As you already know, sensitive data is what drives your business, making loss of that data one of the largest risks your organization faces today. Adding to this vulnerability are the rising frequency of attacks, growing costs of remediation, and lengthening time-to-response. Limited visibility into both the targets of attacks as well as where and how sensitive data is stored only compounds the problem.
On a normal day, a corporate network can experience over one million attempted cyber-attacks. Response times are growing along with costs, frequency of events, and the number of alerting tools your team must manage. Now you can combat the rising threat and costs of cyber-attacks with the real-time incident response solution used by the U.S. Department of the Treasury, Bank of the West, Polo Ralph Lauren Corporation, and many other leading companies, law-enforcement and government agencies.
- Attack frequency: 90% of businesses report at least one breach over 12 months
- Remediation costs: 42% higher than 2011
- Response times (average, 2012): external attack, 24 days; internal malfeasance, 50 days
The critical questions for information security teams today are:
- How can you respond to an incident without the ability to do real-time threat analysis?
- How can you fully protect your sensitive data without a risk-assessment inventory?
What can you do to protect your business?
Discover and record a full inventory of personally identifiable information (PII), intellectual property (IP), and payment card industry (PCI) data in order to scope and measure its associated risk.
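The inventory step above is the one most teams skip because it sounds manual. As an added illustration (this is not code from the original page or from any vendor it names), the following Python scans a set of files for the three data classes the text lists, validates card-number candidates with the Luhn check so that random digit runs are not counted as PCI data, records only masked samples, and assigns a risk tier per file. The sample files, the patterns and the tier thresholds are constructed assumptions for the demonstration; a real scan would walk file shares, mailboxes and database exports.

```python
import re
from typing import Dict, List

# Constructed sample "files" standing in for a file share or database export.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll_2012.csv": (
        "name,ssn,email\n"
        "A. Example,123-45-6789,a.example@example.com\n"
    ),
    "sales/orders.txt": (
        "order 1001 paid with card 4111 1111 1111 1111\n"   # Luhn-valid test number
        "order 1002 paid with card 4111111111111112\n"      # fails Luhn, must be ignored
    ),
    "eng/readme.md": "Build instructions. No personal data here.\n",
}

# 13-19 digit runs, optionally separated by spaces or dashes (card number candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the obviously invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked samples per data class; raw values never leave this function."""
    found: Dict[str, List[str]] = {"PCI": [], "SSN": [], "EMAIL": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["PCI"].append("*" * (len(digits) - 4) + digits[-4:])
    for m in SSN_RE.finditer(text):
        found["SSN"].append("***-**-" + m.group()[-4:])
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        found["EMAIL"].append(local[0] + "***@" + domain)
    return found


def risk_tier(counts: Dict[str, int]) -> str:
    """Constructed tiering: regulated identifiers are high, contact data alone is low."""
    if counts.get("PCI") or counts.get("SSN"):
        return "high"
    return "low" if counts.get("EMAIL") else "none"


def build_inventory(files: Dict[str, str]) -> List[dict]:
    """One inventory record per file that holds sensitive data, with masked evidence."""
    inventory = []
    for path, text in files.items():
        found = scan_text(text)
        counts = {k: len(v) for k, v in found.items() if v}
        if not counts:
            continue
        inventory.append({"path": path, "counts": counts,
                          "tier": risk_tier(counts), "samples": found})
    return inventory


if __name__ == "__main__":
    for record in build_inventory(SAMPLE_FILES):
        print(record["tier"].upper(), record["path"], record["counts"])
```

Masking at scan time matters: an inventory that stores the cleartext values it found becomes a new high-value target, so the record should carry counts, locations and a masked sample only.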
Cyber Risk Assessment and Management
Proper Cybersecurity Risk Management is more than a technology solution. A company, led by its CEO, must integrate cyber risk management into day-to-day operations. Additionally, a company must be prepared to respond to the inevitable cyber incident, restore normal operations, and ensure that company assets and the company’s reputation are protected.
- Understand what information you need to protect: identify the corporate “crown jewels.”
The first step in assessing an organization’s cyber risk is to understand what company assets you are trying to protect and why. Ask yourself: what are your most critical assets? Identify your most important information, assets, and legally protected information.
- Identify Threats to Crown Jewels
- How do you store the information?
- Who has access to the information?
- How do you protect your data?
- What steps are you taking to secure your computers, network, email and other tools?
- Forecast the consequences of a successful attack
If you have an information technology staff or Chief Information Security Officer, ask them to walk you through the above analysis. Ask them to quantify the risk. Also ask them to explain what could happen as a result of a fully successful cyberattack against your company.
For more information, please see NCSA – Assess Your Risk.
Cyber Risk Mitigation – Implement a Cybersecurity Plan
Most experts recommend that businesses have a strategic approach to cybersecurity.
The Federal Communications Commission created the Small Biz Cyber Planner to help businesses evaluate their current cybersecurity posture and create a plan.
A comprehensive cybersecurity plan needs to focus on three key areas:
- Prevention: Solutions, policies and procedures need to be put in place to reduce the risk of attacks.
- Resolution: In the event of a computer security breach, plans and procedures need to be in place to determine the resources that will be used to remedy a threat.
- Restitution: Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short-lived.
For more information:
- National Cyber Security Alliance. Implement A Cybersecurity Plan.
- Council on CyberSecurity. Critical Controls for Effective Cyber Defense.
- Mark Stollery. “Cyber security – the best weapon remains good information security hygiene.” Computer Weekly. March 2013.
- Manage your network boundaries
- Manage access and permission levels
- Consider whitelists or blacklists for external traffic
- Manage network activity proactively.
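The four practices just listed are only as good as the review that follows them: an allowlist for external traffic is defined once, but the network activity it governs has to be checked against it continually. As an added example (not code from the original page or from any organization it cites), the Python below applies a constructed egress policy to constructed firewall log lines, classifies each outbound flow as internal, allowed, blocklisted or not allowlisted, and lists the source hosts that deserve a closer look. The log format, the policy rules, the IP ranges (taken from the documentation ranges reserved for examples) and the review threshold are all assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed log lines in a simple key=value format; a real deployment would parse
# whatever the firewall or flow collector actually emits.
SAMPLE_LOG = """\
2012-05-01T10:00:01 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2012-05-01T10:00:02 src=10.0.1.15 dst=203.0.113.25 dport=25 proto=tcp
2012-05-01T10:00:03 src=10.0.1.22 dst=203.0.113.40 dport=25 proto=tcp
2012-05-01T10:00:04 src=10.0.1.22 dst=198.51.100.7 dport=443 proto=tcp
2012-05-01T10:00:05 src=10.0.1.22 dst=192.0.2.9 dport=6667 proto=tcp
2012-05-01T10:00:06 src=10.0.1.15 dst=10.0.2.5 dport=445 proto=tcp
2012-05-01T10:00:07 src=10.0.1.30 dst=203.0.113.53 dport=53 proto=udp
2012-05-01T10:00:09 heartbeat ok
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress allowlist: web anywhere, mail only via the relay, DNS only via
# the resolver. Anything external not matched here is flagged for review.
ALLOW_RULES = [
    ("tcp", 443, ipaddress.ip_network("0.0.0.0/0")),
    ("tcp", 80,  ipaddress.ip_network("0.0.0.0/0")),
    ("tcp", 25,  ipaddress.ip_network("203.0.113.25/32")),   # assumed mail relay
    ("udp", 53,  ipaddress.ip_network("203.0.113.53/32")),   # assumed resolver
]
# Constructed blocklist: a range the organization has decided never to talk to.
BLOCK_NETS = [ipaddress.ip_network("198.51.100.0/24")]

REVIEW_THRESHOLD = 2   # denied flows per source host before the host is listed


def classify(dst: ipaddress.IPv4Address, dport: int, proto: str) -> str:
    """Verdict for one outbound flow under the policy above."""
    if any(dst in net for net in INTERNAL_NETS):
        return "internal"
    if any(dst in net for net in BLOCK_NETS):
        return "blocklisted"
    for rule_proto, rule_port, rule_net in ALLOW_RULES:
        if proto == rule_proto and dport == rule_port and dst in rule_net:
            return "allowed"
    return "not-allowlisted"


def review_log(log_text: str) -> Dict[str, object]:
    """Classify every parsable line and summarise which hosts need attention."""
    verdicts: Counter = Counter()
    denied_by_host: Dict[str, List[str]] = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            unparsed += 1          # keep count: a parser gap is itself a visibility gap
            continue
        src, dst, dport, proto = m.groups()
        verdict = classify(ipaddress.ip_address(dst), int(dport), proto)
        verdicts[verdict] += 1
        if verdict in ("blocklisted", "not-allowlisted"):
            denied_by_host[src].append(f"{dst}:{dport}/{proto} {verdict}")
    hosts_to_review = sorted(h for h, flows in denied_by_host.items()
                             if len(flows) >= REVIEW_THRESHOLD)
    return {"verdicts": dict(verdicts), "unparsed": unparsed,
            "denied_by_host": dict(denied_by_host), "hosts_to_review": hosts_to_review}


if __name__ == "__main__":
    summary = review_log(SAMPLE_LOG)
    print(summary["verdicts"], "unparsed:", summary["unparsed"])
    for host in summary["hosts_to_review"]:
        print("review", host, summary["denied_by_host"][host])
```

The two flows worth noticing in the sample are the direct SMTP connection that bypasses the relay and the IRC-port connection; neither is blocked by the blocklist, so only an allowlist comparison surfaces them. Counting unparsed lines is deliberate: a log format change that silently drops lines would otherwise look like a quiet network.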
Who Can Help
Your best sources of guidance are your Internet Service Provider (ISP) and software providers. Many ISPs have services devoted to their business customers. Explore what’s available from them and how they can help. The provider of your security and other software can also be of assistance and may have special services for small businesses.
- AllClear ID Incident Response Workbook
- FBI InfraGard Program
- Federal Trade Commission (FTC): Bureau of Consumer Protection Business Center
- FEMA: Business Emergency Plan
- Homeland Security U.S. Computer Emergency Readiness Team (US-CERT) Cyber Security Tips
- Microsoft Business Hub
- On Guard Online: Small Business Resources
- National Institute of Standards and Technology (NIST): Computer Security Resource Center
- National Institute of Standards and Technology (NIST): Small Business Corner
- U.S. Chamber of Commerce: Internet Security Essentials for Small Business
Cyber Insurance – Risk Transfer
The cyber insurance market has evolved significantly since the first policies were introduced in the late 1990s. Today, there are over 25 carriers in the market providing up to $300M in limits. Coverage extensions have developed to include both the third-party liability and the first-party costs and expenses associated with a data breach or cyberattack. Insuring agreements vary by insurance company. Options may include:
- Security & Privacy Liability – defense and indemnity for failure to keep information private, failure of third-party affiliates to keep information private, and failure of systems to prevent a network security failure (including transmission of a virus). Information includes corporate confidential information (CCI), personally identifiable information (PII) or protected health information (PHI), and can be in electronic or tangible form.
- Crisis Management – expenses incurred by the insured stemming from a security failure. Covered expenses include costs to respond to adverse publicity, comply with regulatory requirements, and voluntarily and proactively provide notification and credit monitoring services to affected parties.
- Regulatory Proceedings – covers defense of a proceeding or action brought by a privacy regulator (Federal Trade Commission, Health Insurance Portability and Accountability Act (HIPAA), State Attorney General) or fines for breach of a privacy regulation. Limited coverage for “PCI” fines is available.
- Business Interruption – costs incurred by the insured stemming from a material business interruption directly caused by a security failure.
- Data Recovery – costs incurred by the insured to restore, recreate or recollect electronic data stored on the insured’s computer system that becomes corrupted or destroyed due to a computer attack; including disaster recovery and computer forensic investigation services.
- Cyber Extortion – costs incurred, and extortion monies paid, due to a threat related to the interruption of the insured’s computer system, or the release or destruction of private information.
With the increasing frequency and costs associated with cyberattacks, your company’s risk management strategy should include cyber insurance to help mitigate financial loss and protect your company’s balance sheet.
For more information:
- McGuire Woods. Buyer’s Guide to Cyber Insurance. October 2013.
Protect Your Customers
Trust is an essential element of customer relationships. When it comes to Internet security, your customers trust you to protect the personal information they share with you.
You would never knowingly put them at risk, but lax computer security practices can do just that — jeopardize your customers’ sensitive information and expose them to threats.
If your company has a website, communicates with customers via email, or stores customer information in an electronic database, you could be putting them at risk if you aren’t taking the right precautions.
Following a few simple online safety practices can protect you from incurring expensive and dangerous data breaches, and give your customers the peace of mind they deserve.
Gain Their Trust
The following information practices will help safeguard your customers’ data and help them feel confident about doing business with you online.
Know what you have: You should be aware of all the personal information you have about your customers, where you’re storing it, how you are using it, who has access to it and how you protect it.
Keep what you need and delete what you don’t: While it’s tempting to keep information for future use, the less you collect and store, the less opportunity there is for something to go wrong.
Protect what they give you: If you’re holding onto information about your customers, you need to keep it secure.
Keeping your customers safe requires your own computer systems to be fully protected. The best policies in the world won’t protect your customers if your network and resources are at risk of preventable attacks.
Protecting your network and systems requires a lot of the same steps as protecting a single computer, only on a larger scale.
Keep a clean machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
Scan all new devices: Be sure to scan all USB and other devices before they are attached to the network.
Use a firewall: A good firewall keeps criminals out and sensitive data in.
Use spam filters: Spam can carry malicious software and phishing scams, some aimed directly at businesses. A good spam filter will block most of it and will make your email system safer and easier to use.
Show your commitment to security: Participate in activities such as National Cyber Security Awareness Month and Data Privacy Day to demonstrate your business’s commitment to security.
Train Your Employees
Protecting your company online begins with ensuring your employees are prepared to assist in keeping your computers and networks safe.
The best security technology in the world can’t help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This will involve putting practices and policies in place that promote security and training employees to be able to identify and avoid risks.
Talk to Your Employees About
- Keeping a clean machine: Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network.
- Following good password practices: Making passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, along with changing them routinely and keeping them private are the easiest and most effective steps your employees can take to protect your data.
- When in doubt, throw it out: Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company’s spam filters and how to use them to prevent unwanted, harmful email.
- Backing up their work: Whether you set your employees’ computers to backup automatically or ask that they do it themselves, employees should be instructed on their role in protecting their work.
- Staying watchful and speaking up: Your employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.
Training Your Employees to Detect Cyber Threats
Training employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online.
Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.
- Microsoft Internet Safety for Enterprise & Organizations Toolkit
- On Guard Online Small Business Resources: Resources for Training Employees
- Sophos Essential Firewall Edition
- Sophos IT Security Training Tools
- Symantec Small & Medium Business Information Center
- Trend Micro: Resources for Small Business
- US-CERT: Protect Your Workplace Campaign