Source: Results Technology | Michael Gilmore | July 4, 2016
What, me worry? Once, not so long ago, IT security (now commonly rebranded as cybersecurity) was considered the concern of large organizations and governments protecting proprietary information. Antivirus and a decent firewall were enough to protect my small business. “After all, I’m too small to have anything of interest to hackers.”
That is no longer the case. Last year, malware attacks doubled to nearly 8.19 billion instances (Dell 2016 Annual Threat Report). It is frequently estimated that 100% of U.S. businesses have had some level of cybersecurity breach. The new breed of “ransomware” means that hackers don’t care what kind of data you have on your computers, they just know that you care enough to pay a ransom to get it back.
“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access” (WhatIs.com).
How do you develop a solid Cybersecurity defense in your business? Follow the Five P’s: Policies, Permissions, Patching, People and Program!
Policies are set by management to let everyone know how important data and applications are to your business. These policies should be written documents shared with all employees and vendors that provide IT services to your company.
Policies should be based on a realistic evaluation of your security risk. That risk evaluation should include consideration of data loss (ransomware), data exploitation (loss of reputation, identity theft), direct monetary loss (CEO wire scheme), system downtime and loss of business.
Policies set the standards by which that risk is managed, setting the appropriate level of controls versus cost (actual, lost time, lost efficiency, regulatory penalties). Every business is different, just don’t assume you’re immune.
Set your backup and restoration goals based on business requirements. Provide a safe backup with multiple restore points for recovery from malware encryption.
Don’t forget an actual insurance policy – cyber liability insurance can protect you from the aftermath of a breach. Having solid written policies, procedures and controls can reduce your cost of insurance as well as reduce your likelihood of infection.
You may trust everyone in your company, but it is still important to limit access to data and systems to individuals on a “need-to-know” basis. This concept of least permissions is not just to limit visibility of data, but to limit potential damage to critical information in the event of a breach. Review access requirements for all employees and consider the following:
- Assign the least permissions necessary for specific jobs.
- Use strong passwords and change them at least quarterly.
- Limit remote access and manage firewall rules to limit unnecessary internet traffic.
- Limit use of mobile devices – “Malware for the Android ecosystem continued to rise compared to 2014, putting the lion’s share of the smartphone market at risk” (Dell 2016 Annual Threat Report). At the very least, make sure that all employees sign an acceptable use policy for using company mail on a personal phone.
- Keep business separate from pleasure. Don’t use business machines for personal “chores.” Provide guest wireless for smartphones, or a “break room” PC with an internet-only connection that you can reload frequently.
- Don’t ignore physical security – protect data by providing a safe, secure and electronics-friendly space for critical equipment and data storage.
- Implement data encryption on laptops and removable media that can’t be physically secured at all times.
Security patching is critical to a cyber-secure environment. Software and antivirus publishers continually turn out security patches in a race with the bad guys who find new ways to use installed programs and operating systems to their advantage.
The majority of malware infestations can be traced to unpatched systems, or to operating systems that are no longer receiving security patch updates.
A 2015 report from Secunia, a provider of IT security vulnerability management tools, finds that the number of users running unpatched operating systems is 12.6 percent, while the number of users running applications after end-of-life support is nearly six percent. The report also finds that the most exposed programs include Oracle Java, Apple QuickTime, and Adobe Reader. Finally, Secunia reports that 11 percent of Microsoft Internet Explorer installations are unpatched.
It is not enough to turn on automatic updates. Make sure all systems are patched (Microsoft, Adobe, Java and all browsers) and antivirus current. One unpatched computer is all it takes.
Keep antivirus active and with current definitions. A best practice is to run a separate malware scan on a regular basis. And remember, it’s not just for Windows anymore: instances of malware on Apple and Android systems are growing rapidly.
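“It is not enough to turn on automatic updates” is easy to say and hard to verify. The following PowerShell script is an added example, not part of the original article: a read-only audit of one Windows PC that lists pending Windows updates through the Windows Update Agent COM API, reads installed versions of the products named above from the registry Uninstall keys, and shows what Windows Security Center knows about antivirus. It assumes PowerShell 3 or later on a Windows client edition, run with local administrator rights; the product name patterns are assumptions you should adjust to your own software inventory.

```powershell
# Added example (not from the original article): answer "is this Windows PC
# actually patched?" instead of trusting that Automatic Updates did its job.
# Assumes PowerShell 3+, Windows client edition, run as local administrator.

function Get-PendingWindowsUpdates {
    # Ask the Windows Update Agent for updates that are neither installed nor hidden.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical/Important/...; empty for non-security updates
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

function Get-ThirdPartyVersions {
    # Installed versions of the programs the article singles out, from both the
    # 64-bit and 32-bit Uninstall views. Compare these against vendor release notes.
    # The name pattern is an assumption; extend it for your own inventory.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Adobe (Reader|Acrobat|Flash)|Chrome|Firefox|Silverlight|QuickTime' } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName
}

$pending = @(Get-PendingWindowsUpdates)
"Computer: $env:COMPUTERNAME"
"Pending Windows updates: $($pending.Count)"
# Security updates rated Critical or Important are the ones that must not wait.
$pending | Where-Object { $_.Severity -in 'Critical', 'Important' } | Format-Table -AutoSize

"Installed third-party software to check against current vendor versions:"
Get-ThirdPartyVersions | Format-Table -AutoSize

# Antivirus products registered with Windows Security Center (client editions only).
# productState encodes enabled/up-to-date flags; a missing product is the first red flag.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState
```

Run it on every machine, not a sample: as the article says, one unpatched computer is all it takes.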
Here’s a hard truth: even with the best firewall, antivirus and fully security-patched systems, you are still vulnerable to malware and phishing attempts. All it takes is one ill-advised click on an email, attachment or web-link. Easily obtainable tools (exploit kits) give “attackers limitless opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight” (Dell 2016 Annual Threat Report).
What’s the answer? Train your people on security awareness to recognize phishing attempts and resist clicking. Phishing is the number one vector for malware infestation. On June 1, 2016 CSO published an article about a PhishMe report which reveals that a whopping 93 percent of all phishing emails contain ransomware. To make matters worse, endpoint security tools are not catching up with the now more than 100 different ransomware strains (KnowBe4).
Security awareness is the single most effective step you can take to protect your business from external threats. A training program with regular refreshing provides instruction on recognizing the warning signs of phishing and reinforces the basic rule to “think before you click.”
It’s a great idea to follow up training with regular testing by sending realistic but benign phishing emails to see who’s click-prone, and to keep employees on their toes!
The last “P” is Program. It is necessary to continually revisit all aspects of cybersecurity on a regular basis. Roll all of these components into a comprehensive IT security program that you review and renew on an annual basis:
- Assess your security risk.
- Set and enforce policies based on that risk.
- Set permissions to limit potential data loss or security breach.
- Patch all systems and keep them current.
- Train your people to recognize and avoid phishing attempts. Regularly review and repeat the cycle.
And remember, you’re not alone.