In the past it was very unlikely to hear stories about the average American small business being a target for a sophisticated cyber attack. For obvious reasons; they have fewer financial resources and relatively unknown brand recognition. Fast-forward to 2016 and you’ll find that these assumptions have been flipped upside down.
The dam has broken for small companies when it comes to security. Smaller companies have become more and more attractive to hackers because they have weaker online security. Smaller companies, like most, are conducting almost all of their business online as well. Particularly, by using cloud services that don’t require encryption. This is every hackers dream. Unlimited information behind an easily-picked, locked door without a deadbolt. Even worse, say your clients are Fortune 500 companies. Your hacker just hit the jackpot.
Although the public typically only hears about cyber attacks against high-profile companies, banks, and government websites, small businesses make prime targets for cyber-criminals, competitors, and disgruntled parties.
Unfortunately due to their lack of knowledge and resources, small businesses have the least-protected websites, accounts, and network systems making cyber attacks a walk in the park.
So what can small businesses do to further their protection? We asked two rock-stars from ABG Capital’s IT and Development Departments for some answers. We spoke with Chief Information Officer Adam Scott and Director of Development Jerry Eddy to discuss some of the best practices and tools to utilize for optimal security in your small business.
Right now, what is the biggest security threat to a small business such as ABG Capital?
Jerry: The biggest threat to small business is hackers looking for opportunities to obtain confidential information. Hackers will try to exploit any perceived weakness in the network as well as trying to obtain information via social engineering. They use social media sites and even contact employees and try to learn more about the staff and the company. By using that information, they attempt to gain access to confidential information through misrepresentation and trickery. It is important for the business to make their employees aware of this type of hacking, so they are able to defend it as much as possible.
Beyond anti-malware and anti-virus protection; where should a small business begin when implementing security programs to protect against these threats?
Jerry: They need to examine each step of every procedure that has something to do with a customers’ confidential information such as credit card and social security numbers. By examining each step, they need to make sure that they are doing everything possible to protect the confidential information through both technical and human means.
Are these services/tools affordable?
Jerry: One thing that can be done is use the controls of ISO/IEC 27002. It is a popular, internationally-recognized standard of good practice for information security.
Governance, risk management, and information security management are broad topics with impact throughout the organization. ISO/IEC 27002, is relevant to all types of organizations including commercial enterprises of all sizes, not-for-profits, charities, and government departments. The security risk and control requirements provide a common framework that any company can adopt, follow, and implement. It also addresses the need of the information security risks relating to their employees as well as contractors, consultants, and the external suppliers of information services.
The standard is concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property). It provides controls that can be measured and that outline a comprehensive review of things that every company should evaluate about information security.
Is two-factor authentication for an employee’s computer/emails/etc. a safe bet?
Jerry: It helps by adding authentication to the authorization process of logging in. When you login, you now need two independent pieces of information, so therefore, if I have your username and password, I still need something tangible such as your smartphone or key fob to further authenticate that the person logging in fact, is the actual person.
Hypothetically speaking, how would a company best protect itself if a cloud provider we use went up in smoke?
Jerry: With any information that you store on a cloud provider, you will want to see if they offer the ability to back up to a separate site and/or provider. Also try and use cloud providers that have a good reputation or that you have heard of before or have been recommended by others to minimize the potential for a loss of cloud provider.
What should a small business do to educate its employees regarding security best practices?
Adam: Make sure to use secure, complex passwords. Learn to protect your information, don’t leave PII (Personally Identifiable Information) laying around. Locking their computers when they leave.
Should companies develop a security policy that is ingrained into company culture?
Jerry: Yes, the company needs to get buy-in from every employee to make sure that every effort is being taken to protect any confidential information that the company possesses. When you engage employees in the creation, development and implementation of security policies you get better security.
Adam: Yes, you want to make your security polices and training as easy to remember as possible. Regular security emails to the staff is a good start. Then move on to videos or Lunch and Learns and encourage employees to attend.
How is ABG Capital’s policy tied to its culture?
Adam: Our C.O.R.E Values state it-
We Cultivate our employees by encouraging them to learn.
We Overcome the security hurdles that face us to improve data security.
We Respect our staff, and they give us the reliability that they are keeping our systems and data safe.
We Evolve by adapting to changing network threats to protect us against data losses.
Do you have an incident response plan, and do you practice it?
Adam: Yes, we have security meetings on a weekly basis where we discuss existing security issues, plan a path to correct them, and learn about new threats we need to protect against. We developed these plans and test them internally and externally using outside vendors for vulnerability and penetration tests.
Lastly, what security threat scares you the most? Any additional advice for preparation?
Adam: Data loss from a data breach would be #1. Having your systems crash is an easy fix; you repair the hardware, restore the data, and you’re up and running. But how do you get back all of your customers’ data once it’s out the on the web for anyone to see? We plan and test on a regular basis to prevent these losses. Intrusion detection systems, dual factor authentication, and employee training are just the start. You need to train your teams and work with the experts in the field to constantly prepare for the new threat coming down the road. Keeping up with the latest security blogs is a good start, but putting together an information security committee is probably the best first plan of action. Get the best minds together in your company, then you can bring together the skills of the best people to plan and protect your data.
Now ask yourself;
Is your small business ready for the unknown? Applying the insight given to us by Jerry and Adam is a great first step. However, it doesn’t stop there. Be proactive and do your research. Remember that educating your employees about security and compliance starts offline. As stated by author and security privacy specialist Bruce Schneier; “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” They want what you’ve got. Don’t give it to them.