The New Media Institute (NMI) is a research and fact-finding organization whose mission is to improve public understanding of issues surrounding the Internet and other forms of new media communications. NMI works directly with the news media, researchers, academics, government and industry professionals and serves as a primary resource of facts, statistics and analysis.
Layered Security for Small and Medium Sized Businesses
Small businesses have become some of the most attractive targets today for enterprising cyber thieves. They are among the easiest targets for cybercriminals looking to exploit unprotected customer information, intellectual property, unprotected credit card and social security numbers or simply computing power. The sophistication and technical expertise of “hackers” to recursively scan the internet for unsecured small-business computers to take over and pillage has grown exponentially.
"It used to be that some businesses were small enough to not matter to attackers," says Paul Judge, chief research officer for Barracuda Networks in Campbell, Calif. "But with the volume of the attacks and the automation levels of the attacks, any business that is connected online needs to be prepared with proper security measures."
Cybercrime comes down to one thing: money. It can be either a direct taking by theft of bank information, or indirect by seizing and selling information. Collecting names and passwords is the “data mining” of the cyberhacker. Worse yet, a beginning cybercrook can buy toolkits and get into the business of breaking into businesses without even knowing much about technology. Malware has gotten so automated that all a bad actor needs is to get an infection onto a machine. Once malware takes root, the hacker controls the computer. Much malware simply waits for the user to visit a banking or financial site and then automatically captures log-in information and sends it back.
Even though losses can be fatal, many small businesses fail to make even a cursory attempt to protect their livelihoods. In a poll conducted among roughly 1,500 small businesses by Applied Research on behalf of Symantec, a full one-third of small businesses reported that they didn't even have antivirus software installed on their computers. Among those that do, most tend to rely only on antivirus software, and perhaps a basic network firewall, to ward off the evils of the Internet. They're not enough. Cybercriminals have gotten smart enough to work around and through a lot of antivirus software. Security experts agree that antivirus is a good tool to help root out well-known viruses and block known attacks, but they say businesses need other protections to block the countless new attacks that criminals hatch every day.
Another part of the security problem is the conduct of business outside the office. Hotels, coffee shops, and home offices are prime locations for employees to carelessly expose a small business network to outside attack. Many employee computers connect most often outside the business’s firewall. Clearly, small businesses need to reset their perspective when it comes to cybersecurity. Layered dynamic security is determining where you are most vulnerable and defending against attack; it is layering security to provide a cocoon around your employees and your business. That vulnerability may be most extreme when you’re outside the office.
There are two basic vectors for current attacks on small and medium sized businesses: the web itself, and email. All it takes is an employee who visits a compromised website or hits “open” on an email that’s targeting their computer. With just one percent of recipients opening a phony email, it’s worth the crook’s time and effort to send them out. Once one user opens the email’s link, the infected computer can be used as a way to attack more computers within the company network, steal information and take over a network.
IT security should start with the least technical step: a threat assessment. Who has access to vital information (bank accounts, credit cards, passwords, etc.) in your company? What else besides work does the staff do on their computers? What data is most important to your business? What would hurt you most if it were stolen (intellectual property, legal records, customer information)? Remember: not all data is equal.
The best approach a small to medium sized company can take is a layered and targeted approach to digital security. Once a company knows the digital assets it holds and the risks it faces, security can be layered in a way to maximize return on expenditure and lower your risk of loss. Most importantly, because the greatest risk comes from just two vectors, small and medium sized businesses need to protect those entry points first.
From a technological perspective e-mail and web-filtering technologies are the small business’ first line of defense. You may create some staff hostility in locking down users too tightly, but there are providers that offer a nuanced and dynamic filtering that doesn’t need to be intrusive. Employees may not be able to explore the web freely, but the limits can be gentle.
Protection also starts with making sure systems, both servers and workstations, are configured correctly and updated with patches and service releases as they are issued. This is not just an operating system requirement. Everything from Adobe Acrobat Reader and Java, from Flash to QuickBooks, is regularly subject to upgrades and updates that protect the user. They are an absolute necessity. A large part of the malware out there takes advantage of weaknesses discovered in commercial software to infect your network.
Also, when you buy anti-virus and malware software, or subscribe to filtering services, buy the best. Use business level software and not your home version of Symantec.
Small businesses also should make sure their websites aren't responsible for other businesses' security woes. Many hackers search for vulnerable web applications that will allow them to break into sites and install hidden pieces of code that allow drive-by downloads, i.e. fast-acting infection mechanisms that automatically load malware onto unsuspecting visitors' computers. For this reason, organizations need to pay more attention to application security and the methods they use to deliver online services. Employing technologies that provide web application vulnerability scanning and web application firewalls is highly recommended.
Remember, although hackers have perfected their toolbox, sophisticated security services are more affordable. Small businesses do not need an IT security person in-house. They just need to be aware of the problem and have someone else handle it for them. It’s very difficult for a company to do it all on its own. Moreover, companies in the security arena deliver their products differently than they used to; the business of security has become subscription based and constantly updated through the web. The hardware itself, routers and filtering devices, has gotten cheaper and lasts longer because it is remotely updated through the internet. Some security companies are using their cloud-based infrastructure to host the security hardware and selling small businesses access to their secure cloud environment.
Ultimately, the one point most small businesses need to internalize is that security is about people, their people! Training, oversight, development, and nurturing can make a world of difference in countering outside digital threats. Distracted, unhappy employees don’t have to be malicious to make a network vulnerable; they just need to be careless and inattentive.
Employers also need to realize that as people, their employees have lives. They are engaged in social media and on the internet for both work and play. One of the new great openings for tech crimes is through social exposure. Moreover, a host of small businesses depend on social media sites to get new customers and build their brand. Twitter, Facebook and Instagram all create risks for small business. Many small businesses are on the forefront of technology advancement and they get their customers through the web. Inadequate security can turn a website glitch into a financial disaster.
The most important thing to remember is to layer your approach to security and reinforce those layers that protect what’s vital to your business.
LAYER UPON LAYER
A list of security “points to remember” garnered from our experience at CyberSecure Technologies and from the web:
- Create a security plan, an assessment of the threats you face and the risks your business entails: One of the best available tools is the FCC’s Small Biz Cyber Planner to create a cyber security plan. The Small Biz Cyber Planner is valuable for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber threats. The tool walks users through a series of questions to determine which cyber security strategies should be included in the planning guide, and generates a customized PDF that serves as a cyber-security strategy template.
- Train everyone in the organization about the threats and risks: Simple, basic security practices are the best. They should be easily understood and easily carried out. They have reasons. Let those reasons be known. Require strong passwords, set up Internet use guidelines, allow for “personal use” but detail what’s appropriate, and make any penalties obvious and well known. And never forget to establish rules on how to handle customer information and protect both customer data and other vital company data.
- Protect your networks from cyber attacks and intrusions: Every computer in the organization should have updated software, web browser, and operating systems that are regularly patched. Commercial software you use for running your business needs to be treated just the way the operating system is: update frequently and apply all available patches.
- Provide firewall security for your Internet connection: The gateway to your network is the combination of your hardware (a router or a router and hardware firewall combination) and software. It monitors network traffic both inbound and outbound. Remember, it can be set so that sending out proprietary data and confidential emails from your company’s network is restricted. Your network’s operating system also provides security through logon passwords and encryption. It also may have a built-in software firewall. All of it is designed to prevent outsiders from accessing data on a private network. Make sure it’s all enabled and the default passwords have been changed. Make sure the subscriptions to any available filtering are up-to-date. And, if your employees work from home, ensure that their home system(s) are protected by a firewall.
- Protect against viruses, spyware, and other malicious code: Install and use antivirus and antispyware software on every computer used in your business. Update it constantly. Use business class anti-virus.
- Backup data regularly: There are both local and internet backup systems available for very modest prices. You need both. A local backup will allow the immediate restoration of even an accidentally erased document. An internet backup can save your business if things go catastrophically wrong. The data you should back up is everything from word processing documents and spreadsheets, to emails, and certainly any customer or businesses databases, financial files, or human resources files your business has accumulated. Most importantly, your financial and tax data needs to be on the top of your backup list. Backup data automatically. Do not assign a staff member to make sure it gets done!
- Control physical access to your computers and create user accounts for each employee: Whether your computers are desktop workstations or laptops make sure access to them is controlled. Prevent use by unauthorized individuals. Laptops are easy targets, as are company smart phones and tablets. Theft of devices with critical company data is among the prime ways massive amounts of customer data has been lost by companies over the last few years.
- Secure Wi-Fi networks: Workplace Wi-Fi networks are a prime target for opportunity-based data theft and hacking. Set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. Switch any WEP (Wired Equivalent Privacy) network to the more secure current standard, WPA2 (Wi-Fi Protected Access version 2). Also, use a complex Pre-shared Key (PSK) passphrase for additional security.
- Create a mobile device action plan: Mobile devices carry a lot of sensitive data on your employees and perhaps even your customers. They create significant security risks and management challenges. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment. And enable any ‘remote wiping’ option.
- Employ best practices on payment cards: Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
- Limit employee access to data and information, limit authority to install software: Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
- Passwords and authentication: Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. Almost every computer and Web-based application requires a key for accessing it. Whether it is the answers to security questions or the passwords, make sure you create complex ones to make it difficult for hackers to crack them. For answers to security questions, consider translating them into another language using free online translation tools. This may make them unpredictable and difficult to decipher, and less susceptible to social engineering. Using a space before and/or after your passwords is also a good idea to throw the hacker off. That way, even if you write your password down, it would be safe as only you would know that it also needs a space at the front/end. Using a combination of upper and lower cases also helps, apart from using alphanumeric characters and symbols.
- Educate employees about safe social media practices: Depending on what your business does, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be taught how to post online in a way that does not reveal any trade secrets to the public or competing businesses. This type of safe social networking can help avoid serious risks to your business.
- Install Encryption Software: If you deal with data pertaining to credit cards, bank accounts, and social security numbers on a daily basis, it makes sense to have an encryption program in place. Encryption keeps data safe by altering information on the computer into unreadable codes.
- Ignore Suspicious Emails: Make it a habit to never open or reply to suspicious-looking emails even if they appear to be from a known sender. Even if you do open the email, do not click on suspicious links or download attachments. Doing so may make you a victim of online financial and identity theft, including ‘phishing scams.’ Phishing emails appear to come from trustworthy senders, such as a bank or someone you may have done business with. Through it, the hacker attempts to acquire your private and financial data like bank account details and credit card numbers.
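The “Secure Wi-Fi networks” item above in concrete form, as an added example that is not part of the original article: a hostapd access-point configuration showing the WEP-era settings the checklist says to replace, next to the WPA2-PSK settings it recommends. The interface name, SSID and passphrase are placeholders.

```ini
# Added example, not from the original article. Placeholder values:
# interface, SSID and passphrase must be replaced for a real deployment.

# --- Weak: WEP, the setting the checklist says to switch away from ---
# (kept commented out so this file never starts a WEP network)
# interface=wlan0
# ssid=SmallBizNet
# wep_default_key=0
# wep_key0=0123456789

# --- Hardened: WPA2-PSK with AES-CCMP, hidden SSID, strong passphrase ---
interface=wlan0
driver=nl80211
ssid=SmallBizNet
hw_mode=g
channel=6

# Do not include the SSID in beacon frames; clients must be given the name.
# Note: this only deters casual discovery, the passphrase is the real control.
ignore_broadcast_ssid=1

# 2 = WPA2/RSN only. 1 would be WPA1 and 3 would allow WPA1 fallback.
wpa=2
wpa_key_mgmt=WPA-PSK

# AES-CCMP only; TKIP is deprecated and should not be listed here.
rsn_pairwise=CCMP

# Pre-shared passphrase: 8 to 63 printable ASCII characters.
# Use a long random value, not a word or the company name.
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
```

The same settings map onto consumer router admin pages as “hide SSID”, “WPA2-PSK (AES)” and “wireless password”; the file form just makes the weak-versus-hardened difference explicit.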
With both thanks and acknowledgement to the following: