLE.
- Create an incident response plan. Institute and practice an incident response plan.
- Maintain security for your mobile devices. Turn on device’s auto-lock. Store as little as possible on device and back up information to the Cloud. Notify your employer immediately if your device is stolen or lost. Keep Bluetooth out of discover mode when not in use. Use basic security common sense.
- Conduct a risk analysis and risk assessment test. Have an outside firm do a penetration test (live hacking engagement). Risk assessment is an exercise that can be done by a third party or an in-house resource, but it’s a process that has more to do with identifying and often quantifying risks and mitigations.
- Create telecommuting policies. Develop policies for employees who telecommute. Where is sensitive data stored in employee’s home?
- Follow disposal and data retention rules for consumer information. Follow the FTC’s Disposal Rule for consumer information as well as state laws in 31 states for data disposal. Different federal rules regarding data retention apply for different industries (e.g., HIPAA, GLBA, etc.).
- Perform due diligence. Before entering into agreements and partnership with entities you may be subcontracting with or joint venturing/purchasing, perform due diligence. Carefully review Business Associate Agreements. Ask the vendor specific questions about annual risk assessments, training of employees, and encryption, and insist on indemnification.
- Purchase cyber security insurance. Check it out. Insurance should cover both internal and external related losses. Internal losses would include business interruption expenses, legal expense, loss of digital assets, and security event response costs. External losses would include coverage for third party damages, credit monitoring expenses, postage, advertising and customer notification.
Once hacked, a business needs to review the various state and foreign countries where their customers reside. Contact databases have to be created, a determination of all regulatory requirements need to be made, outside experts need to be engaged, postal and notification costs have to be determined, and email bounce backs and inbound communications set up.