[BreachExchange] Actions Small Businesses Can Take to Prevent Cyber-Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 12 14:01:18 EDT 2017


A cyber-attack is an assault by hackers intended to compromise the
functionality of a website or computer network, oftentimes employed in
order to gain access to stored confidential information. Installing viruses
or malware (malicious code), interrupting the functionality of all, or
part, of an online program, or changing a computer’s or phone’s hardware or
software are all forms of cyber-attacks. A small business can take the
following actions in order to protect its company’s website, hardware, and
stored proprietary information.

Maintain Control Over Your Security Chain

The old adage “a chain is as strong as its weakest link” holds true for
Internet security. You need to maintain control over the applicable website
(and company's) entire security change. One weak link leaves a website (and
the company that maintains it) open to attack. Perform network scans
regularly in order to assess all vulnerabilities.

Implement Security and Protection Measures

In order to ward off potential attacks, you should only grant computer
access to those who absolutely require it to fulfill work related
obligations. Have any and all such individuals execute a data protection
and confidentiality agreement. Passwords should be protected as well,
difficult to guess, and frequently changed. Use data encryption and secure
configurations wherever practically possible. All computer network usage by
employees, agents, and other third parties should be closely monitored on a
regular basis. Remote access should never be granted unless absolutely
required to fulfill work duties. Up-to-date anti-virus software should be
loaded onto every computer in the network.

The strength and efficacy of all security measures should be tested on a
regular basis. Monitor and manage all log files to detect, record, and
maintain reports of any security incidents. Develop and implement strong
network security architecture and controls, including network segmentation,
firewalls, intrusion detection services, and data loss prevention software.
Employ security-by-design principles in order to build security directly
into commonly used applications and systems. Cyber liability insurance
should also be obtained in order to protect against financial loss in the
event of any attack.

Involve Law Enforcement Upon Detection of an Attack

Large cyber-attacks should be promptly reported to law enforcement in all
applicable jurisdictions. A company liason should be appointed to supervise
the communications. The following agencies are responsible for handling
Internet crimes: (i) the FBI; (ii) the US Secret Service; (iii) the U.S.
Postal Inspection Service; (iv) The Bureau of Alcohol, Tobacco, and
Firearms; and (v) The US Immigration and Customs Enforcement. The
Department of Justice provides information respecting the appropriate
agency to contact depending upon the type of cybercrime being reported. The
Internet Crime Complaint Center, a partnership between the FBI and the
National White Collar Crime Center, is another excellent resource for
reporting cybercrime.

The primary statutes addressing cybercrime include: (i) the Computer Fraud
and Abuse Act (CFAA), the main federal criminal statute regulating computer
crimes which criminalizes, among other things, accessing a computer or a
computer network in access of one’s authorization; (ii) the Wiretap Act and
Electronic Communications Privacy Act, a federal statute which prohibits
the interception, use, or disclosure of wire and electronic communications;
and (iii) the Stored Communications Act, a federal statute which
criminalizes the intentional, unauthorized access of a facility through
which an electronic communication service is provided.

Additional Actions to Take After a Cyber-Attack

When faced with evidence of a cyber-attack, big or small, make sure to
preserve all evidence. A failure to do so can adversely affect a civil or
criminal action down the road. Someone at the company should also make sure
to prepare and file all legally required disclosures. For example, the SEC
requires public companies to disclose certain data breaches, as does the
Health Information Technology for Economic and Clinical Health Act (HITECH)
and the Gramm-Leach-Bliley Act (GLBA), among other federal statutes.

Security testing should be performed immediately upon learning of an attack
in order to identify the locus of the breach and mitigate damage to the
extent possible. Inform proper personnel designated to handle any such
attacks. Implement an effective incident response plan. Consider engaging
the services of an experienced cyber consultant. And with respect to the
reputational fallout that may ensue, a public relations expert could help
to communicate the attack to the public and confirm that the company is
doing everything possible to mitigate damages and prevent future attacks of
this nature.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170512/97b4a0b7/attachment.html>

More information about the BreachExchange mailing list