Whatever your place of business, whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees.
Every organization needs a plan for employee education, training and awareness that emphasizes risk management, resistance and resilience. Week 2 will showcase how businesses of all types can protect themselves, their employees and their customers against the most common cyber threats. The week will also look at resources to help organizations strengthen their cyber resilience, including the National Institute of Standards and Technology Cybersecurity Framework.
The first step in protecting a business from cyber threats is to identify the “crown jewels” of your business: the assets and systems that are critical to your business, without which you would have difficulty operating if they were lost or compromised, and/or which could be a high-value target for cybercriminals.
Always think broadly about critical assets. They could be data such as customer or employee data, systems such as ordering, inventory or scheduling and/or intellectual property.
Sometimes businesses think: why would I be a target? I am small, and what I have may not be of value. According to Trend Micro, everything from cell phone numbers to email addresses has a value on the black market. Furthermore, cybercriminals target banking information in order to steal money directly.
Once a business understands the value of its data and technology, it is better positioned to protect them from theft.
Identifying and creating an inventory of technology and data assets is the first step in the CyberSecure My Business Program. Businesses can create their own inventory lists or choose from the resources below.
Remember, inventory lists should be living documents and updated regularly. They also need to be stored securely with multiple copies, including a backup kept offsite.
Once you have identified your “crown jewels” and critical assets, build your cyber protections around these first as you create a trajectory forward to protect your entire business. Ultimately, your goal is to build a culture of cybersecurity in which employees know how to protect themselves and the business and understand the cyber risks as your business grows or adds new technologies or functions. Protections will include implementing cyber protections on core assets and implementing basic cyber hygiene practices across the business.
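As an added example (not from the original page or the CyberSecure My Business program), here is a small inventory kept as plain CSV text, with two checks a business owner would want: which assets to protect first, and which entries are overdue for review. The column names, sample rows and the 90-day review interval are assumptions made for the example.

```python
"""Asset inventory as a living document (added example, not part of the original page).

Keeping the inventory as plain text makes it easy to store securely, copy and
back up offsite. The columns, sample rows and review interval are constructed
for this example.
"""
import csv
import io
from datetime import date

# Constructed sample inventory: asset, kind, criticality (1 = crown jewel, 3 = low),
# owner, and the date the entry was last reviewed.
INVENTORY_CSV = """asset,kind,criticality,owner,last_reviewed
Customer database,data,1,Operations,2023-01-15
Ordering system,system,1,IT,2023-05-02
Product design files,intellectual property,1,Engineering,2022-11-30
Office printer,system,3,Office Manager,2023-06-10
Marketing mailing list,data,2,Marketing,2023-03-20
"""


def load_inventory(csv_text):
    """Parse the CSV text into a list of dicts with typed criticality and dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["criticality"] = int(row["criticality"])
        row["last_reviewed"] = date.fromisoformat(row["last_reviewed"])
        rows.append(row)
    return rows


def crown_jewels(inventory):
    """Assets to build protections around first (criticality 1), alphabetically."""
    return sorted(a["asset"] for a in inventory if a["criticality"] == 1)


def stale_entries(inventory, today, max_age_days=90):
    """Entries not reviewed within max_age_days: a living document must stay current."""
    return [a["asset"] for a in inventory
            if (today - a["last_reviewed"]).days > max_age_days]


def protection_order(inventory):
    """All assets ordered by criticality, so protections roll out to crown jewels first."""
    ordered = sorted(inventory, key=lambda a: (a["criticality"], a["asset"]))
    return [a["asset"] for a in ordered]


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("Protect first:", crown_jewels(inv))
    print("Overdue for review:", stale_entries(inv, date(2023, 6, 30)))
    print("Rollout order:", protection_order(inv))
```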
Now that you know the assets of your organization, Step 2 is to implement protections. While what you need to do will be based on your assets, protections may include:
– Locking down logins: Using stronger authentication to protect access to accounts and ensure only those with permission can access them. This can also include enforcing strong passwords.
– Backing up data: putting in place a system–either in the cloud or via separate hard drive storage–that makes electronic copies of the key information on a regular basis.
– Maintaining security of devices over time: This includes ensuring that software patches and updates are applied in a timely fashion.
– Limiting access to the data or the system only to those who require it.
Train Employees
Creating a culture of cybersecurity is an important element of building a cybersecure business. That culture is created by establishing the cybersecurity practices you expect your employees to follow, training them, and reinforcing that training so you have confidence the practices are being followed. Employees should know:
– Why cybersecurity is important to protecting your customers, their colleagues and the business
– The basic practices that will keep them and the business cybersecure (see basic hygiene below)
– How to handle and protect personal information of customers and colleagues
– How and when to report cyber incidents
– Any specific use policies that your business has, including what websites they can visit, the use of personal devices in the workplace, special practices for mobile or work-at-home employees, etc.
Basic Cyber Hygiene
Having everyone in the business follow these STOP. THINK. CONNECT.™ tips will help you make significant strides in protecting your business:
– Keeping a clean machine: Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network. If employees have any responsibility for making sure the devices they use have updated software, train them to apply those updates as quickly as possible.
– Following good password practices: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”).
– Don’t reuse passwords: At a minimum, work and personal accounts should have separate passwords.
– Lock Down Logins: Whenever possible, implement stronger authentication, sometimes referred to as multi-factor authentication or two-step verification.
– When in doubt, throw it out: Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company’s spam filters and how to use them to prevent unwanted, harmful email.
– Use WiFi wisely: Accessing unsecured WiFi is very risky. If you have employees who need WiFi access out of the office, use a virtual private network (VPN) or a personal hotspot.
– Backing up their work: Whether you set your employees’ computers to back up automatically or ask that they do it themselves, employees should be instructed on their role in protecting their work.
– Staying watchful and speaking up: Your employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.
– Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.
Detection is all about knowing when something has gone wrong. We have fire alarms in our businesses and homes that alert us to problems. In cybersecurity, the faster you know about an incident, the quicker you can mitigate the impact and get back to normal operations.
Detection is about knowing the threats applicable to your business, having cybersecurity products or services that help monitor your networks, having well-trained employees who can spot things that aren’t right and report them, and, in some cases, even having your customers alert you when cybercriminals are trying to gain access to your system via customer credentials.
Knowing the Threats
Not all threats in cybersecurity equally impact your business. Some, like broad ransomware attacks, are designed to infect any vulnerable system anywhere. In other cases, attacks may be motivated by the type of business you are in and the value of what you have. For example, if you are in the retail business, cybercriminals may be looking to steal customer payment data or access a bank account. If you are in manufacturing, maybe stealing your intellectual property or disrupting your operations is the goal.
You don’t need to be a cybersecurity expert to ensure that your business is protected, but it is critical that you understand the online threats to your company’s network. Awareness of key threats will enable you to employ practices and behaviors that limit your company’s risk.
Below is a list, by no means all-inclusive, of some common threats.
Ransomware
Viruses and spyware can enter your computer through emails, downloads and clicking on malicious links.
– Viruses can enable hackers to steal valuable corporate, customer or employee information, distribute spam, delete files or crash your entire computer system.
– Spyware programs allow hackers to monitor your online activity and steal passwords, records and other valuable data.
Business Email Compromise
Emails sent to business leaders or others encouraging a payment of, for example, an overdue invoice that is actually a fake invoice designed to generate a payment to a cybercriminal.
Phishing
Phishing attacks usually use fraudulent emails to trick people into sharing information they shouldn’t. For consumers it could be personal data, such as Social Security numbers, or financial information (e.g., credit card account numbers, usernames and passwords). In your business, it could be getting employees to share network credentials or to infect your system by clicking on links or opening infected documents.
How Phishers Attack
– Fraudulent emails: Phishers trick consumers and employees by sending them emails that appear to be from reputable organizations, such as a bank, retailer or credit card company. These emails include Web links that take consumers to a fake Website where they enter their personal information.
– Posts on social networks: Phishers use fraudulent posts (sometimes by hacking the accounts and distributing messages to groups of friends) to get people to click on links they shouldn’t.
– Text messages: Like social network posts, text messages can include links to dangerous sites and infect mobile devices.
– Spoofing your brand: using your good name and brand to send emails to your customers that look like they come from your business and encouraging them to click on a link or download a document.
– Spear phishing: targeting your business and employees directly using email and other messages that look like they come from a customer or another business you work with (like a vendor) to try to specifically compromise your business.
Industry and Other Specific Threat Information
Depending on your business, participating in a threat sharing service may be an important step. More and more industries are creating specific threat sharing services for their community, some threat sharing collaboratives are emerging by geography, and there is an emerging threat sharing industry offering subscriptions to threat information. Some services deliver this information via email and some have portals to view information. Explore with any trade associations what information or recommendations they have.
Services
In some cases, like ransomware, detection of an incident is easy, as the cybercriminals will make their presence clearly known. Well-trained employees will let you know if they are receiving phishing or suspicious communications. Basic security services such as security software will inform you of some threats, like potential phishing websites, or scan attachments and notify you of any threats. Some strong authentication tools will inform you when they detect a new user trying to access your system. However, many attempts to compromise your business will, by their nature, be attempts to gain access without being noticed.
You may want to consider improving your protections by using some kind of network monitoring service that helps to detect incidents. The availability of cybersecurity tools and services is growing. You should work with your IT department and/or vendors to discuss what kinds of services and tools would best match your business.
Even when we take all the precautions we can, incidents can still happen. Being prepared to respond in a thoughtful and comprehensive manner will reduce risks to your business and send a positive signal to your customers and employees. Therefore, planning for a response is critical.
A data breach where information is lost can also come with legal obligations depending on the state(s) in which you operate and the size of the data loss. In some industries, such as healthcare, you may be subject to other laws and regulations regarding data loss.
It is likely that any data breach or cyber incident will require participation from a number of your key employees, consultants or vendors including legal, public relations/communications and IT.
The good news is that preparing to respond to a cyber incident is not unlike preparing for other events that could impact your business, like natural or manmade disasters. Building your cyber incident response can tap your other operational knowledge and experience.
You will need to be ready to:
– Resolve the problem (e.g., fix your network, restore data)
– Identify what’s been lost and who has been impacted
– Continue operations while problems are fixed
– Communicate with stakeholders (e.g., customers, employees and perhaps the general public)
– Comply with applicable laws and reporting
– Report to appropriate agencies
Resolve the Problem
In many cases, you will know that an incident has taken place before you know how it happened. You may find out that records have been lost or that your systems are no longer working. One of your first efforts will be to resolve the initial problem and make sure that the systems or issues are fixed so the hack no longer continues.
Identify What Has Been Lost
You can’t fully evaluate what to do until you know what’s been lost and the impact of that loss. You will have broad-reaching concerns about what the impact will be over time. However, addressing immediate needs should be the first priority. For example, if cybercriminals have stolen money from a company bank account, notifying the bank, changing credentials (e.g., passwords) and reviewing the accounts for other losses may be the first order of business. Being thorough is important. It is not uncommon to think you know what’s been lost only to find later that more information has been lost and the number of people impacted is greater than first estimated.
Continue Operations
Ideally, you want to respond to a cyber incident by mitigating the impact on your ability to keep the business up and running. That’s why planning is so important. You need to understand how you would access some key information if your systems were down. Based on your business type, some of these could apply:
– Order taking
– Customer and employee communication
– Electronic or other payments
– Inventory tracking
– Dispatching employees to jobs and tracking progress
– Customer data allowing you to service their needs
– Appointment calendars
Communicate
How you communicate after a cyber incident will leave a lasting impression. Do a good job, and people will remember. Do a bad job, and people will REALLY remember. How, when and what to communicate is decided on a case-by-case basis. Some companies have waited until they know everything they can, and others have chosen to begin notifying people immediately. A lot will depend on who is impacted and how it might change their interaction with your business. For example, if your online ordering is down and you need to switch to a call system, that will need to be communicated ASAP. Alternatively, if you want to be able to reach current and former customers who may be impacted and provide as much information as possible about what happened and how you will be helping them, you might need a bit of time.
Decisions about communications should be made with PR/communications and legal expertise to ensure your messaging is appropriate and what you say complies with any legal requirements.
Reporting
In consultation with your legal advisors, IT and communications teams, you will want to decide if and to whom you will report a cyber incident. Many businesses do routinely report events to law enforcement for a few reasons: if you were attacked, it’s likely others may be subject to the same attack, and information from yours might help prevent others, and/or evidence from your attack could help the investigation and prosecution of cybercriminals. Federal law enforcement, including the FBI and the Secret Service (financial crimes), along with other agencies, gathers incident reports. Check out this guide for agency contacts and to ensure you report to the appropriate agency.
Comply with Applicable Laws
Nearly every state has a data breach notification law. Note that the law relating to your business is the one in the state where your customer resides, not the state where your business is based. You should discuss requirements based on the state(s) you operate in with legal counsel in advance of a breach or incident. Before a breach, know your responsibilities, the time frames under which you need to act and what you might need in place, such as mailed notifications or credit monitoring services for customers.
The final step of making your business more cybersecure is the recovery efforts that follow response to a cyber incident. Like the response step, recovery requires planning. The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations and the ongoing efforts at mitigation and continuous improvement over time.
Some examples of how recovery might work:
– You had a ransomware infection. You discover the cause was the system running an older, unpatched version of an operating system and you bring that system up to date in response and get the system working again. During the recovery step you would implement more defined procedures for ensuring that all systems are updated in a timely fashion and tracking the current software state in each critical system.
– Your system was compromised and customer data was lost when an employee lost their password. You respond to your customers following any state laws and with the advice of communications and legal counsel. Moving forward, you look to implement stronger authentication or better password practices. You start an employee training program on phishing and protecting credentials. Furthermore, you establish and train on policies about what websites and apps employees are allowed to use at work.
– Your business falls victim to business email compromise and a payment was made to a cybercriminal through the scam (usually a request for immediate payment on an invoice). You respond by working with your bank to see if the payment can be returned or stopped. During recovery, work with your bank to see what other controls might be available on accounts before payments are made, train employees on phishing and email security, and subscribe to an information feed on threats appropriate to your sector to increase awareness of the threat environment and share it with appropriate staff.
Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization, including increasing the focus on planning for future events such as:
– Holding a cyber exercise (a simulated attack to evolve your response).
– Reviewing staff’s capabilities and investing in staff development in cybersecurity including additional training, education or certifications.
– Having a new staff onboarding process that includes cybersecurity training and demonstrated knowledge of key network and other workplace policies.
– Developing regular metrics and communicating them to key staff about the status of your business’s cybersecurity.
– Continuously monitoring the cyber health of your organization.
– Implementing a risk review of new technologies you may incorporate into your business and plans for maintaining the cybersecurity of the new technology over time.
Taking these steps will help you with the other steps in the cybersecurity framework going forward and may help mitigate the losses during a future incident.