SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Similar documents
SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

mhealth SECURITY: STATS AND SOLUTIONS

Data Leak Prevention

Cyber Risks in the Boardroom Conference

Why ESET. We help more than 100,000,000 users worldwide to Enjoy Safer Technology. The only vendor with record-breaking protection

Keeping your VPN protected

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Teradata and Protegrity High-Value Protection for High-Value Data

Sage Data Security Services Directory

Endpoint Protection. ESET Endpoint Antivirus with award winning ESET NOD32 technology delivers superior detection power for your business.

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Lookout's cybersecurity predictions

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Why you MUST protect your customer data

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

2017 Annual Meeting of Members and Board of Directors Meeting

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Security Audit What Why

Integrated Access Management Solutions. Access Televentures

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

CipherCloud CASB+ Connector for ServiceNow

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

How NOT To Get Hacked

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

The security challenge in a mobile world

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Securing Wireless Mobile Devices. Lamaris Davis. East Carolina University 11/15/2013

Cyber Security Stress Test SUMMARY REPORT

The Cyber War on Small Business

Nine Steps to Smart Security for Small Businesses

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

CYBERSECURITY RISK LOWERING CHECKLIST

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Entertaining & Effective Security Awareness Training

The best for everyday PC users

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Internet of Things Toolkit for Small and Medium Businesses

IT & DATA SECURITY BREACH PREVENTION

Cybersecurity The Evolving Landscape

BRING SPEAR PHISHING PROTECTION TO THE MASSES

10 Hidden IT Risks That Might Threaten Your Business

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

GM Information Security Controls

SECURITY THAT FOLLOWS YOUR FILES ANYWHERE

Effective Strategies for Managing Cybersecurity Risks

Securing Today s Mobile Workforce

Employee Security Awareness Training

Evolution of Spear Phishing. White Paper

Best Practices in Securing a Multicloud World

Built without compromise for users who want it all

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

How Breaches Really Happen

Cyber Insurance: What is your bank doing to manage risk? presented by

Cloud Communications for Healthcare

Protecting your data. EY s approach to data privacy and information security

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

716 West Ave Austin, TX USA

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

CYBERSECURITY: STAYING ONE STEP AHEAD DANIEL D. WHITEHOUSE, ESQ. WHITEHOUSE & COOPER, PLLC

PCI Compliance. What is it? Who uses it? Why is it important?

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Keeping your VPN protected. proven. trusted.

Cyber security tips and self-assessment for business

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

Cyber and data security How prepared is your charity?

for businesses with more than 25 seats

Disk Encryption Buyers Guide

Keys to a more secure data environment

How to Build a Culture of Security

DIGITAL LIFE E-GUIDE. A Guide to 2013 New Year s Resolutions

Six Ways to Protect your Business in a Mobile World

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

locuz.com SOC Services

The Data Breach: How to Stay Defensible Before, During & After the Incident

What to do if your business is the victim of a data or security breach?

Choosing a Full Disk Encryption solution. A simple first step in preparing your business for GDPR

THE ROLE OF ADVANCED AUTHENTICATION IN CYBERSECURITY FOR CREDIT UNIONS AND BANKS

A practical guide to IT security

Sinu. Your IT Department. Oh, the humanity! The role people play in data security NYC: DC:

CYBER THREATS: REAL ESTATE FRAUD ADVISORY COUNCIL

Understanding the Changing Cybersecurity Problem

Protecting Health Information

June 2 nd, 2016 Security Awareness

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

It s still very important that you take some steps to help keep up security when you re online:

DeMystifying Data Breaches and Information Security Compliance

Transcription:

SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Small business cybersecurity survival guide By Stephen Cobb, ESET Senior Security Researcher Computers and the internet bring many benefits to small businesses, but this technology is not without risks. Some risks, like physical theft and natural disasters, can be reduced or controlled through sensible behavior and commonsense precautions. Harder to handle are the cybercrime risks like those posed by criminals who steal information to sell on the black market. Over 70% of security breaches target small/medium businesses, yet many proprietors believe they are not vulnerable to cyberattacks because of their small size and limited assets. 1 Unfortunately, this is not the case. This cybersecurity survival guide will help you defend your business against cybercrime threats. Personal information, that is, information that can be used to commit identity theft, is a common target of criminals. Even the smallest businesses are likely to handle some personal customer or vendor data worth stealing. Another popular target of cyber criminals is account information including credit card data, bank account numbers, online banking passwords, email accounts and user credentials for services such as ebay, PayPal and TurboTax are all at risk. All of these can be sold on the black market to other criminals who specialize in using the information in a wide range of fraud schemes and scams. Consequences of data theft Because most small businesses have account information and personal data that criminals could abuse, you need to remember that your business may be held responsible for the consequences of data theft for example, if information about your customers is stolen and used for fraud. Some data is protected by laws and regulations, like HIPAA and PCI (for medical and credit card data, respectively). Many states also require businesses to report security breaches that expose personal data to potential abuse, whether it s a lost laptop containing customer details, or a thumb drive with medical records. 1 U.S. Small and Medium Sized Business 2014-2018 forecast by IDC 2 3

All of this means that, even though your company may be small, you must take a systematic approach to securing any data that is entrusted to you. As you go about the task of protecting your company s digital assets, you should document your approach. This will help you educate employees about their security responsibilities. Furthermore, it is not uncommon for larger companies to require vendors and contractors to provide proof that they have educated their employees about security, and that they have put appropriate security measures in place. If a security breach does occur, a documented security program helps you prove that you were diligent in your efforts to protect information. Let s look at each step in turn. Assess your assets, risks, resources List all of the computer systems and services that you use. After all, if you don t know what you have, you can t protect it. Be sure to include mobile devices like smartphones and tablets that you and/or your employees may use to access company or customer information. This is especially important since it s estimated that 60% of employees circumvent security features on their mobile devices, and 48% of employees disable their employer-required security settings. 2 Steps to take We ve laid out a systematic approach to cybersecurity for you that goes from A to F. Assess your assets, risks, resources Build your policy Choose your controls Deploy controls Educate employees, execs, vendors Further assess, audit, test And don t forget online services, such as SalesForce, online banking websites, and cloud services such as icloud or Google Docs. Now go through that list and consider the risks related to each item. Who or what is the threat? Another good question to ask is: What could possibly go wrong? Some risks are more likely than others, but list them all and then rank them according to how much damage they could cause and the chances they might occur. 2 The Cost of Insecure Mobile Devices in the Workplace, Ponemon Institute, 2014 4 5

You might seek outside help with this process, which is why you need another list: the resources you can tap for cybersecurity issues. This could be someone on staff who is knowledgeable and security-savvy, or a partner or vendor. Ask your insurance broker (insurance companies are ramping up their cybersecurity knowledge). National trade groups and local business associations also have advice and resources. The National Cyber Security Alliance provides free educational materials, tip sheets and employee training suggestions especially for businesses. Plus, be sure to check in with your local law enforcement and nearest FBI office (you should at least have contact names and numbers to call in case you experience a cybercrime). Finally, make sure all your employees are aware of security best practices by implementing training such as ESET s free online cybersecurity awareness training program. Build your policy A sound security program begins with policy, and policy begins with C-level buy-in. If you re the boss, then you need to let everyone know that you take security seriously and that your firm is committed to protecting the privacy and security of all data that it handles. Next, you need to spell out the policies that you want to enforce, for example, there shall be no unauthorized access to company systems and data, and employees will not be allowed to disable the security settings on their mobile devices. Choose your controls You use controls to enforce policies. For example, to enforce the policy of no unauthorized access to company systems and data, you may choose to control all access to company systems with a unique username, password and some form of twofactor authentication (see sidebar). To control what programs are allowed to run on company computers, you may decide not to give employees administrative rights. Why 2FA? For small businesses in particular, twofactor authentication (2FA) has become an essential element in securing data and preventing breaches. Implementing 2FA adds an extra layer of security by requiring the user to enter a one-time password generated randomly in addition to their username and password. Many of the breaches made public in recent months could have been prevented by having 2FA in place. Even if attackers had managed to infect a computer and steal a password, they would not have been able to access the account associated with it since they didn t know the one-time access code. Adding 2FA to your current security solution not only protects data; it meets compliance requirements for multi-factor authentication and prevents access to lost or stolen laptops and other devices. 6 7

