As we start the new year, we look back on countless examples of large and small companies falling victim to cyber security breaches. While the largest cases (often with tens of millions of stolen records) get the headlines, last year was no different from previous years, and thousands of smaller companies were hit by breaches, extortion attempts, and employee misuse of data. In what has become a “tip of the iceberg” wave of security breach reporting, most companies suffer the effects quietly.
What’s clear is that protecting the electronic data your business relies on is more important than ever and the monetary, reputation, and regulatory risks are rising. Many businesses that experience cyber security breaches never recover from the loss of customers, revenue and reputation.
Businesses and non-profits should take proactive steps each year, and throughout the year, to ensure they are exercising due care for the information they hold. Doing so will decrease the real risk of a cyber security breach in your company and put you in the best position to respond quickly and effectively if a breach does occur. The goals are avoidance and the ability to minimize the monetary losses and regulatory penalties should an event occur.
Steps for Business Leaders
Perform an Information Security Risk Assessment – Business leadership and I/T management should sit down and make a list of any “personally identifiable information”, “trade secrets” or “intellectual property” you rely on in your business. Where is it stored? How is it protected? What would happen if it were shared publicly, stolen, or lost? Even if you don’t hold payment card or health care information, forty-six (46) states have data privacy laws and require compliance from any firm that does business with their residents.
Identify an Information Security and Privacy Officer – As a business risk, this doesn’t have to be someone in I/T or even someone in-house, but shouldn’t be someone focused on selling I/T products. The key is to have someone that regularly helps the organization work through information risk management and follows up on operational security activities and incident response planning and resolution. An Information Security Officer can help organizations avoid risk and assure business partners, customers, and regulators that a reasonable standard of care is in place for handling sensitive information.
Establish a Cyber Security Incident Response Plan – At times it can feel like cyber security incidents are purely I/T matters, but the Incident Response Plan must include business leaders, counsel and technical resources. A good incident response plan accommodates the more frequent yet lower impact I/T security incidents, but also prepares the organization for the potential of larger issues.
Security Test your Website, Networks, and Firewalls – Asking your I/T provider to perform their own tests can yield useful information, but often the conflict of interest between I/T support and security audit means critical risks can be overlooked. Schedule a network penetration test or vulnerability scan with an outside party at least annually so you can improve security and assure partners of good practices. If your vendors say they do annual tests, now is a great time to ask for the latest copy of that validation and keep it on file.
Policies – Review policies to ensure you have rules and guidelines for employees and contractors. With policies in place, make sure everyone has reviewed them at least once a year. Legal protections for sensitive information depend on proving the business treats information as valuable and informs staff and vendors of expectations.
Steps for I/T Managers or Leaders Responsible for Managing I/T Vendors
Organizations large enough to have I/T support and leadership in-house are often challenged to balance the traditional role of I/T (enabling the business and improving productivity) with the risk management focus of information security. Smaller organizations may not have dedicated I/T support and may rely exclusively on I/T support companies for services. In all situations, the end of the year is a good time to plan or conduct a few key activities:
Patching Operating Systems – Have your I/T team or provider verify that PCs are running an operating system that is currently supported. For example, in April of 2014 Microsoft stopped providing security patches for Windows XP. While companies don’t need to run the latest version of Windows, running one that still receives patches is critical.
Anti-Virus / Malware Protection / Personal Firewalls – Check to see if PCs are running the latest updates of protection software. Like an operating system, this doesn’t mean the latest version available from the vendor, but it should be a supported version and receiving regular updates on virus signatures and malware profiles.
Backing up and Protecting Data
Testing Backups – If you’ve completed a risk assessment, you should have a good idea where your critical data resides and be backing it up to disk, tape or the cloud. Testing your backup regularly is key to knowing it will be there when you need it most. Choose a small test file on key systems that is backed up on a schedule and then restored to confirm the process works end-to-end.
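The end-to-end restore check described above, as an added example that is not part of the original article. The tar archive, temporary directories and file names are assumptions standing in for your own backup and restore tooling; the "stale" mode shows the check catching a backup job that silently stopped running.

```shell
#!/bin/sh
# Added example, not from the original article: an end-to-end restore test for a
# scheduled backup. It writes a small canary file with fresh content, takes a
# backup (assumed here to be a tar archive into a backup directory; substitute
# your real backup and restore commands), restores into a separate location and
# compares the restored copy byte-for-byte with the original.
# All paths are constructed under a temporary directory for illustration.
set -eu

# Usage: verify_backup_restore [stale]
# Returns 0 when the restored canary matches the original, 1 otherwise.
# Passing "stale" changes the canary after the backup was taken, which models
# a backup job that silently stopped running: the check must then fail.
verify_backup_restore() {
    mode=${1:-normal}
    work=$(mktemp -d)
    src="$work/source"        # stands in for a key system's data directory
    backups="$work/backups"   # stands in for the disk/tape/cloud target
    restore="$work/restore"   # restore location, deliberately not the original
    mkdir -p "$src" "$backups" "$restore"

    # Fresh content on every run, so an old copy from a previous backup
    # cannot pass the comparison.
    canary="$src/backup-canary.txt"
    printf 'canary %s pid %s\n' "$(date -u +%Y%m%dT%H%M%SZ)" "$$" > "$canary"

    # Backup step (assumption: tar archive of the source tree).
    tar -C "$src" -cf "$backups/canary-backup.tar" .

    # Simulated failure mode: data changed but no new backup ran.
    if [ "$mode" = stale ]; then
        printf 'changed after backup\n' >> "$canary"
    fi

    # Restore step, into the separate restore directory.
    tar -C "$restore" -xf "$backups/canary-backup.tar"

    # Byte-for-byte comparison; any difference means the restore cannot be trusted.
    if cmp -s "$canary" "$restore/backup-canary.txt"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}
```

Run it from cron on the same schedule as the backup job and alert on a non-zero exit; a passing check proves the whole chain (write, back up, restore, compare), not just that the backup software reported success.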
Network, Server, and Firewall Security
Patching Servers and Firewalls – Just like PCs, devices such as servers, routers and firewalls run software, and that software contains bugs. Check for updates to the software and, even if it can’t be patched immediately, get the upgrades on the calendar and plan the work.
Secure Wi-Fi – Make sure networks are secured with non-WEP encryption and that network passwords are changed regularly. If your wireless router supports multiple networks, create a separate wireless network, not connected to your internal network, for guests and business visitors. Keys on guest networks can be changed less frequently. Keys for networks connected to the business’s internal network should be changed at least when employees leave the organization, or more frequently throughout the year, to ensure unauthorized users don’t connect to your network.
Facility and Physical Security
Lock it Up – Keeping sensitive information safe starts with keeping your facilities, data centers and wiring closets secure. Perform a walk-around and look for any removable media (disks, DVDs/CDs, tapes, flash drives) left out in I/T support areas, employee work areas, wiring closets, or server rooms. Removable media should have a permanent, lockable, designated storage area, and access to servers, firewalls and network devices should be limited.
Vendors and Log Reviews
Hold Vendors Accountable – Many companies outsource some or all of their I/T support to outside firms. Request an annual report from vendors. If they manage firewalls, email services (spam filtering), or other activities, request written verification that they’ve reviewed logs related to your systems for unusual activity and brought it to your attention. Ask if there are any software upgrades available for the systems they support for you and, if so, get them on a schedule for future implementation.