[BreachExchange] Think You’re Too Small for a Security Threat? Think Again.

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 24 20:07:15 EDT 2016


http://hackerspace.kinja.com/think-you-re-too-small-for-a-security-threat-think-aga-1778369583

Recently, my debit card was compromised — not at a big box retailer but at
a small gift shop that I often frequent. When I had the conversation with
my card company and got the fraudulent charges removed, I stated my
surprise that a small business would be the victim of hacking — it seemed
that only the “big boys” like Target were the goals of these criminals.

What that fraud pro told me was an eye opener. He said that, actually, it
is often the small businesses, especially those online, that are the most
frequent victims. Why? Because they don’t have the money, the IT team, or
the savvy to implement good security measures.

If you are a small-business owner or a solopreneur, take note. Once you
have a security breach, and customer data is compromised, you may very well
lose those customers forever — their level of trust has just died. Credit
card users want to feel that the companies they do business with are
protecting them.

How to Tackle Security — 10 Steps to Take

First of all, realize that you face the same threats that big businesses
do. So the security that you put in place has to be just as rigorous as
theirs. This is tough when you are small, but you can find outside security
software companies that will work with you and make this as affordable as
possible.

Consider the alternative — a security breach that loses customers and costs
you a great deal of money to repair. Whether you tackle security by
yourself or contract out, here are the 10 key steps that must be taken.

1. Educate Yourself

Where is your important data stored? Are you using traditional desktop
servers or the cloud? How secure is this storage, really? And no matter
which one you are using, have you documented the access permissions that
you have given to other employees? And can those employees access your data
through BYOD platforms?

This documentation will lay the framework for the rest of what you do
relative to security — particularly in terms of your backup and disaster
recovery plans.

2. Have a Back-Up Process and Automate It

Bad things can happen. Whether your own systems or your cloud server
crashes, there needs to be a backup. This can be in-house backups on
external drives or storage in multiple cloud servers, which is what many
businesses have chosen. It is unlikely that both of them would go down at
the same time.

The point is that you must still have access to your data if these events
occur. If you automate that backup, it occurs every day without you having
to remember to do it. It's a rather simple process to put into place, and
there are many reasonable software solutions from which to choose.

3. Train Yourself and All Team Members in the Latest Cyberattack Tactics

Unfortunately, banks are far less sympathetic to businesses than they are
to consumers when data is breached and customer financial information is
compromised. Besides skimming customer data, the other threat is that
hackers can access your banking accounts and empty them.

Most cyberattacks occur through “phishing” emails or as a result of using
business hardware for personal purposes. Putting spam filters in place
helps, but everyone in the office needs to be directed never to open an
email that appears the least bit suspicious or not connected to business
operations. You should also consider web-surfing controls on all devices. A
third option, which you should consider, is the use of only one device for
online funds transfers.

4. Networked Devices Need Firewalls

If a virus, malware, or a hacker compromises one device and your devices
are networked, then all of them can be infected. Even an individual who
accesses your data remotely from his/her own device is compromised. To
combat this, use technology like "whitelisting" to prevent unapproved
downloads. And be certain to get outside help to patch any breaches as soon
as they are discovered.

5. Data Encryption Is a Must

It’s the law. Keep updated on the PCI guidelines. If you gather any
personal information or engage in any payment card transactions, you have
to comply with existing law. If you need legal advice or the services of an
outside security tech consultant, pay the price and get it. Ignoring
encryption is not an option.

6. Wipe Before Disposal

This should go without saying, but be mindful that when you replace
hardware, the old has to be wiped. The same goes for any of your team
members that have used their BYOD hardware to access company data.

7. Giving Access to Employees

If you’re a solopreneur and you never share access with anyone, you have
only yourself to worry about. However, as you scale and add employees, you
have to think about this very carefully. You must document exactly the
access you are giving to each employee, and each employee must have his/her
own unique and uncommon passcodes.

Never have a universal passcode — you will not be able to determine where
the data breach came from or who might be an internal bad guy. Some small
businesses are now using a dual-authentication system when really sensitive
information is accessed.

And never forget — when an employee leaves, passcodes and credentials must
be de-commissioned immediately. The same goes for clients to whom you may
have given access to any of your non-sensitive data.

8. Mobile Devices — The Worst Security Disruption of All

Even the big guys are struggling with this. With so many employees working
remotely from their own devices, and having access to company data, how do
you ensure security? The other issue is a legal one. If an individual is
using his/her own device, it is not hardware issued by the company, and
therefore the company may not have much control or recourse over its use,
especially if access to data was freely given by the company. Some large
companies are experimenting with data segmentation options, but these are
in the early stages and as yet far too expensive for a small business.

Much of this boils down to trust in an employee. Never give any employee
access to your data, either in-house or remotely, unless you have complete
trust. If they need to access data in-house, provide that through passcodes
and credentials that you hold securely.

9. Physical Access by Outsiders

If you have a small office, there is usually a strong personal relationship
among team members. And often, friends and/or family members may stop by.
All team members must be trained, under pain of penalty, to close out any
screens that hold secure data when an outsider enters, no matter how well
they may know that person. It’s just a cardinal rule that must be enforced
consistently. And, at the end of the day, all computers are shut down — no
exceptions. You don’t know the cleaning crew, for example.

10. Think Like the Big Guys

You may be small, or you may be all on your own. But security is critical
whether you have 50 customers or 100,000 customers, whether you have two
computers or 1,000, whether you use one cloud storage service or another.
If you develop good policy relative to security and you and all your
employees follow that policy without exception, you have a much better
chance of protecting your data. And get the security tools that are best
suited for your situation.