BreachExchange mailing list archives

Protect Your Small Business From Being a Target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Sep 2014 19:47:50 -0600

http://www.huffingtonpost.com/michael-hall/protect-your-small-busine_b_5830762.html

Over the last year, data breaches in businesses have been big news: Target,
Home Depot, eBay, LinkedIn ... but this only happens to large businesses,
right? Wrong.

The Target breach actually occurred when an employee of a small HVAC
company opened a malware-laced email, allowing the HVAC company's system to
be hacked. It just so happened that this particular company was contracted
with one of the Target stores and had remote access for maintenance
purposes. This allowed the hackers who accessed the little guy to jump
right into the big guy's system and gather more than 40 million debit and
credit card numbers from Target's point of sale (POS) system. But the
initial target was the small HVAC company.

The variety of ways that cyber criminals can intrude into your computer
network and gather private information is staggering. And the truth is they
often specifically target small businesses because they don't have the time,
attention or funds to provide the same security measures as large
companies, making them easier to infiltrate.

So what precautions can you take? Here are some essential data safety
practices that businesses of any size should use.

Secure Your Website

Increasingly popular forms of cyber crime involve injecting malware into
innocent, unknowing, legitimate websites. Once it's slipped into the code
of a website, it sits and waits to infect site visitors. To prevent this,
scan your website daily for malware and implement an "always on SSL."

Use Encryption

Scrambling data in a way that can only be unscrambled with the correct key
prevents anything intercepted from being readable or useful. Use this
technique to secure any information traveling from one computer to another
through email, an external device, etc.

Always Update, Always Patch

As software vendors recognize vulnerabilities in their products, updates
and patches are developed and distributed. This is probably the easiest
security measure you can take: simply turn on automatic updates.

Use Effective Passwords

Weak passwords are an easy way for someone to access your company's
restricted data. They should be at least eight characters long and include:
a mix of upper and lower case letters, at least one number and a special
character. You can also use a string of three words together, such as
3w0rdSmushedTo{gether.

It's vital to use different passwords for each account and to change them
every few months. Otherwise, a hacker only needs to crack one to access
everything. A good password manager program can keep this from being
overwhelming.

Implement A Social Media Policy

Most of your employees use Facebook, and any information shared on social
media, even if "private," can be found and distributed. That includes any
confidential or proprietary information from or about your business.

Create a social media policy that clearly states what can and cannot be
shared about the business via social media and outline consequences for
failing to abide by the rules.

Defense-in-Depth

Defense-in-depth is a strategy that employs overlapping security controls
and monitoring systems. The purpose is to identify and reduce
vulnerabilities, as well as log activities for later review. Tools used in
this type of strategy include antivirus and anti-spam applications,
firewalls, privacy controls and activity monitoring systems.

The best defense-in-depth tactics depend on a variety of factors that
differ between each individual business. An IT security professional can
help customize the right strategy for your business.

Secure All Devices

Any device used on the company network, including personal devices and the
systems of vendors with remote access, should comply with all of the
company's security protocols before being granted access to the network.

Removable media such as flash drives can introduce malware, so set up all
devices to automatically scan for viruses and use data loss prevention
(DLP) software to restrict the copying of confidential data onto
unencrypted media.

Back Up

No matter what precautions are in place, a data breach is still possible.
Your business may be the victim of a malicious computer virus that shuts
down your operation or of ransomware, which scrambles your data and then
demands money in return for the decryption key. The best way to recover
from something like this is restoring from a backup. Consult an IT
professional to determine the best way to back up all the devices used for
your business and check regularly to be sure the backup system is operating
properly.

There are thousands of criminals interested in gathering your important
electronic data via a variety of means that can be deployed through email,
websites, web browsers, social media, clickable ads, external devices such
as flash drives, physical theft and more. No business is safe.

The idea is to recognize vulnerabilities that would allow hackers in to
compromise your company and clients. Once these weaknesses are identified,
you should work with an IT professional to reduce risk as much as possible
while still supporting a functional system.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss