How Secure Should My Firm Be?
Security strategies are more about creating a culture than implementing a product. There are certainly threats, as I’ll describe in this article, but there are also legal risks and hard costs to businesses, including the risk of business failure.
Here are a few points that I’ll cover in this article – and in greater detail at my session at this year’s Accountex 2016 conference:
- Description of the issues
- Legal and compliance risks
- Incident response
- IT considerations
- Tools and techniques
- Five-step plan for security
- Avoiding identity theft
Cybersecurity Risks for Small Firms
Cybersecurity continues to grab headlines for sensational and large-scale breaches, but a few numbers help drive home the need in small firms. Dell SonicWALL has currently identified no fewer than 1,700 variants of the CryptoLocker malware alone.
The latest variants include the ability to:
1. Start an infection after business hours.
2. Begin encryption without communication back to a key server.
3. Infect any remote access profiles used by Remote Data Services (formerly Terminal Services) or Citrix.
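Because the newer variants encrypt without calling back to a key server, network monitoring alone will not catch them; the file activity itself is the signal. The following is an added illustration (not code from the article or from Dell SonicWALL): a Python sketch that reads constructed file-audit lines, flags a burst of writes to extensions the firm never produces, and records whether the burst began after business hours. The log format, process names, thresholds, office hours and sample lines are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample file-audit lines (not from the article): timestamp user process action path
SAMPLE_LOG = """\
2016-10-12T09:15:02 jdoe WINWORD.EXE WRITE //srv1/finance/memo.docx
2016-10-12T22:41:03 jdoe svch0st.exe WRITE //srv1/finance/q3.xlsx.locked
2016-10-12T22:41:04 jdoe svch0st.exe WRITE //srv1/finance/q2.xlsx.locked
2016-10-12T22:41:05 jdoe svch0st.exe WRITE //srv1/finance/ar.pdf.locked
2016-10-12T22:41:05 jdoe svch0st.exe WRITE //srv1/finance/ap.pdf.locked
2016-10-12T22:41:07 jdoe svch0st.exe WRITE //srv1/finance/payroll.xlsx.locked
2016-10-12T22:41:09 jdoe svch0st.exe WRITE //srv1/finance/README_DECRYPT.txt
"""
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed office hours
KNOWN_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg"}  # what staff normally save
WINDOW_SECONDS = 60  # sliding window per (user, process)
THRESHOLD = 5        # suspicious writes inside the window that raise an alert
def parse_event(line):
    ts, user, proc, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, proc, action, path

def is_suspicious_write(action, path):
    # A write whose final extension is not one the firm normally produces.
    if action != "WRITE":
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTS
def after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)
def detect_bursts(log_text):
    """One alert per (user, process) whose suspicious writes reach THRESHOLD
    within WINDOW_SECONDS; relies on file activity only, never on C2 traffic."""
    recent, alerts = defaultdict(deque), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, proc, action, path = parse_event(line)
        if not is_suspicious_write(action, path):
            continue
        q = recent[(user, proc)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= THRESHOLD and (user, proc) not in alerts:
            alerts[(user, proc)] = {"user": user, "process": proc, "count": len(q),
                                    "first_seen": q[0].isoformat(), "after_hours": after_hours(q[0])}
    return list(alerts.values())
```

On the sample lines the detector raises a single after-hours alert for `svch0st.exe`; in production the same logic would be fed from Windows file-audit events or a file-server agent rather than a string.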
Another common security initiative is PCI compliance for anyone that accepts credit cards. PCI has four levels of compliance with 12 requirements, according to the PCI Security Standards Council (PCI SSC), based on the transactions processed per year:
- Level 1 – Over 6 million credit card transactions
- Level 2 – 1 million to 6 million transactions
- Level 3 – 20,000 to 1 million transactions
- Level 4 – Less than 20,000 transactions processed
Failure to comply with Level 4 forces a company to comply with the much more restrictive Level 1 requirements. In effect, this can make small businesses unable to accept credit cards, which for many businesses would be a death knell.
PCI compliance is simply one of the legal and compliance risks from a cybersecurity perspective. PCI compliance is aided greatly by proper firewall implementation and maintenance.
Back in 2003-04, most cyberattacks were mischievous. By 2005, the profit motive had arrived and organized crime entered the malware scene with the early versions of ransomware. Fast forward to 2012, and threats started to become persistent and complex.
Today, the weakest links remain the user and the devices that they use, particularly involving user names and passwords. One solution in this area is multifactor authentication – something you have and something you know. Product solutions here include Duo, AuthAnvil, Google Authenticator, and multifactor authentication for Microsoft Office 365 users.
What are some of the other risks? A partial list includes: ransomware, other viruses and malware, the “Internet of Things,” cyberespionage, cybertheft/crime, insecure passwords, BYOD, unauthorized data access, data stored improperly without controls, privacy and regulation, and staff engagement.
Risks by device type include:
- Corporate servers, which are frequent targets.
- Insecure desktops, which can be a conduit to corporate servers.
- Lost and stolen portable devices, which pose two additional risks – security of data on the device and the ability of the device to access servers.
Finally, public cloud access is a real opportunity for hackers. In the days of the 1930s gangsters, when Willie Sutton was asked by reporter Mitch Ohnstad why he robbed banks, Sutton replied, “Because that’s where the money is.” The quote evolved into Sutton’s law.
Today’s hackers are going after cloud providers on a daily basis because of the massive opportunity for financial gain. Currently, it is 234 days, on average, before a breach is discovered after the initial intrusion.
When you consider the Dropbox breach that triggered 68 million password changes or the SWIFT breach resulting in multimillion-dollar transfers, risk and breaches are everywhere, and it is hard for a small business to choose and afford the right resources. SWIFT is used to transmit foreign exchange confirmations, debit and credit entry confirmations, statements, collections, and documentary credits. These breaches make some far-fetched movie plots seem feasible!
Components of a Cyberattack
What are the elements of a cyberattack? These components exist in almost every style of attack:
- Endpoint: The target of the attack (individual PCs, servers, or networks). The purpose of the attack is to control, corrupt, or disable the endpoint.
- Vulnerability: The weakness that permits the endpoint to be penetrated. Vulnerabilities include software flaws, system design weaknesses, insecure configurations, and human errors.
- Malware: Malicious software. There are many different types of malware, and attacks often involve more than one.
- Delivery vehicle: Malware is delivered to victim machines through a variety of techniques, from social engineering (phishing) to USB sticks.
- Method of execution (MoE): The means through which attackers get the resources necessary (access, processing time, data, etc.) to execute an attack.
We’ll discuss the various types of malware and ransomware in detail during my Accountex 2016 session. Here I’ll just note that small businesses should have an incident response plan for a malware attack – just as they should have a business continuity/disaster recovery plan. In the session we’ll discuss how to create the plan, the appropriate contacts with legal authorities, and the appropriate actions to take.
Creating an Appropriate Cybersecurity Strategy
Policies, standards, and guidelines are needed to create an appropriate cybersecurity strategy. What do these three components consist of?
A policy is typically a document that outlines specific requirements or rules that must be met. An Acceptable Use policy would cover the rules for appropriate use of computers, network, email, Internet, etc.
A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. A standard may be developed that describes how to harden a Windows 10 workstation for placement on an external network.
A guideline is typically a collection of system-specific or procedural-specific suggestions for best practice. Guidelines are not requirements, but are strongly recommended.
What are some examples of the policies you should include?
- Acceptable Use Policy
- Password Policy
- BYOD Policy
- IT Security Plan and Policy
- Records Retention Policy
- Sensitivity Policy
- Social Networking Policy
- Website and Portal Use Policy
- Clean Desk Policy
- Tech Equipment Disposal Policy
- Email Policy
- Mobile Device Encryption Policy
- Removable Media Policy
- Disaster Recovery Policy
Sample policies are available from SANS.org, one of our favorite places to recommend on security-related matters.
There are technical issues that you’ll want to address with your team as well. Firewalls, infrastructure setup, ongoing IT responsibilities, and user protections are the general categories, with a number of specific issues to review in each case. Cisco, Microsoft, and SANS.org all have guidelines in these areas.
Minimally, you should have anti-virus protection and encryption plus a strong firewall. You should also consider Identity & Access Management (IAM) and Security Information & Event Management (SIEM).
IT and security professionals can easily make cybersecurity the entire focus of their careers. While this article provides high-level guidance, there are many details that need to be added and understood for you to achieve reasonable protection for your business and that of your clients. I hope to see you at my pre-conference session on Cybersecurity: Threat Analysis to discuss more details.
Note: Security breaches grab plenty of headlines. How much is sensationalism, and how much involves real risk to your business and your clients’ security? A lot more than you think!
You should consider how and what you need to be “secure enough.” So, what have you done lately?
Randy Johnston is a well-known technology expert, consultant, trainer and speaker. He will be speaking at the upcoming Accountex USA 2016 event, Nov. 15-18 in Las Vegas during the aforementioned sessions. The original post appeared on the Sleeter Group blog. AccountingWEB and Accountex have partnered to bring you this content as we share a belief in the furtherment of the profession through greater insights.
Randy Johnston is a nationally recognized educator, consultant, and writer with over 40 years experience in Strategic Technology Planning, Accounting Software Selection, Paperless, Systems and Network Integration, Business Continuity and Disaster Recovery Planning, Business Development and Management, Process Engineering and outsourced managed...