Don't Make the Same Mistake As the NSA
I was recently interviewed by Voice of America to discuss the growing threats to businesses from cyber attacks, and I wanted to share the interviews and provide you with some important information for your business on how to guard against cyber threats.
To see the video clips of my interviews, click on the following:
Experts Say More Research Needed to Foil Cyber Criminals
Tips to Minimize Your Risks From Cybercrime
Cyber threats such as hacking, malware, viruses and, yes, people leaving with data on a flash drive in hand are a problem that every business owner must seek to combat. The options for dealing with such threats are numerous and can often overwhelm a non-technical business owner. When I meet with business owners, I typically explain the process of tackling the threats as the approach that has been used since medieval times: a layered defense to protect your castle from threats, both external and internal.
In medieval times, a castle was built with a moat, drawbridge, and portcullis, each designed with features to repel a specific type of attack. Inside those outer protective layers, there was an inner wall and a secure keep to be used as the last lines of defense. In addition, the castle's lord used another tactic, which was to move the treasure out of the castle to another secure site if an attack was expected. This gave the castle the resources to quickly rebuild after an attack. Finally, as a general measure of protection, at all times, all sensitive areas inside the castle had access restricted to just those who had a reason to be there.
To protect your business, your clients and the livelihood of your employees against cyber threats, you need to employ the same layered defense.
What I have tried to offer below are some reasonably priced and necessary measures that business owners can take that should not break the bank. While these measures will help to improve your security, this is not a comprehensive list, so it doesn't address all threats or at-risk areas.
Keep them outside the gates:
- Clean emails using a hosted spam and antivirus filter.
- Scan all network traffic coming in and out of the business using a UTM (Unified Threat Management) appliance. This replaces the old firewall/router usually provided free by your internet service provider.
Keep things safe if they do get inside:
- Update all computers weekly with the latest software patches, as most cyber attacks take advantage of unpatched security holes.
- Update or install antivirus and anti-malware software.
- Each employee should only have access to the information necessary for them to do their job. This not only limits the damage that a virus could do, but also keeps information confidential. Many small businesses only have two network shares: HR and Everything Else. If this is you, don't feel bad; the NSA apparently only recently learned that lesson.
- Use strong passwords on everything possible (this means no birthdays, no kids' names and no list of passwords on your desk), and change the default passwords on hardware such as routers, wireless access points and printers.
Plan for recovery and rebuilding should the worst occur:
- Every desktop and network share should have a secure encrypted online backup running. Schedule it so that no user action is needed. The general rule is that if a backup requires a person to run it, it will be forgotten or skipped. Almost as important as running a daily backup is testing that backup regularly. We've been brought into many businesses because they have had some type of data disaster, only to find that their backups don't work.
- Use a good hosted Exchange provider rather than the old POP3 standard from 1988 that is provided free by most internet service providers or web hosting companies. It provides great recoverability of email with increased flow and function, a vital aspect of almost every business.
- A good hosted email filter has the added benefit of caching your email, allowing your business to continue if the mail server has a problem.
Unique to every business, there is a fine balance between security, cost, usability and acceptable risk, and for this reason no cookie-cutter approach will work.
What should you do now?
Put strong passwords in place. If you need help with creating these, there is a guide available for download here. COST: free
Get a security assessment of your current status. Without this baseline data you cannot make an informed decision.
COST: These vary from $200 to $4000 depending upon the size and depth of the investigation.