As we have seen all too often, the source of big cyber attacks is a small or medium enterprise (SME). The SME is a ripe target for hackers because those businesses do not have cyber security experts on staff. Many SME owners, not knowing what to do don’t do anything. Target, for example, was one.
One of the challenges with cyber security is that unless the hackers are stupid, have a big ego or are bad technicians, an SME is unlikely to even know that a hacker is inside its network. Big organizations like OMB didn’t know the hackers were inside their network for over a year. Hackers were inside Nortel Networks at the very highest level of the company for ten years before they were discovered and likely contributed to the downfall of the company.
SMEs need to start taking action. While the actions will not STOP all breaches, you have to start the process somewhere. These recommendations from Real Business, the British magazine catering to SMEs, seem like a reasonable start.
One thing that is important to understand – even though you won’t like it. Cyber Security is a never ending battle. Unless you go out of business, the challenges of protecting your business – and more importantly your information and your customer’s information – will never end.
That said, here is the list –
1. Make one person responsible for reviewing and managing risks within your business. Great advice. If no one is responsible, not much will get done. For the really small business, this person will likely have other tasks, but whoever the person is needs to know that the job is important and that they have your direction to spend a significant part of their week working on protecting your systems and network.
2. Establish ownership for data protection and information security and make that person responsible to you as the business owner. While this seems redundant with #1 above, it adds two new dimensions. One, cyber security is about the data. Unless your office is ransacked by a junkie looking to make his or her next score (and that does happen, so physical security is important), hacking is mostly about stealing your data. Hackers cannot get very much money for used computer hardware. I had a great conversation with some business executives about whether or not they should keep some very sensitive personal information. That is a great conversation. The information that you do not keep cannot be hacked. In fact, that may be the only information that you can say with certainty cannot be hacked. Second, the person in #1 needs to report to the business owner. For SMEs, a significant data breach will likely put you out of business. This is not something you delegate. Additionally, if the person you put in charge of risk (which means not just cyber risk) wants to implement a new policy and that policy affects your employees, that policy needs to come from you, the business owner or CEO.
3. Put in place some simple but effective data access policies and controls to systems and key data. We have seen time and again that when hackers compromise someone’s userid and password they have access to everything in the business. While the recent T-Mobile/Experian attack compromised 15 million records, it could have been 10 times worse given the amount of data Experian stores. However, Experian has implemented policies to restrict access to data, so the attackers only (if only is the right word here) got access to the T-Mobile data. The Target attackers were successful because once they got into a vendor management portal, they had access to the point of sale system. That is crazy.
4. Understand your data. Where is your business data and your client data? Since hacking is about the data, you need to understand your data. Where is your data stored? Is it in the cloud? Where in the cloud? Is it a company owned or personal account? How long do you need to keep the data? Who makes sure it gets deleted? Securely deleted? This should generate a lot of questions since I suggest that most businesses do not know where ALL their data is.
5. Ensure password policies are implemented across the business. I was reading an article this morning about a hospital that had an Internet connected smart medical device that stored patient information on it with a password of Password123. If you think that could not happen to you, what is the password to your Internet router? When was the last time you changed it?
6. Train staff to be aware of potential threats, including bogus emails and suspicious requests for information. Most studies say that around 80% of the data loss (both accidental and malicious) is due to human error. People are not cyber security experts. They click on stuff, lose flash drives and other bad stuff. Does your company even have a cyber security employee education program? This cannot be something that you do once when the employee is hired or even once a year. It needs to be constantly reinforced.
7. Take advice from a specialist and review your IT security position to ensure you have a reasonable level of defences against external attacks and malware. No, I did not add this one, it really was in their list. If I added it, it would be number 1. Just like you hire experts to review your financials, cyber risk is an area where outside expertise is likely needed. For example, the article mentions penetration testing (and for those of you who accept credit cards, you have a contractual requirement with your bank to do penetration testing at least once a year), that is likely something that you are not going to have the resources or expertise to do internally. Since getting breached can be a bet the farm problem, use experts.
8. Take an honest view of your capability and consider moving data and applications to a secure hosted environment. This is the only item on the list I have any heartburn with. Not because I don’t trust application service providers. I do. This blog is on an ASP’s system. My problem is that your system can be just as insecure in a hosted environment as if it is in your office. Refer back to recommendation #7.
For those organizations that do not already have an active information security program, this is a good place to start. Understanding that this is a long journey – it will take time, money and being willing to change some of the dangerous behaviors that you and your people engage in today.
Since this is the time of year for lists and resolutions, it would be a great time to start a corporate cyber security program. We can help you with that.
Information for this post came from RealBusiness.