SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Similar documents
SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

mhealth SECURITY: STATS AND SOLUTIONS

Teradata and Protegrity High-Value Protection for High-Value Data

Cyber Risks in the Boardroom Conference

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Data Leak Prevention

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Why ESET. We help more than 100,000,000 users worldwide to Enjoy Safer Technology. The only vendor with record-breaking protection

Keeping your VPN protected

Sage Data Security Services Directory

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

The Cyber War on Small Business

2017 Annual Meeting of Members and Board of Directors Meeting

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Integrated Access Management Solutions. Access Televentures

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

CipherCloud CASB+ Connector for ServiceNow

How NOT To Get Hacked

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

PCI Compliance. What is it? Who uses it? Why is it important?

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Why you MUST protect your customer data

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Lookout's cybersecurity predictions

Cyber Insurance: What is your bank doing to manage risk? presented by

Cybersecurity The Evolving Landscape

Endpoint Protection. ESET Endpoint Antivirus with award winning ESET NOD32 technology delivers superior detection power for your business.

10 Hidden IT Risks That Might Threaten Your Business

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

How Breaches Really Happen

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Internet of Things Toolkit for Small and Medium Businesses

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Understanding the Changing Cybersecurity Problem

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

How Cyber-Criminals Steal and Profit from your Data

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

Cyber security tips and self-assessment for business

Security Audit What Why

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Entertaining & Effective Security Awareness Training

How to Build a Culture of Security

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Employee Security Awareness Training

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Cyber Security Stress Test SUMMARY REPORT

Nine Steps to Smart Security for Small Businesses

CYBERSECURITY RISK LOWERING CHECKLIST

Keys to a more secure data environment

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

IT & DATA SECURITY BREACH PREVENTION

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

BRING SPEAR PHISHING PROTECTION TO THE MASSES

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

Computer Security Policy

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

Evolution of Spear Phishing. White Paper

The Data Breach: How to Stay Defensible Before, During & After the Incident

CYBER THREATS: REAL ESTATE FRAUD ADVISORY COUNCIL

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

DeMystifying Data Breaches and Information Security Compliance

A practical guide to IT security

Cyber and data security How prepared is your charity?

NETSURION DEFENSE AGAINST BACKOFF: How Netsurion Effectively Protected Against Threats

Combating Cyber Risk in the Supply Chain

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Must Have Items for Your Cybersecurity or IT Budget in 2018

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

Cloud Communications for Healthcare

CYBERSECURITY: STAYING ONE STEP AHEAD DANIEL D. WHITEHOUSE, ESQ. WHITEHOUSE & COOPER, PLLC

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Disk Encryption Buyers Guide

GM Information Security Controls

Cyber Security Program

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Heavy Vehicle Cyber Security Bulletin

Your security on click Jobs

This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry

Cybersecurity and Hospitals: A Board Perspective

716 West Ave Austin, TX USA

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

locuz.com SOC Services

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

What to do if your business is the victim of a data or security breach?

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Effective Strategies for Managing Cybersecurity Risks

Transcription:

SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Small business cybersecurity survival guide By Stephen Cobb, ESET Senior Security Researcher Computers and the internet bring many benefits to small businesses, but this technology is not without risks. Some risks, like physical theft and natural disasters, can be reduced or controlled through sensible behavior and commonsense precautions. Harder to handle are the cybercrime risks like those posed by criminals who steal information to sell on the black market. Over 70% of security breaches target small/medium businesses, yet many proprietors believe they are not vulnerable to cyberattacks because of their small size and limited assets. 1 Unfortunately, this is not the case. LOW HANGING FRUIT * 60% Small to medium sized businesses: The cybercriminal s sweet spot 38 % more security incidents were detected in the U.S. in 2015 than in 2014. 2015 Verizon Data Breach Report True cost of security breaches Business disruption Lost assets inc. intellectual property Lost time and productivity Damage to brand Industry with highest cost per record lost of small businesses will fail within six months after a cyber attack. National Cyber Security Alliance Average cost per record lost This cybersecurity survival guide will help you defend your business against cybercrime threats. Personal information, that is, information that can be used to commit identity theft, is a common target of criminals. Even the smallest businesses are likely to handle some personal customer or vendor data Contributing factors include: Lack of risk awareness Lack of employee training Failure to secure endpoints 71 % of security breaches target small/medium businesses. U.S. Small and Medium Sized Business 2014-2018 forecast by IDC $165 $154 RETAIL INDUSTRY GLOBAL AVERAGE *Source: 2015 Cost of Data Breach Study: Global Analysis 1 U.S. Small and Medium Sized Business 2014-2018 forecast by IDC 2 3

worth stealing. Another popular target of cyber criminals is account information including credit card data, bank account numbers, online banking passwords, email accounts and user credentials for services such as ebay, PayPal and TurboTax are all at risk. All of these can be sold on the black market to other criminals who specialize in using the information in a wide range of fraud schemes and scams. Consequences of data theft Because most small businesses have account information and personal data that criminals could abuse, you need to remember that your business may be held responsible for the consequences of data theft for example, if information about your customers is stolen and used for fraud. Some data is protected by laws and regulations, like HIPAA and PCI (for medical and credit card data, respectively). Many states also require businesses to report security breaches that expose personal data to potential abuse, whether it s a lost laptop containing customer details, or a thumb drive with medical records. All of this means that, even though your company may be small, you must take a systematic approach to securing any data that is entrusted to you. As you go about the task of protecting your company s digital assets, you should document your approach. This will help you educate employees about their security responsibilities. Furthermore, it is not uncommon for larger companies to require vendors and contractors to provide proof that they have educated their employees about security, and that they have put appropriate security measures in place. If a security breach does occur, a documented security program helps you prove that you were diligent in your efforts to protect information. Steps to take We ve laid out a systematic approach to cybersecurity for you that goes from A to F. Assess your assets, risks, resources Build your policy Choose your controls Deploy controls Educate employees, execs, vendors Further assess, audit, test Let s look at each step in turn: 4 5

