Monday, July 11, 2022

Business Owners! What do you need to do to be a cyber leader for your business?

Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization’s cyber risks requires awareness of cybersecurity basics. As a leader, you need to drive your organization’s approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money, as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.

Approach cyber as a business risk. Ask yourself what type of impact would be catastrophic to your operations? What information if compromised or breached would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization.

Determine how much of your organization’s operations are dependent on IT. Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the “it can’t happen here” pattern of thinking. Instead, focus cyber risk discussions on “what-if” scenarios and develop an incident response plan to prepare for various cyber events and scenarios.

Lead investment in basic cybersecurity. Invest in cybersecurity capabilities for your organization and staff. This includes not only investments in technological capabilities, but also a continuous investment in cybersecurity training and awareness capabilities for your organization’s personnel. Use the Cyber Essentials to have conversations with your staff, business partners, vendors, managed service providers, and others within your supply chain. Use risk assessments to identify and prioritize allocation of resources and cyber investment.

Build a network of trusted relationships for access to timely cyber threat information. Maintain situational awareness of cybersecurity threats and explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, government agencies, law enforcement, associations, vendors, etc.

Lead development of cybersecurity policies. Business leaders and technical staff should collaborate on policy development and ensure policies are well understood by the organization. Perform a review of all current cybersecurity and risk policies to identify gaps or weaknesses by comparing them against recognized cyber risk management frameworks. Develop a policy roadmap, prioritizing policy creation and updates based on the risk to the organization as determined by business leaders and technical staff.

(Source: CISA)

Wednesday, July 06, 2022

Ten key cybersecurity tips to protect your small business

Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals.

1. Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establishing appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks. Keep clean machines: the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.

3. Provide firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

8. Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

Source: FCC

Tuesday, September 14, 2021

Is your small business compliant with Data Security Regulations?

Develop a WISP that helps you be compliant with Massachusetts’s data security regulations

At Compliance+ Security, we help small businesses safeguard their customers', employees', and contractors' personally identifiable data. The most helpful safeguard is to comply with the law and to protect data by developing a Written Information Security Program (WISP). A WISP is a document that details an organization’s security controls, processes, and policies, and it must be tailor-made to fit the business’s needs and to comply with the law.


You value your data, and so does a hacker


A common misconception that my clients have is that breaches only happen to big businesses. There are notable examples from Equifax, Yahoo!, LinkedIn, Facebook, and others where a single data breach compromised millions of individuals’ data at once. But the data reveal a different story. The data show[2] that the vast majority of data breaches affect a smaller population of 1-10 individuals at a time. Every business, large and small, is a target for hackers and malicious actors seeking to acquire personal data. Even though attention is paid to the big breaches, there are hundreds of little breaches that happen every day.


Reality of numbers


In 2021 so far,* there have been 2,188 reported data breaches in Massachusetts, affecting over 1 million residents. At this rate, by the end of the year, there could be as many as 1.5 million Massachusetts residents that have had their information compromised, just in this year alone.


Massachusetts’s data security regulations have teeth


Massachusetts has made significant efforts to protect residents from data breaches. These efforts include passing Chapter 93H and pursuant regulations published by the Office of Consumer Affairs and Business Regulation (OCABR)[4]. These regulations apply "to all persons that own or license personal information about a resident of the Commonwealth." Personal information includes: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.[5]


Chapter 93H authorizes the Attorney General to bring an action, which can include court-ordered relief such as injunctions, consumer restitution, and civil penalties.[6] Civil penalties can be up to $5,000 for each violation, plus the cost of investigation and litigation. In some cases, the damages could be trebled.


The landmark case of Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918 (Mass. Super. Apr. 3, 2018) demonstrates just how deep the teeth can be in this law. In that case, the Attorney General alleged that Equifax "knew or should have known about the data breach by July 29, 2017; and that Equifax waited to provide the required notice until September 7, 2017"[7]. After their motion to dismiss was denied, Equifax settled with the Attorney General for $18.2 million[8].


Don’t be the next Equifax. Equifax could have avoided the whole litigation if it had implemented safeguards for its data, reported the breach, and followed the rules set forth in Chapter 93H. The good news is that Chapter 93H and supporting rules allow companies to implement safeguards that are appropriate to the size, scope, and type of business, and the amount of resources available. The bad news is that businesses of all sizes need to provide 18 months of credit monitoring to all residents affected by a breach. Assuming a cost of approximately $15 to $25 per affected resident, providing credit monitoring alone adds up quickly for a small business.


Reach out to us to learn more. We offer free consultations to help you develop a WISP that is tailored to your business needs, complies with the law, and safeguards your customers’ data.



FOOTNOTES:


*As of September 8, 2021, Data Breach Notification Report

[2] https://www.mass.gov/lists/data-breach-notification-reports

[3] General Laws Chapter 93H

[4] MA Data Security Regulations - 201 CMR 17.0

[5] 201 CMR 17.02

[6] MGL c. 93H, Section 6; MGL c. 93A, Section 4

[7] Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918, at *3 (Mass. Super. Apr. 3, 2018)



The publication contains information about regulations, laws, enforcement, penalties, court cases pertaining to data security regulations, data breach notification laws, and data destruction laws. The information is not legal advice, and should not be treated as such. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This newsletter is intended for general information purposes only, and you should consult an attorney concerning any specific legal questions you may have.

Wednesday, December 09, 2020

Cybersecurity: Seeking complex solutions to simple problems

I recently saw the movie "The Boy Who Harnessed The Wind" on Netflix. It made me think that solutions to complex or even existential problems could be very simple. For some of us in the cybersecurity field, it is quite the opposite. We tend to view cybersecurity strictly from a technology viewpoint, ever searching for complex solutions and complex procedures for simple problems.

Take, for example, migration to the cloud. Before I took up an in-depth study of the cloud platform, I was led to think of the cloud as something very complex requiring very specialized skill sets. Frustrated with this mindset, I decided to take on the study of Amazon Web Services (AWS) Solutions Architect. As I went through the course, I found that working in the cloud was simpler than working in on-premise environments. A few clicks and you can have web servers and applications running. I remember spending days building web servers and making applications run on a bare-bones box that IT would hand over to me. Perhaps that hands-on experience made it easy to understand the cloud. That hands-on experience taught the fundamentals and a tendency to seek simplicity even in the most complex situations.

Many of the vulnerabilities listed in the OWASP Top 10 have been there for many years, for example, Injection flaws and Cross Site Scripting. One possible explanation could be that, rather than addressing the root cause, most security professionals and developers tend to focus on complex coding approaches. I have designed applications at the user-interaction level and the backend-processing level, focusing primarily on eliminating the root cause. And that has worked. Once you address or eliminate the root cause, complex coding would simply be decoration that enhances the robustness of the application.

Sunday, May 17, 2020

Cybersecurity as Value Add to business

Compared with past practices, every business has been adopting digital technology in how it does business. And now, companies have responded to the coronavirus pandemic by moving as many processes as possible to digital formats. However, the pandemic merely accelerated the ongoing movement of businesses transforming their business processes to a digital format, which started decades ago. This process is a digital transformation, and as a result, new risks to the company arise. These new risks from digital transformation come in the form of cyber risk.

To combat cyber risk, companies should bolster their cyber security efforts. Cybersecurity is fundamental to the digital transformation because it ensures that the new business processes are safe from malicious attacks. Furthermore, the expectation from customers is that new, digital business processes are done safely and securely. 

Cybersecurity begins with mindset: being mindful of your fiduciary responsibility towards your customers, their data, their information, and their assets, all of which have been entrusted to you. Cybersecurity is not about tools and technology; tools and technology are the means to achieve that mindset, just as securing your physical property begins with accepting the need to secure it and then using locks and security systems as the tools and technology to meet that objective.

Cybersecurity is not about technology; it is a fundamental capability of a business to be adaptive and resilient to changing business processes and an ever-changing threat landscape.

NIST Cybersecurity Framework to deliver on the value proposition

I have been studying the NIST Cybersecurity Framework and applying the framework to organizations. The goal is to help businesses incorporate cybersecurity into all aspects of their digital practices.

The framework is outcome driven and provides activities that the organization needs to perform to achieve those outcomes. Since the framework does not mandate how an organization must achieve those outcomes, it enables scalability. A small organization with a low cybersecurity budget is able to approach the outcome in a way that is feasible for them.

Every business already has some host of security practices; for example, passwords on email accounts are ubiquitous. The key, however, is identifying the gaps between where the company is now (the current profile) and where it should be (the aspirational target profile). We work with businesses to develop a plan or roadmap to achieve their target profile, to ensure that cybersecurity is an integral part of all business practices, from workflow to external and internal communications, and that there is a corporate culture of acceptance of cybersecurity as a value-add business proposition.

All organizations have gaps in their cybersecurity practices. The goal is to identify those gaps by creating and comparing the current profiles with target profiles and to work iteratively to narrow those gaps.

Awareness Education - employees tend to be the weakest link

The threat landscape has evolved over time. In the past, hackers and criminals looked for vulnerabilities in systems and networks. Hackers penetrated the system by attacking the systems. Now, they prey on people and thereby gain access to the systems. People are easier to target. Hackers first introduce malware into the system through phishing emails, gain control over the organization’s assets, and then, through ransomware, blackmail or extort payments. Therefore, people are the weakest link, falling easy prey to phishing, spear phishing, and social engineering. Awareness education drives a culture of employees becoming a deterrent to cyber-attacks, thereby making organizations cyber resilient.

Monday, January 27, 2020

Cyber Security Awareness Training

ebusinessmantra is excited to announce a new security awareness training service for our clients. Engaging employee security awareness training is an effective way to protect your organization from threats like phishing. 

Our new security awareness training solution will teach your employees how to detect and avoid malicious content through attention-grabbing training modules and realistic simulations. We have over 2000 training resources in different lengths, styles and languages to inspire a culture of security at your organization.

As your service provider, we’ll handle all aspects of employee training — including implementation, management and reporting. This helps you: 
  • Prevent data breaches and other security incidents.
  • Meet and track security awareness compliance requirements.
  • Save time and money with automated course delivery, management, and reporting.

Saturday, August 06, 2011

Using the Right Tool: Web Application Scanner vs. Web Application Firewall

A web application or vulnerability scanner scans a website or web application to determine vulnerabilities in the application as a snapshot in time. If the application is not altered and the scanner is not updated, you would get the same results every time the scan is run. In other words, a scanner’s nature is to be static, in that it does not react to the changing dynamics that are typical of a live environment. From that viewpoint, scanners tend to be a good assessment tool for testing during development and pre-production or pre-release of an application.

It is important to note that scanning of production sites should be avoided at all costs, not only from the viewpoint of performance degradation but also because of the potential to corrupt a live database. This is an important distinction to which I will refer back when comparing scanners with web application firewalls.

Commercial scanners such as Acunetix bring with them a lot of additional out-of-the-box features and functionalities. They also provide tools for advanced testing and penetration testing. Thus, scanners fall under the realm of testing and would be better utilized during the testing and development phases of a project.

Web Application Firewalls (WAF), on the other hand, provide real-time, live monitoring of the application. They monitor every request coming to the web server while the application is in the production environment. A WAF guards the application by auditing requests against security rules and configurations that are set manually and that it learns by itself. Furthermore, a WAF, such as the one from Imperva, can block, alert, and apply a virtual patch while the development team works on the real fix. This makes them extremely powerful in protecting live web applications and live data. Contrast this with a web application scanner, which is not intended for production sites and cannot provide protection in real time.
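As an added illustration (not code from the original post or from any vendor's product), here is a small Python request-inspection loop showing the two WAF behaviours described above: auditing every request against rules in alert or block mode, and deploying a "virtual patch" rule at runtime so the same request gets a different verdict while developers work on the real fix. The `/search` endpoint, its `q` parameter, the rule patterns and the sample requests are all hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    """One WAF rule: a pattern checked against a request field, with an action."""
    name: str
    target: str          # "path", "query" or "header:<Name>"
    pattern: re.Pattern
    action: str          # "block" stops the request; "alert" only logs it


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> str:
        # Decode once so URL-encoded payloads are inspected in their real form.
        return unquote(urlsplit(self.url).query)


class MiniWaf:
    """Evaluates each live request against the *current* rule set.

    Unlike a scanner's one-time snapshot, the rule set can change while the
    application keeps serving traffic.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []          # audit trail of every rule hit

    def add_virtual_patch(self, rule: Rule) -> None:
        # A virtual patch is just a new blocking rule scoped to the vulnerable
        # endpoint, deployed until the application itself is fixed.
        self.rules.append(rule)

    def _field(self, req: Request, target: str) -> str:
        if target == "path":
            return req.path
        if target == "query":
            return req.query
        if target.startswith("header:"):
            return req.headers.get(target.split(":", 1)[1], "")
        raise ValueError(f"unknown rule target {target!r}")

    def inspect(self, req: Request) -> str:
        verdict = "allow"
        for rule in self.rules:
            if rule.pattern.search(self._field(req, rule.target)):
                self.log.append(f"{rule.action.upper()} {rule.name} {req.method} {req.url}")
                if rule.action == "block":
                    return "block"      # first blocking rule wins
                verdict = "alert"       # keep evaluating; a later rule may block
        return verdict


# Baseline rule set: alert on a classic SQL-injection tautology in the query string.
BASELINE_RULES = [
    Rule("sqli-tautology", "query", re.compile(r"'\s*or\s+1=1", re.I), "alert"),
]

# Constructed sample traffic (not real captured requests).
SAMPLE = [
    Request("GET", "/products?id=42"),
    Request("GET", "/products?id=42'%20or%201=1--"),
    Request("GET", "/search?q=<script>alert(1)</script>"),
]


def demo():
    """Run the same traffic before and after a virtual patch for the hypothetical /search?q flaw."""
    waf = MiniWaf(BASELINE_RULES)
    before = [waf.inspect(r) for r in SAMPLE]
    waf.add_virtual_patch(Rule("vpatch-search-q", "query",
                               re.compile(r"(^|&)q=[^&]*[<>]"), "block"))
    after = [waf.inspect(r) for r in SAMPLE]
    return before, after, waf.log
```

Running `demo()` shows the third request allowed before the patch and blocked after it, with nothing about the application itself having changed.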

If the attack vector changes, the same application that was tested secure using a scanner can be vulnerable to new forms of attacks. I have read many articles where the author has shown examples of websites that were hacked in spite of scanners finding them invulnerable. Again, remember, the intended time of scanner use should be during development and testing, because of its snapshot nature. In the production environment, the dynamics are different, from configurations to network management to ever-changing attack vectors.

Are web application scanners necessary if web application firewalls can provide the ultimate safety net?

Absolutely yes; in fact they are needed even more. First, scanning during development and testing ensures that the application is robust. A robust application with a web application firewall enhancing its security is more secure than a weak or vulnerable application behind the same firewall. If the web application firewall were the icing, you want it on the cake, not the soup.

Therefore, organizations must include both web application scanners and a web application firewall.

ebusinessmantra offers web application or vulnerability scanners from Acunetix and web application firewalls from Imperva. In addition, we have the right solutions and products for small- to mid-size businesses.