Kamala Harris, California's Attorney General, issued a set of recommendations for preventing and responding to cyber attacks and security breaches. The recommendations, called Cybersecurity in the Golden State, are directed to small and medium-sized businesses, which often lack the resources of a large IT department but are frequently the targets of cybercriminals. According to the Attorney General's office, 50 percent of all cyber attacks in 2012 were aimed at businesses with fewer than 2,500 employees, and 31 percent were aimed at those with fewer than 250 employees.
Noting that cybercrime is largely opportunistic, the Attorney General encouraged all California businesses to take the following steps:
- Assume You're a Target
Any company, whether big or small, can be the victim of cybercrime, so assume you are a potential target and take basic precautions to protect yourself and your company.
- Lead by Example
Cybersecurity is not simply the domain of the "IT person"; executive management has to get involved. Small business owners should dedicate the time and resources necessary to ensure the safety and security of their information assets.
- Map Your Data
To protect your data effectively, you first need to know the types of data you have and the location of that data. Next, comprehensively review the data you have stored on your IT systems, both on-site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, get rid of what you don't really need.
- Encrypt Your Data
Encrypt the data you need to keep. Machines that handle sensitive information, such as payroll or point of sale (POS) functions, ideally should be on networks or systems that are separate from machines involved with routine services like updating Facebook and checking email.
- Bank Securely
It is essential that small business owners put security first when they engage in online banking. This means that online banking should be performed using only a secure browser connection, and you should erase your web browser cache, temporary Internet files, cookies, and history afterward, so that if your system is compromised, that information will not be accessible by cybercriminals. In addition, take advantage of the security options offered by your financial institution, and set limits on the amounts that can be wired from your accounts.
- Defend Yourself
Guard against single points of failure in any specific technology or protection method. This should include the deployment of regularly updated firewalls, antivirus software, and other Internet security solutions that span all digital devices, from desktop computers to smartphones to tablets. Useful capabilities include the ability to remotely locate or wipe a device that's gone missing and the ability to identify and block never-seen-before attacks using technologies that analyze behavior and/or employ virtualization tools.
- Educate Employees
Raise employees' awareness about the risks of cyber threats, mechanisms for mitigating the risk, and the value of your business's intellectual property and data. Your employees are the first line of defense, and good security training and procedures can reduce the risk of accidental data loss and other insider risks.
- Be Password Wise
Change any default usernames or passwords for computers, printers, routers, smartphones, or other devices. Use strong passwords, and don't let your Internet browser remember your passwords.
- Operate Securely
Keep your systems secure by using layered security defenses and keeping all operating systems and software up to date. Don't install software you did not specifically seek out, and don't download software from untrusted or unknown sources. Also remember to remove or uninstall software you are no longer using.
- Plan for the Worst
Every small business should put together a disaster recovery plan so that when a cyber incident happens, your resources are used wisely and efficiently. Pick an incident response team and assign a leader. Make sure the team includes a member of executive management. Outline the basic steps of your incident response plan by establishing checklists and clear action items.
The Attorney General's recommendations also describe the four categories of cyber threats - social engineering scams, network breaches, physical breaches, and mobile breaches - and detailed guidance for responding to cybersecurity incidents.