Assess your assets, risks, resources List all of the computer systems and services that you use. After all, if you don t know what you have, you can t protect it. Be sure to include mobile devices like smartphones and tablets that you and/or your employees may use to access company or customer information. This is especially important since it s estimated that 60% of employees circumvent security features on their mobile devices, and 48% of employees disable their employer-required security settings. 2 And don t forget online services, such as SalesForce, online banking websites, and cloud services such as icloud or Google Docs. Now go through that list and consider the risks related to each item. Who or what is the threat? Another good question to ask is: What could possibly go wrong? Some risks are more likely than others, but list them all and then rank them according to how much damage they could cause and the chances they might occur. You might seek outside help with this process, which is why you need another list: the resources you can tap for cybersecurity issues. This could be someone on staff who is knowledgeable and security-savvy, or a partner or vendor. Ask your insurance broker (insurance companies are ramping up their cybersecurity knowledge). National trade groups and local business associations also have advice and resources. The National Cyber Security Alliance provides free educational materials, tip sheets and employee training suggestions especially for businesses. Plus, be sure to check in with your local law enforcement and nearest FBI office (you should at least have contact names and numbers to call in case you experience a cybercrime). Build your policy A sound security program begins with policy, and policy begins with C-level buy-in. If you re the boss, then you need to let everyone know that you take security seriously and that your firm is committed to protecting the privacy and security of all data that it handles. Next, you need to spell out the policies that you want to enforce, for example, there shall be no unauthorized access to company systems and data, and employees will not be allowed to disable the security settings on their mobile devices. 2 The Cost of Insecure Mobile Devices in the Workplace, Ponemon Institute, 2014 6 7

Choose your controls You use controls to enforce policies. For example, to enforce the policy of no unauthorized access to company systems and data, you may choose to control all access to company systems with a unique username, password and token. To control what programs are allowed to run on company computers, you may decide not to give employees administrative rights. To prevent breaches caused by lost or stolen mobile devices, you could require employees to report such incidents the same day and specify that such devices will be remotely locked and erased immediately. At minimum you will want to use three basic security technologies: Anti-malware software that will prevent malicious code from being downloaded onto your devices Encryption software that will render data on stolen devices inaccessible A two-factor authentication system so that something more than just a username and password is required to gain access to your systems and data. Deploy When you deploy controls, make sure they work. For example, you should have a policy that prohibits unauthorized software on company systems; one of your controls will be anti-malware software that scans for malicious code. Not only do you need to install this and test that it doesn t interfere with normal business operations, you also need to document the procedures you want employees to follow when malicious code is detected. Educate! Your employees need to know more than just the company security policies and procedures. They also need to understand why these are necessary. This means investing in security awareness and education, which is often the single most effective security measure you can implement. By working with your staff, you can raise awareness of issues such as phishing email. A recent study showed that 23% of phishing emails to employees were opened and 11% of recipients opened an attachment 3 both of which greatly increase chances of data breach and information theft. Be sure to educate everyone who uses your systems, including executives, vendors, and partners. And remember that violations of security policies 3 Verizon Data Breach Investigations Report, 2015 8 9

must have consequences. Failure to enforce policies undermines the whole security effort. Further assess, audit, test Cybersecurity for any business, large or small, is an ongoing process, not a one-time project. You should plan on re-assessing your security on a periodic basis, at least once a year. To stay up-to-date on emerging threats, review security news on a regular basis by subscribing to websites like WeLiveSecurity.com, KrebsOnSecurity.com and DarkReading.com. Stephen Cobb has been researching information assurance and data privacy for more than 20 years, advising government agencies and some of the world s largest companies on information security strategy. Cobb also co-founded two successful IT security firms that were acquired by publicly traded companies and is the author of several books and hundreds of articles on information assurance. He has been a Certified Information System Security Professional since 1996 and is based in San Diego as part of the ESET global research team. You may need to update your security policies and controls more than once a year depending on changes to the business, such as new vendor relationships, new projects, new hires, or employees departing (such as, making sure that all system access is revoked when anyone leaves the company). Consider hiring an outside consultant to perform a penetration test and security audit to find out where your weak points are and address them. The current wave of cybercrime is not going to end any time soon, so you need to make an ongoing good faith effort to protect the data and systems that are the lifeblood of today s small business. 10 11

For over 25 years, ESET has been developing industry-leading security software for businesses and consumers worldwide. With security solutions ranging from endpoint and mobile defense to encryption and two-factor authentication, ESET s high-performing, easy-to-use products give users and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running uninterrupted. For more information, visit www.eset.com. 1999-2016 ESET, LLC, d/b/a ESET North America. All rights reserved. ESET, the ESET Logo, ESET SMART SECURITY, ESET CYBER SECURITY, ESET.COM, ESET.EU, NOD32, SysInspector, ThreatSense, ThreatSense.Net, LiveGrid and LiveGrid logo are trademarks, service marks and/or registered trademarks of ESET, LLC, d/b/a ESET North America and/or ESET, spol. s r.o., in the United States and certain other jurisdictions. All other trademarks and service marks that appear in these pages are the property of their respective owners and are used solely to refer to those companies goods and services. 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback