Target, eBay … and You?
Cybersecurity threats are real, even for small businesses
What does your business have in common with Target and eBay? Preferably, not the cybersecurity weaknesses that recently cost millions of dollars, exposed 100 million user records, and created lost consumer confidence that will last for years to come. But your business is just as vulnerable if you are not devoting time to the security task. As the Symantec Internet Security Threat Report noted in its review of 2013, “any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.”
“C” level executives (CEO, CFO, CTO) must put cybersecurity on their “to do” list. This article removes technical complexity and presents understandable and easily executable best practices as important first steps. If you are doing the basics, congratulations, you are in the top 20 percent. Extending security should follow into every part of the business, from marketing to social media to product deployment.
Understand the Business Risk
The good news is that mistakes are preventable and vulnerabilities are correctable – or, at least, manageable with due diligence. Pay attention to the details of network security and create an action plan as the cornerstone of managing cybersecurity risk. Hackers and thieves are looking for the weakest link. Implementing simple and strategic security policies and procedures can protect you from 98 percent of the threats.
The starting point is knowledge about the data you hold and the risk it brings. Understand the data controls and eliminate unnecessary access. Blind trust is misplaced, and you must provide for audit and validation. Regular audits close vulnerabilities and eliminate malware. Do you audit financial statements? Of course. Validate insurance claims? Certainly. Every valuable corporate resource should be audited, and controls should be triple-checked to ensure proper asset utilization. Alarm and customer data is too precious to rely on processes only.
Data Needs Protection
Guidance from professionals is needed to define the cybersecurity action plan. External experts who live in the gray world of data communications are available in every locale. Look for specialists in your field. Signaling, hosted solutions, credit card processing, HIPAA, DOD, and SEC compliance may all be considerations in your selection of an expert person or firm and may be included in a security audit. Diligent network scrubs and vulnerability scans are important defenses that help to keep a business off the casualty list.
Securing the personal information of customers must be a priority. In addition to credit card and billing data and demographic and contact information, passcodes, when used, must be considered. Since people reuse them, a passcode may provide a hacker access to bank or credit card accounts.
Create an Action Plan
Too often, the complexity of security seems overwhelming. A good place to start is with basic safeguards and vulnerability audits. Recognize that, in 2013, companies took an average of 229 days to detect network malware, according to the Mandiant Threat Report. Several affordable best practices should be implemented, including:
Create a protected perimeter
- Firewall – Protect the castle with a wall. Any network or device that is not under your security control should be separated from your internal networks with firewalls. Purchasing equipment is a start, but make sure the firewall is updated on a continuous basis.
- Intrusion Detection Services (IDS) – Defend the perimeter with active monitoring of activity through the gates. Attacks can delay signals or compromise voice communications. IDS are available from companies that sell firewall services.
- VPN Access – Any internal data that passes outside the perimeter must be secured. Require secure credentials and encryption for all external users that are allowed inside. VPNs are simple and secure.
Know your internal operating environment
- Conduct a network audit – The network design should be fully documented with IP addresses, device names, networks, communication connections, and services. Any IT company should be able to help.
- Create a data map – Where is the credit card information, site data, passcode data, etc. stored? What users/applications have access to that data?
- Passwords – Develop a multi-level plan for secure access to internal equipment (i.e. servers, routers, etc.). Also, plan for individual users accessing or changing any data.
- Remote offices and mobile users – PCs, mobile devices, and branch offices are all part of the security landscape. Remote office connections should be secured outside the firewall if the devices and networks at the location are not under your security control. Develop standards for mobile devices that ensure that company data is secure.
- Desktops and servers – Purchase antivirus and antimalware for every workstation and server.
Improve defenses with active cybersecurity services
- Vulnerability assessments – All Fortune 500 companies use security audits as an anchor for ensuring quality delivery. Changes in devices or employees bring new risks to review. Assessing change and the impact on operations requires continuous vigilance.
- External vulnerability – The first line of defense is the perimeter. Make it secure and conduct semi-annual audits. Large companies often conduct quarterly audits.
- Internal vulnerability – The greatest risk comes from inside the organization. An audit can expose many problems with staff and systems. This is more expensive than an external vulnerability audit and should be done at least annually.
- Device monitoring – Bandwidth utilization and equipment performance measurements are great indicators of potential security problems. In addition, you may find unpatched equipment or users who are abusing access privileges.
Create (and practice) an Incident Response Plan
- Be prepared to act quickly – Once a breach is detected, you must move fast to minimize the damage. During the attack is not the time to figure out what to do. All shifts should be familiar with the response plan and know their roles and responsibilities, including such things as which firewalls to turn off and what cables to unplug. The protection of the automation systems under attack should be as quick and simple as possible.
Looking to the Future
The latest high-tech offerings come with greater risks of exposure and vulnerability through unprotected networks. New products and services must be assessed for risk. IP services increase the risks – even into our kitchens and automobiles – that these new devices create by opening other angles for hackers to attack. Symantec’s 2014 Internet Security Threat Report describes this predicament: “Baby monitors, as well as security cameras and routers, were famously hacked in 2013. Furthermore, security researchers demonstrated attacks against smart televisions, automobiles and medical equipment. This gives us a preview of the security challenge presented by the rapid adoption of the Internet of Things (IoT).”
The goal must be to provide both the most innovative products and the protection that customers deserve. There is no instant solution, nor does one size fit all. Put security into every product and business decision.
And consider putting the annual Internet Security Threat Report on your reading list. It is released each April and is well worth an hour of your time.
The final key step is to commit to a continuing solution through an annual budget. Initial costs for documentation and professional security auditing and vulnerability studies create a baseline for future work. Information such as credit card or medical data will add to the basic security requirements. It is not unusual for companies to spend 0.5 percent of annual sales on business security, much more than even five years ago.
Maintaining a secure environment is like insurance: It’s not something you want to spend money on, but it is something you cannot live without. A severe breach is expensive and potentially devastating. Find the time and resources to implement the above solutions, and you will save a substantial amount in the long run.
The world of cybersecurity was rocked in August by a mega-breach involving 4.5 billion stolen credentials from more than 400,000 websites. Cyber criminals collected data from those various sources, created unique identities, and then matched the data with other stolen information, such as bank accounts. The fallout from this event affects more than 1.2 billion individual identities around the world. It is likely that simple exploits were used against many unprotected sites and a lot of unprotected data.
The Internet of Things is a dangerous place. An ounce of prevention is critical. A pound of cure may be too little, too late.
Hank Goldberg is vice president of Secure Global Solutions (www.secglobe.net). He can be reached at firstname.lastname@example.org.