A computer security specialist from the National Institute of Standards and Technology (NIST) recently addressed a gathering of small and mid-sized business people at the 2015 Cyber Security Summit in Minneapolis. The speaker, Patricia Toth, told her audience that small businesses are vulnerable and are increasingly the target of malicious attacks from cyber hackers.
In 2013, 31 percent of cyberattacks targeted businesses with fewer than 250 employees, Toth reported. Businesses with few security resources and limited access to knowledgeable personnel are especially at risk. A serious episode launched by a cyber adversary can set a company at odds with customers, sometimes forcing the business to close.
Toth listed risks to small businesses, and she introduced a checklist of safeguards to adopt. In a cyberattack, customer trust and operational viability are at stake in three areas critical to businesses that serve the public:
- Confidentiality: Unauthorized access and disclosure
- Integrity: Unauthorized modification and use of stolen data
- Availability: Corruption of key data resulting in disruption, destruction and potential system crash
Especially damaging is the fact that attacks often go unrecognized for long periods of time, heightening the risk of data loss, denial of service and irreparable system corruption.
Many businesses have not established and consistently updated a complete inventory of their equipment, possibly opening the door to hackers because every device that connects to the system is possible point of entry for malware and hackers. And, before a cyber incident, many businesses do not assess the relative value of the information in their databases, making it difficult to assess the extent of damage if data is lost or stolen.
Threat-limiting Processes and Policies
Businesses should adopt standard safeguards, Toth told her audience, beginning by defining and controlling operational issues such as:
- Which employees have access and control of varied cyber assets?
- Have employee background checks been done? Some attacks come from inside organizations.
- Has the organization set up individual user accounts with different identifications and unique passwords?
- Have policies and procedures been established, and are they published in the employee handbook?
Drilling down to specific steps and actions, she prescribed a checklist covering four levels of organizational security:
- Protect the system
- Limit employee access on a “need to know” basis
- Install surge protectors and connect to all devices
- Ensure that patch updates occur regularly for operating systems and applications
- Install firewalls
- Secure all wireless access points
- Set up Web and email filters
- Encrypt sensitive information
- Dispose of equipment safely – smash obsolete hard drives
- Train employees how to protect the information they use
- Detect intrusions
- Install and update anti-virus and anti-spyware utilities
- Maintain and monitor logs to recognize threats
- Train employees on what to look for to identify threats
- Develop disaster plans to address security incidents
- Assign specific roles and responsibilities to personnel involved in security
- Know who to call if a data breach or other attack is identified
- Recognize what activities constitute a cyber security incident
- Make full data backups in case primary source is infected
- Use removable media
- Employ online storage or cloud security procedures
- Test your backup system
- Consider purchasing cyber insurance
An effective organizational cyber security plan should seek to achieve prevention. A good plan can help management avoid loss of credibility and reputation, repair costs and downtime, misinformation about the company, and a weakened organizational ability to innovate.