Evidence that criminals are targeting the computer systems of small businesses continues to mount. The Wall Street Journal recently drew attention to the way cybercriminals are sniffing out vulnerable firms. The article highlighted the fact that about 72% of the 855 data breaches world-wide last year that were analyzed in Verizon's Data Breach Investigation Report were at companies with 100 or fewer employees.
Many small businesses don’t realize that, regardless of location, they can be the target of cyber-attacks such as the one ESET researchers recently discovered in Peru (check out the ESET white paper in PDF form here). In this case the bad guys deployed technology that could silently steal AutoCAD drawings, files that often encapsulate the intellectual output of small firms like architects and engineers.
There is also mounting evidence that small law firms working on big cases are increasingly being targeted by parties with an interest in a specific case. According to Trent Teyema, FBI assistant special agent in charge of cybercrimes in the agency's Washington field office: "We have seen over the last three years an increase in the targeting of law firms." And here's Stewart Baker, former assistant secretary for policy at the Department of Homeland Security: "There is every reason to believe that foreign governments are breaking into American law firm networks."
With all of that in mind, the following are my "4 Top Tips" for small businesses looking to prevent cyberattacks, bearing in mind that there is a lot more to each of these than we have room for in this blog post:
1. Know what you are defending: Many small firms don’t have a clear picture of their digital assets or where they reside. Have a session where management and IT review the following (even if the sum total of management and IT at your firm is only two people):
a. data that comes into the firm (e.g. work orders, customer information),
b. data the firm creates and stores (e.g. project designs or research notes), and
c. data that is allowed or required to leave the firm (e.g. reports to clients).
In addition to this “data audit” you need to perform a “network audit” to make sure you know what equipment is on your network and what devices are connecting to the Internet and/or phone lines (e.g. is the Sales Team logging in to the office network from the road to access customer records, is your photocopier calling home to the manufacturer). When you get a clear picture of where the sensitive data is, and who has access to it, then you can put some rules in place.
2. Have rules: A written information security policy or plan is essential for all small businesses these days and may even be required by law (e.g. if you handle information about health matters or citizens of the state of Massachusetts). There can be a big upside to putting such a plan or policy in place because many larger firms are requiring them from the smaller firms who are their suppliers. In other words, you could beat out the competition for a contract if you have a security policy in place and they don’t. A few months ago I recorded a webcast on cybersecurity policy for SMBs that you might find useful (registration required).
3. Enforce the rules: The catch with security policy is that you need to enforce it. That includes sanctioning people who violate the rules but also educating all your employees about what the rules are. It is not unusual for a large company to insist that an approved vendor or contractor show evidence of a program of security awareness for its employees, even if they are a small firm. You can find more about this topic in these slides: Cybersecurity Policies and Best Practices: Protecting small firms, large firms, and professional services from malware and other cyber-threats (PDF).
4. Start with stronger passwords: This sounds like a very low tech tip but it has a high reward. Educate employees on what constitutes a strong password. Make them use strong passwords on all systems including smartphones and tablets. Change the default password on routers and point-of-sale equipment. The good news here is that over 60 percent of all data breaches in 2011 could have been prevented with cheap and basic security measures. That’s according to the Verizon Data Breach Investigation Report, which found over 90 percent of breaches were avoidable if security measures classified as basic or moderate had been in place.
As for responding to an incident, being prepared is more than half the battle. A good first step is to know who in local law enforcement deals with cybercrime and also get to know your local FBI office. The latter should be ready and able to respond to major intellectual property cases or bank fraud. And the FBI now has access to an improved range of tools and resources if you are prepared to “make a federal case” out of an incident. The Federal Trade Commission has a useful page of tips for businesses that do suffer a data breach.
Leave a comment and let me know if you find this content helpful. If so, we can add more tips like this in the future.
Author Stephen Cobb, ESET