To prevent breaches caused by lost or stolen mobile devices, you could require employees to report such incidents the same day and specify that such devices will be remotely locked and erased immediately. At minimum you will want to use three basic security technologies: Anti-malware software that will prevent malicious code from being downloaded onto your devices Encryption software that will render data on stolen devices inaccessible A two-factor authentication system so that something more than just a username and password is required to gain access to your systems and data. Deploy When you deploy controls, make sure they work. For example, you should have a policy that prohibits unauthorized software on company systems; one of your controls will be anti-malware software that scans for malicious code. Not only do you need to install this and test that it doesn t interfere with normal business operations, you also need to document the procedures you want employees to follow when malicious code is detected. Educate! Your employees need to know more than just the company security policies and procedures. They also need to understand why these are necessary. This means investing in security awareness and education, which is often the single most effective security measure you can implement. By working with your staff, you can raise awareness of issues such as phishing email. A recent study showed that 21% of phishing emails to employees were opened and 16% of recipients opened an attachment 3 both of which greatly increase chances of data breach and information theft. Be sure to educate everyone who uses your systems, including executives, vendors, and partners. And remember that violations of security policies must have consequences. Failure to enforce policies undermines the whole security effort. 3 KnowBe4, 2017 8 9

Further assess, audit, test Cybersecurity for any business, large or small, is an ongoing process, not a one-time project. You should plan on re-assessing your security on a periodic basis, at least once a year. To stay up-to-date on emerging threats, review security news on a regular basis by subscribing to websites like WeLiveSecurity.com, KrebsOnSecurity.com and DarkReading.com. You may need to update your security policies and controls more than once a year depending on changes to the business, such as new vendor relationships, new projects, new hires, or employees departing (such as, making sure that all system access is revoked when anyone leaves the company). Consider hiring an outside consultant to perform a penetration test and security audit to find out where your weak points are and address them. Stephen Cobb has been researching information assurance and data privacy for more than 25 years, advising government agencies and some of the world s largest companies on information security strategy. Cobb also co-founded two successful IT security firms that were acquired by publicly traded companies and is the author of several books and hundreds of articles on information assurance. He has been a Certified Information System Security Professional since 1996 and is based in San Diego as part of the ESET global research team. The current wave of cybercrime is not going to end any time soon, so you need to make an ongoing good faith effort to protect the data and systems that are the lifeblood of today s small business. 10 11

For over 30 years, ESET has been developing industry-leading security software for businesses and consumers worldwide. With security solutions ranging from endpoint and mobile defense to encryption and two-factor authentication, ESET s high-performing, easy-to-use products give users and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running uninterrupted. For more information, visit www.eset.com. 1999-2017 ESET, LLC, d/b/a ESET North America. All rights reserved. ESET, the ESET Logo, ESET android figure, ESET SMART SECURITY, ESET CYBER SECURITY, ESET.COM, ESET.EU, NOD32, SysInspector, ThreatSense, ThreatSense.Net, LiveGrid and LiveGrid logo are trademarks, service marks and/or registered trademarks of ESET, LLC, d/b/a ESET North America and/or ESET, spol. s r. o., in the United States and certain other jurisdictions. Windows is a trademark of the Microsoft group of companies. Mac and the Mac logo are trademarks of Apple Inc., registered in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. All other trademarks and service marks that appear in these pages are the property of their respective owners and are used solely to refer to those companies goods and services. 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback