Some alarming statistics were cited in an article recently posted by USA Today concerning compromised data
“The number of data breaches resulting in exposed records is up by 54% year over year in the first half of 2019, and the number of records exposed in those breaches is up by 52%. More than 3,800 data breaches were reported in the first six months of this year, and just eight of those exposed more than 3.2 billion records, nearly 80% of all records exposed so far in 2019.
In the first three months of 2019, some 1.9 billion records were exposed in 1,903 recorded data breaches, implying that 1.4 billion records were exposed in the second quarter. There were three breaches in the first quarter and five in the second that resulted in the exposure of 100 million or more records each, according to Risk Based Security, the research and security firm that issued its 2019 Midyear Quickview Data Breach Report Thursday morning. All told, those eight breaches exposed 3.2 billion records.”
If you’re like me, it seems every time you see the news, you learn of yet another data breach involving a financial services firm, a large retailer, or a healthcare company. The article cited above goes on to say that “the business sector is responsible for nearly 85% of the exposed records.” This makes sense given the richness of these targets, both in terms of the sheer number or records and the acquisition of private data that can be used for authentication. As a business owner, these are the kinds of things that can keep you awake at night!
I am not sharing this with you to cause a panic. Primarily, I want to encourage taking some practical steps toward securing your network from external and internal threats. This nudge may be necessary for business owners who believe they are not large enough to be a viable target. Secondarily, we recognize this subject can be overwhelming for the average business owner considering the many potential vulnerabilities.
Here are several facets of cybersecurity that need your attention:
User Training & Testing
- Since many breaches begin with social engineering enticing users to open a link or attachment, consistent user training and awareness is critical. We like KnowBe4. It is affordable and effective in helping your users be aware of the typical tricks as well as increasing their vigilance.
An updated firewall
- Your firewall should be regularly (and preferably, automatically) updated on a schedule. Top tier vendors alert you or your technical staff when critical emergency updates are needed based on any newly discovered threat pattern.
- Intrusion detection and alerts should be configured to enable quick response.
- Consider replacing these devices with new models every 12-24 months to take advantage of hardening against the latest threats.
- Must be installed on all devices with potential to connect to your network. Ideally, implement a policy preventing connection to your network for any device lacking company-approved security software.
- Notifications should be sent to technical personnel for quick attention and remediation.
Limit physical access
- Server and network gear should be located in a secured environment with appropriate climate control and power conditioning. Only authorized personnel should have access.
- Flash Drives and other media should only be used when absolutely necessary. Encrypted media is a great step in the right direction. Denying the use of these devices is best. Interact with your clients or vendors via a secure portal to mitigate risk.
Employ strong password policies
- Require strong passwords (use words not found in the dictionary; security increases with the length of the password; random password generators are helpful and are included with apps like LastPass (password manager). These apps can aid you in creating unique passwords for every site or service you access.
- Require periodic changes to passwords and ensure password uniqueness is employed.
- Default Administrator passwords should be changed upon first use! Only authorized personnel should ever have access to these credentials and password policies should be strictly enforced, as stated previously.
- Some devices allow you to rename the administrator account enabling “security by obscurity.” This tactic should be employed when practical.
Multi-factor authentication (MFA)
- Almost everyone has been exposed to this approach if you are using the Internet to access your bank account, financial service providers, or healthcare information. Many vendors can help with implementation of MFA which significantly reduces the risk of password-related data breaches!
Secure remote access
- Use secure connection protocols to connect remotely to network resources (SSL or VPN).
- Avoid using public unsecured WiFi in public places for accessing the company network.
- Consider mobile device management to mitigate the risk in the event of theft. Data on these devices should be encrypted or prohibit local data storage.
- Limit access to private networks to only registered devices and avoid IoT (Internet of Things) devices.
Segregate Public (Guest) and Private networks
- Public WiFi networks should be blocked from private network access.
- Inbound ports should be limited to mission critical communication protocols and employ policy-based routing.
Operating System/Application Updates
- These updates should be centrally administered and applied automatically where possible. Users should be trained concerning the critical nature of updates for addressing known vulnerabilities and compliance with the update policy should be strictly enforced.
- Backups have proven invaluable not only to companies that have lost data due to hardware failure or user error but also to those that have been infected with ransomware.
- Backups should be done on a regular schedule with a frequency considering a data value assessment and data volume.
- Test restores of backed up data should be done on a regular basis.
Limit administrative account access to only authorized personnel.
Ensure you are in compliance with your merchant services provider’s payment card data security policy.
If you are uncertain about any of these facets of cybersecurity, you should consider a vulnerability assessment performed by your internal IT staff or a reputable vendor. Make sure you are able to confirm that all these areas are addressed and that a process is implemented for effective, timely maintenance.
Finally, in the event all the defenses fail or the bad guys get a step ahead, cybersecurity insurance is a critical investment. The insurance provider can help with appropriate legal and practical responses in the event of a breach in addition to covering or offsetting the resulting monetary damages up to policy limits.