The year is 2013 and only now are we starting to see businesses take cyber security seriously. Why did it take so long for the business world to wake up to the threat? They have always been aware of the threat, but the bottom line and the cost-benefit analysis of securing one's data did not come out on the side of security. To quote the Department of Homeland Security, “For business owners, protecting cyberspace is part of their bottom line. Cyber-crime can mean financial loss for businesses both large and small. To address emerging cyber threats, we must acknowledge our shared responsibility to Achieve Cyber security Together.” (Department of Homeland Security, 2012)
So what did it take for business to realize that it needed cyber security? First, we must recognize that security is neither cheap nor convenient; those two things alone make it unpalatable for most businesses. Until about five years ago, most cyber security breaches did not generate a large enough loss of profit to justify the expense of securing data properly.
So what changed, you might ask? It was the advent of hacker groups like Anonymous and LulzSec, and the predominance of state-sponsored corporate espionage conducted by countries like China. (Vance, 2013) Furthermore, the losses from a security breach can now run into the hundreds of millions of dollars. The Sony PlayStation Network hack of April 2011 affected 77 million users and cost the company $170 million in damages. (Williams, 2011) Let's look at some basic things you can do to practice good information security in cyberspace.
First and foremost, you must train employees in security principles, as they are your first line of defense against malicious access. Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail the penalties for violating company cyber security policies. Establish rules of behavior describing how to handle and protect customer information and other vital data. (Federal Communications Commission, 2013)
Next, you must take active steps to protect information, computers and networks from cyber-attacks. Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. Enable system event logging and never allow users to have admin-level access to a machine. (Federal Communications Commission, 2013)
In addition, you must secure your connection to the Internet; this can be done by installing a firewall. A firewall is a set of related programs that prevents outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall. (Federal Communications Commission, 2013) Depending on the sensitivity of the data you are trying to protect, you might even consider a layered design: a second firewall protecting critical systems inside your network and limiting traffic to only users inside your organization.
I can never say this enough: back up, back up, and back up some more. Make backup copies of all your important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud. (Federal Communications Commission, 2013) With the recent rash of ransomware infections, I would also recommend offline backups. (Goodin, 2013)
Friends don't let friends have weak passwords and authentication. Require users to use unique passwords and to change passwords every three months. Consider implementing multi-factor authentication, which requires additional information beyond a password to gain entry. Check with the vendors that handle your sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. (Federal Communications Commission, 2013) Passwords are easier to crack than ever before due to modern algorithms and advanced rainbow tables. This leaves multi-factor authentication as the only real choice if you are serious about protecting your network data. (Goodin, “thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords, 2013)
Lastly, prevent one of your employees from becoming the next Ed Snowden. Limit employee/user access to data and information, and limit the authority to install software. Never provide any one employee with access to all data systems. Your employees should only be given access to the specific data systems they need for their jobs, and they should not be able to install any software without permission. Accounts for departed employees should be purged the day they leave, and any account showing no use for more than 30 days should automatically be locked out.
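The account-lifecycle rule above (purge leavers the day they go, lock anything unused for more than 30 days) is easy to state and easy to forget to run. The following is an added example, not part of the original essay: a small review routine over a constructed account inventory, including the edge case of a never-used account, which is measured from its creation date so a forgotten new-hire account is still caught.

```python
"""Added example: apply the essay's account-lifecycle rule to an inventory.

The Account records below are constructed sample data, not a real directory
export. In practice the list would come from your directory service."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=30)   # "no use for more than 30 days"


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None means the account has never been used
    departed: bool               # HR record says this person has left


def review(accounts: List[Account], today: date) -> Dict[str, str]:
    """Return {username: action}, where action is 'purge', 'lock' or 'ok'."""
    actions: Dict[str, str] = {}
    for acct in accounts:
        if acct.departed:
            # Leavers are removed the day they go, regardless of activity.
            actions[acct.username] = "purge"
            continue
        # A never-used account counts from its creation date, so an account
        # provisioned and then forgotten is still locked after 30 days.
        last_activity = acct.last_login or acct.created
        if today - last_activity > INACTIVITY_LIMIT:
            actions[acct.username] = "lock"
        else:
            actions[acct.username] = "ok"
    return actions


# Constructed sample inventory, reviewed as of 1 November 2013.
REVIEW_DATE = date(2013, 11, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2012, 1, 10), date(2013, 10, 30), departed=False),  # active
    Account("bob",   date(2012, 1, 10), date(2013, 9, 15),  departed=False),  # 47 days idle
    Account("carol", date(2012, 1, 10), date(2013, 10, 31), departed=True),   # left yesterday
    Account("dave",  date(2013, 9, 20), None,               departed=False),  # never used
    Account("erin",  date(2012, 1, 10), date(2013, 10, 2),  departed=False),  # exactly 30 days
]

if __name__ == "__main__":
    for user, action in sorted(review(SAMPLE_ACCOUNTS, REVIEW_DATE).items()):
        print(f"{user:<6} {action}")
```

The run prints `alice ok`, `bob lock`, `carol purge`, `dave lock`, `erin ok`; note that exactly 30 days of inactivity is not yet "more than 30 days" and so is left alone.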
Business information security is neither cheap nor convenient, but it makes good sense!
Works Cited
Department of Homeland Security. (2012, October 16). Working with Businesses to Secure Cyberspace. Retrieved from Department of Homeland Security: http://www.dhs.gov/blog/2012/10/16/working-businesses-secure-cyberspace
Federal Communications Commission. (2013, October 19). Cybersecurity for Small Business. Retrieved from Federal Communications Commission: http://www.fcc.gov/cyberforsmallbiz
Goodin, D. (2013, August 26). “thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords. Retrieved from Ars Technica: http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
Goodin, D. (2013, October 17). You’re infected—if you want to see your data again, pay us $300 in Bitcoins. Retrieved from Ars Technica: http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/
Vance, M. A. (2013, March 15). China Corporate Espionage Boom Knocks Wind Out of U.S. Companies. Retrieved from Businessweek: http://www.businessweek.com/news/2012-03-15/china-corporate-espionage-boom-knocks-wind-out-of-u-dot-s-dot-companies
Williams, M. (2011, May 23). PlayStation Network Hack Will Cost Sony $170M. Retrieved from PCWorld: http://www.pcworld.com/article/228391/article.html