In today’s ever-changing technology world you constantly hear about cyber security and data breaches. It leaves many small and medium business owners wondering what they can even do. You might be sitting there asking yourself, “If the Russians are out here hacking away, what chance do I have of protecting myself?” This is no easy task. Cyber security is multifaceted and ever evolving. Mix in an ENORMOUS shortage of security professionals and it just feels like, “why try?”.
I want to break it down into 4 sections of what we talk about for reducing risk to your business. Make no mistake, it’s impossible to eliminate risk. Some of these principles can be applied outside of cyber security, but we are going to focus on how you can minimize the security risks to your organization.
The 4 areas we focus on when talking to any client are:
Avoid – What could you do or change to avoid risk?
Reduce – What services and policies can you put in place to reduce your cyber risk? Backup, Security Policies, Security software, etc.
Transfer – Cyber Insurance to transfer all the risk that you can’t avoid or reduce.
Accept – Any risk that hasn’t been dealt with either needs to be addressed or accepted.
We find far too many people are accepting too much risk. It’s easy to minimize it, you just need to make sure you spend the time and effort to find out what you can Avoid, Reduce, Transfer and Accept.
The first line in the sand is to find out what risks you can just avoid. Most of the ‘Avoid’ section is based on policies and end user behavior. For example, don’t keep credit card numbers in any way, shape or form. Get a payment portal for your end users to use; you should never have written-down credit card numbers. Ever.
Since I’m a list kind of guy, let’s get to it!
- What are your company policies on items such as:
- BYOD (Bring Your Own Device): have you written strong policies that make sure anyone who connects to your company network has proper security in place?
- What Data do you save, and how do you save it (i.e. credit card data or PII)? Is it encrypted?
- Who has access to what data? Are there policies in place to restrict people to the smallest set of data they need to work easily?
- How do employees work remotely? What security is in place?
- How do you ensure employees that leave the company are locked out of all the systems? You would be AMAZED at what we find here. We recently took over a customer from a competitor, and a password that was set up for us 2 years prior to do some tasks was still working!
- How about wire transfers? Bad guys love to target wire transfers, so make sure you have a policy in place on how they can be done. And if you don’t ever do them, let the bank know NOT to let anyone wire money from your account.
- Don’t use public Wi-Fi
- Don’t do banking on insecure devices
- What does your hiring process look like? Do you have ways to avoid risk such as calling references and doing background checks?
The list can go on and on. What is important is to take some time, sit down and think about your business, your processes and what you do on a day-to-day basis. Is there something you can change or stop doing to avoid risk? What employee behaviors do you tolerate that are introducing risk? Walk around your office and look for passwords written down; look under keyboards and on monitors. You will be amazed how much risk is staring you in the face!
Your Challenge for today is to make a list of items that introduce risk that you can just stop doing. Then look at what policies and procedures you can create to avoid risk and implement them. Change is hard, but risk sucks more.
Life is fraught with risk and we typically work to reduce that risk as much as possible. When you started your business or made that recent job change, did you do it on a whim or did you put an enormous amount of thought and work into it? You looked at the risks and how to minimize them. People work to minimize operational and cash risk, but then just wander out onto the internet skipping along without a care in the world! Maybe you bought a Mac and said ‘I don’t need anti-virus software, Macs are unhackable’ (they aren’t)! Or you went and purchased all this cloud software without ever thinking about the security side of things. So, how do you reduce your cyber security risk? Let’s get to it:
I hate to say this, but employees are your biggest risk. It’s not that they really want to harm your company, it’s just that they trust everyone and everything by nature. Did you know that 93% of hacks these days start with email! EMAIL! One of the best things you can do is invest in training for your employees. You should do regular cyber security training and phishing attack simulation. These don’t have to be complicated, but they do need to be regular. We offer a free weekly tech tips email that is packed full of great tech and security tips, as well as phishing simulation training if you need that. Sign up here if you are so inclined: https://www.bazarsolutions.com/cyber-security-tip-of-the-week/
Layers of Security
Just having anti-virus isn’t real security. You need layers. I can hack around one or two, maybe 3 or 4, but as you layer on security it gets harder and harder to break in and stay in your network. So the bad guys give up and move on to easier targets, because there are so many. You should have at a minimum:
- Commercial Firewall – get rid of the junk you bought at Amazon or Best Buy. Find a firewall that has built-in security features like Intrusion Prevention and Anti-Malware.
- Content Filtering – Many commercial routers can include this, but we suggest going with a 3rd party as well. The product we use has an agent we install on all computers so the content filtering follows the user home or on the road. Make sure you are blocking anything that creates risk. Dirty pictures could be a ‘hostile work environment’ lawsuit, and it is pretty self-explanatory why malware, botnet and hacking sites are bad.
- Endpoint Security – Don’t just settle for the cheapest A/V you can find. You need to look for next-gen features like machine learning and behavior-based scanning. Ransomware has gotten good at getting around many traditional anti-virus vendors, but behavior-based scanners will shut it down quickly.
- Network Security – How are you protecting your server? If you have really critical data we recommend Security Information and Event Management (SIEM). This, coupled with new advanced threat hunting services, makes it hard for hackers to stay in your systems. The current data says that it takes on average over 190 days for someone to detect a breach. With proper monitoring in place you can cut that down to days or minutes. Network security also encompasses VLANs (virtual networks) to segment data within your own network. Basically we tell voice to be in one virtual network and general network traffic to be in another. You can then segment R&D, servers, IoT devices, etc. and control access between networks easily. It helps to minimize the damage if someone does get into your network.
- Dark Web Monitoring – If you have passwords for sale on the internet it’s basically equivalent to handing the keys to the front door to a total stranger. “Please don’t steal my stuff”. By monitoring the dark web for stolen credentials you can stay one step ahead and change your passwords before they are used to access your data.
- Two Factor – 2FA, as they call it for short, is when you have to enter an additional code sent via email, text or an app to log into your applications. We recommend you turn this on anywhere and everywhere that it is supported: Amazon, eBay, banking, your email, etc. You can also find many 3rd party companies that will sell 2FA services for apps that might not natively support it.
Policy and Procedures
This is one of the boring sections, unless you love policy. You probably have a policy for who gets keys to your building, but never stopped to think about who has access to your many computer systems and passwords. How many of you have a password taped to your monitor right now? Maybe under the keyboard because you are ‘sneaky’. Have you ever given a password to a co-worker or maybe a vendor because it was easier than creating them one? That’s how Target got hacked: someone stole credentials from a 3rd party HVAC company and used those to gain access to the Target network. You should create policy for:
- Passwords – how long, how to store them, when to change them, and not to share them. Make sure you use the new research that says changing them often is actually worse: go for long and change it less frequently. We recommend people use 4 unrelated words for their password. Put yourself in someplace you can pull up in your head (your living room, for example) and then pick 4 random objects. Bam, new password. https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
- Data Access – Most people will make sure financials are secured, but then don’t put any thought into the rest of their data. What about HIPAA? Do you need to restrict PII data? Do you run a manufacturing plant and hold other companies’ secrets or IP? That data should be restricted to the smallest group that needs it to complete their job functions.
- Acceptable Internet Use – Can you do whatever you want on your company network and computers? Most places don’t have restrictions in place but should. We run dark web searches all the time and find people using company email addresses for non-work-related sites. Some are for the kids’ school, and some hacked passwords we find are for hookup and less reputable sites. You don’t want your company associated with those, plus it’s a bigger risk exposure if employees are using work email for personal accounts. Tell them they can’t. Create a policy that says what they can do with company assets and what they can’t do. Make sure you include language that limits what sites they can go to (work related), because the last thing you probably want is getting a virus from a porn site.
- Remote Access – Make sure you have a policy on how people can access cloud apps or remotely access your company network. Can they use home computers? Do those home computers need to have A/V on them? What type? Can they use a public computer? (NO THEY CAN’T!) There are a ton of questions to think through on how you want to allow remote access and keep your data secure.
The list of policies and ways to reduce risk can go on and on. It’s imperative you sit down and think through your business, and we recommend that you get a trusted IT professional involved as well. Don’t go ask your buddy that’s “good with computers”; you need to have the services of a REAL IT company. Someone that has experts on staff and spends lots of time working to protect other people’s data. Ask them about their security policies: do they do 2-factor, how do they train their staff and what layers of security do they have? Just make sure you’re not sticking your head in the sand and saying, “it won’t happen to me! I’m too small for anyone to want to hack!”
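To put a number on the “4 unrelated words” password advice above, here is an added example (not code from the original post or from Bazar Solutions) that generates such a passphrase with a cryptographic random source and computes how much guessing strength it has depending on the size of the word list. The 16-word list embedded here is a constructed sample only; a real deployment would use a large published list (the 7776-word diceware list is assumed in the comparison function).

```python
import math
import secrets

# Constructed sample word list (assumption): far too small for real use, kept
# short so the example is self-contained. Strength comes from list size.
WORDS = [
    "lamp", "sofa", "carpet", "window", "clock", "pillow", "candle", "shelf",
    "mirror", "curtain", "basket", "plant", "radio", "frame", "vase", "rug",
]

def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` independent uniform picks from a pool of `pool_size`.

    Assumes the attacker knows the word list (or character set); only the
    random selection is secret. Works for both word and character passwords.
    """
    if choices < 1 or pool_size < 2:
        raise ValueError("need at least one pick from a pool of at least two")
    return choices * math.log2(pool_size)

def make_passphrase(word_count: int = 4, words=WORDS, sep: str = "-") -> str:
    """Pick word_count words using the secrets module (CSPRNG), never random.choice."""
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return sep.join(secrets.choice(words) for _ in range(word_count))

def compare_schemes(word_count: int = 4, list_size: int = 7776,
                    char_len: int = 8, alphabet: int = 95) -> dict:
    """Compare a word passphrase against a random character password.

    Defaults assume a 7776-word diceware-style list and an 8-character
    password drawn from the 95 printable ASCII characters.
    """
    return {
        "passphrase_bits": round(entropy_bits(word_count, list_size), 1),
        "char_password_bits": round(entropy_bits(char_len, alphabet), 1),
    }

if __name__ == "__main__":
    print(make_passphrase())
    print(entropy_bits(4, len(WORDS)), "bits with the tiny sample list")
    print(compare_schemes())
```

Four words from a 7776-word list land near 52 bits, about the same as 8 fully random printable characters, but the passphrase is far easier to remember, which is the point of the policy.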
If you run or manage a business, chances are you think regularly about risk management. You might not think of that exact wording, but you are thinking of ways to protect yourself, your business, your customers, etc. Nobody wants to be a news story about how they had a data breach and lost customer data. Did you know that in 2018 the average cost PER lost customer record was $150, and in the healthcare industry it was over $400? That’s the cost to recover systems, public relations, lost business and all the other repercussions of a data breach. How many customer records do you have and what would your costs be? They add up pretty quick.
People don’t think twice about purchasing car insurance, home insurance or business errors and omissions insurance, yet many companies today don’t carry Cyber Liability insurance. With today’s evolving threat landscape, this is a must-have for pretty much any business. If you collect any kind of personal data, and just about everyone does these days (names, emails, addresses, phone numbers), then you need to pay attention to your legal requirements to protect that data. Data breach laws now encompass much more than just medical information. Do you know what your state’s laws are around privacy and data breaches? You need to look it up and make sure you’re in compliance, because otherwise you are accepting a huge amount of risk.
A good cyber insurance policy will allow you to transfer risk to the insurance company. It doesn’t mean you can abdicate responsibility for data protection, because you still have to do everything reasonable to reduce and avoid cyber risk. The policy itself will have guidelines around it to make sure you aren’t just dumping risk on the insurance company, because they are experts at reducing and avoiding risk. That’s why it’s so critical to do all you can to reduce and avoid risk yourself.
I’m not an insurance agent, and you should call your local agent to talk about cyber risk as soon as you can. If your ‘guy’ isn’t sure or isn’t an expert, I would shop around. Cyber insurance is pretty new and not all agents are experts. The last thing you want is to think you are covered only to find out you’re not. Make sure they have coverage for ransomware or extortion payments, the PR services you will need after a breach, and business interruption coverage. If you have a breach, will they cover the regulatory fines that might accompany it? Make sure you follow all the guidelines within the policy. I even recommend you work with your IT provider when shopping for insurance to make sure you are in compliance with the policy; they might have some good recommendations as well. The last thing you want is to file a claim in the midst of a breach only to have the insurance company reject it because you didn’t implement some part of the policy (e.g. a password policy or disk encryption).
This part is easy: if you don’t Avoid, Reduce or Transfer your risk, you must accept it. It should be your goal to accept as little risk as possible by having good security practices, policies and insurance in place. If you do a good job on the first 3 sections, then you should have minimal risk to accept. Just remember, if you do a bad job with Avoid, Reduce and Transfer, then you might get put out of business. Customers are starting to look at how their data is used and protected, and soon will demand to know they are protected to a reasonable extent. Don’t stick your head in the sand and ignore cybersecurity risk; it will come back to bite you.
This post was brought to you by one of our guest authors!
CEO | Entrepreneur | Cyber Security Speaker and Evangelist
Mike has spent most of his life in technology. He was the guy that people in college went to for computer help, and this was at a school of nerds (The Colorado School of Mines). While in college Mike got his degree in mechanical engineering and took graduate classes in International Political Economy. After graduation, he moved back to Texas and looked for ‘fun’ jobs, of which he couldn’t find any, so he started an IT company. After a few years as a sole proprietor, and just after he got married, he took a job deploying wireless networks in large open pit mines around the US and Canada. This gave insight into what many Fortune 500 companies do for IT services in their own companies, and after 4 years of traveling and working with large mining companies he moved back to Lubbock and started Bazar Solutions, Inc. in December of 2009.