Richard Bejtlich, FireEye
Digital defense is often a challenge for small- and medium-sized businesses. SMBs frequently lack the computer security staff and resources found in larger corporations. It's just not economical. This article shares seven tips for SMBs, with an emphasis on low- or no-cost solutions.
1. Identify and minimize information assets. Do you really need that data? This question prompts the user to consider whether the data they collect, store or transmit is truly necessary for business operations. Sometimes, outside regulators seek to control data, as is the case with the Payment Card Industry Data Security Standard (PCI DSS). Even when not regulated, everyone, from corporate employees to home users, should think about the sorts of data they manipulate. The best way to keep sensitive data out of the hands of criminals might be to never let it exist in digital form.
2. Keep sensitive data off the network as much as possible. Everyone has sensitive data, but not all that data needs to be connected to a network. For example, a company processing tax returns could keep that information on systems not connected to the Internet. Alternatively, sensitive data might reside on external hard drives that are attached to a PC or laptop when needed, and detached when not needed. If a criminal can't reach sensitive data because it is off the network, he can't read, steal, or delete it.
3. Provision a separate PC for sensitive business functions, like banking. SMBs should identify one or more computers to be used only for sensitive functions, like electronic commerce. The PC used to transfer money from one account to another should only serve that function. Users should not check their email, browse random Web sites, connect USB thumb drives, or take any other actions on the "e-banking PC." Criminals want to steal the usernames and passwords associated with bank accounts, but their job is a lot harder if users never check email or Web sites on the computer they use for doing banking. If possible, only connect this PC to the network when doing electronic commerce.
4. Enable two-factor authentication (2FA) wherever possible. 2FA refers to practices that require users to log into accounts using something more than a username and password. Some readers may be familiar with tokens that flash a new six-digit code every minute or so. Free solutions, like Google Authenticator, are another option. Some sites offer to send a one-time code via Short Message Service (SMS) text to the user's mobile phone. No solution is hack-proof, but whatever option a service provides above and beyond simple usernames and passwords, users should test and adopt.
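To make the six-digit codes concrete, here is an added worked example (not code from the article, FireEye, or any authenticator vendor) of how time-based one-time passwords work under the hood. Apps like Google Authenticator implement RFC 6238 TOTP on top of RFC 4226 HOTP: the shared secret and the current 30-second time step are fed into HMAC-SHA1, and a few digits are truncated out of the result. The example also shows the two checks a server should perform that the prose only hints at: tolerate a small clock-skew window, and refuse to accept a code for a time step that has already been used, so an intercepted code cannot be replayed. The secret below is the published RFC 4226/6238 test key (the ASCII string "12345678901234567890"); the timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (T0 = 0)."""
    return hotp(key, int(at_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32 (e.g. in otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(key: bytes, submitted: str, at_time: float,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None if rejected.

    - window: how many steps of clock skew to tolerate on either side.
    - last_used_counter: the newest counter this user already redeemed; any code for
      that step or an earlier one is refused, which blocks replay of a captured code.
    The caller must persist the returned counter as the new last_used_counter.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # already redeemed (or older): treat as replay
        expected = hotp(key, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    matched = verify_totp(RFC_TEST_SECRET, code, now)
    print("accepted at step", matched)
    # Presenting the same code again with the step recorded as used is refused.
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, now, last_used_counter=matched))
```

The 8-digit values that the RFC 6238 appendix lists for times 59, 1111111109 and 1234567890 fall straight out of `totp(RFC_TEST_SECRET, t, digits=8)`, which is a quick way to confirm an implementation before trusting it. The replay check matters because a SMS or app code stays valid for the rest of its time step plus the skew window; recording the redeemed counter turns "valid for up to 90 seconds" into "valid once".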
5. Leverage trustworthy cloud solutions. Most computer users aren't interested in being information technology experts. Many SMBs can't afford in-house IT departments, or don't consider IT as a core business function. In these cases, companies should evaluate cloud providers. Theoretically, a cloud provider can hire the necessary expertise to keep data secure, and scale that expertise across the customer base. The trick is identifying trustworthy cloud providers. Ask or research the following questions: 1) what government agencies subscribe to the cloud solution, and 2) what documentation can the cloud provider provide concerning its security practices? Cloud providers who fail these two tests may not yet be ready for conscientious SMB customers.
6. Join Infragard. Infragard is a non-profit organization run by the US Federal Bureau of Investigation. The FBI created Infragard in 1996 to assist the private sector with cyber defense. Infragard maintains chapters in virtually every major city across the country. These chapters hold regular meetings with content designed to educate attendees on cyber threats and mitigations. Such events allow attendees to learn from each other, and also meet their local FBI agents. Organizations should become acquainted with their respective law enforcement agents prior to any serious security incident. The worst time to first meet an FBI agent is when you need that agent's help with a computer intrusion.
7. Treat cyber security as a business problem, not a technical problem. Business leaders have traditionally considered cyber security to be a problem for the IT staff. Executives thought that if they just bought the right software, they could "solve" the "hacker problem." However, the pervasiveness and consequences of digital breaches have encouraged those leaders to properly consider digital defense as a business problem. No one buys a software package to manage human resources, believing that the new application has "solved" hiring, retention, and other personnel challenges. No one subscribes to a cloud-based sales solution, thinking that they have "solved" their customer acquisition and satisfaction problems. In a similar way, executives will find security software to be necessary, but not sufficient, to address hacking woes. It is important for leaders to devise a security strategy appropriate for their business, then execute on that strategy on a daily basis.