All businesses, of all sizes, are vulnerable to cyber attacks and breaches, even the smallest family-owned company on Main Street, USA.
Heather Engel, EVP of Sera-Brynn, recently hosted a roundtable discussion with local business professionals at the Virginia Peninsula Chamber of Commerce to discuss the basics of how to mitigate cyber risk by identifying vulnerabilities, testing them against a wide array of threats, and assessing compliance against suggested and mandatory compliance standards.
Understanding the cost and risk of credit card fraud in the United States.
In 2013, credit card fraud in the United States totaled $7.1 billion. The rest of the world’s total? $6.8 billion. Why? Because the United States is not yet using the Clearing House Interbank Payments System (CHIPS).
CHIPS is the largest private-sector U.S.-dollar funds-transfer system in the world, clearing and settling an average of $1.5 trillion in cross-border and domestic payments daily.
But there is good news.
Europay, MasterCard and Visa (EMV) will be implementing CHIPS in businesses, making its use mandatory by October 2015. It will lead to improved security for businesses and consumers when we make point of sale (POS) purchases.
What will this look like? New technology for businesses to use that will further encrypt credit card numbers and generate a one-time-use number from the credit card number. This equals additional security for the business and the consumer. Businesses that implement this change poorly will remain vulnerable to hackers.
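To make the "one-time-use number" idea concrete, here is a small added example (not code from the article or from Sera-Brynn) of a token vault: the card number (PAN) is exchanged for a random token that is only good once, so the merchant's own records hold the token and a masked number rather than the real card number. The in-memory vault, the token format, the hypothetical hostnames and the test card number are assumptions made for illustration.

```python
"""
Added example, not from the article: a toy token vault showing why a
one-time-use substitute for the card number limits what a breached
merchant system can leak. Everything here (in-memory storage, token format,
the well-known test PAN 4111111111111111) is an illustration assumption.
"""
import re
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Format check for a card number: 13-19 digits that pass the Luhn checksum."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (what a receipt should show)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Issues a random single-use token for a PAN and hands the PAN back exactly once.

    Assumption: in a real deployment the vault lives with the payment processor,
    not on the merchant's point-of-sale system; that separation is the point.
    """

    def __init__(self) -> None:
        self._live = {}          # token -> PAN, entry removed on first redemption

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = secrets.token_hex(16)        # 128 random bits, unguessable
        self._live[token] = pan
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the PAN for a live token and burn the token; None if unknown or already used."""
        return self._live.pop(token, None)


def checkout_flow(pan: str) -> dict:
    """Walk one purchase through the vault and report what each party ends up holding."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    # What the merchant is allowed to keep: a masked number and the token, never the PAN.
    merchant_record = {"card": mask_pan(pan), "token": token}
    first = vault.redeem(token)       # processor settles the purchase
    second = vault.redeem(token)      # a replayed or stolen token is worthless
    return {
        "merchant_record": merchant_record,
        "first_redeem_ok": first == pan,
        "second_redeem": second,
    }


if __name__ == "__main__":
    print(checkout_flow("4111111111111111"))
```

The second redemption returning nothing is the property the article is describing: a number captured from a poorly secured register or a log file buys the attacker nothing once it has been spent, which is why merchants that still store or print the full PAN alongside the token have implemented the change poorly.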
Technology does not equal security.
There is no product on the market that you can buy and stick on your network to protect you completely. A “cyber silver bullet” simply does not exist. That’s because risk management has many tentacles. Understanding the correct product for your business is most important. 70% to 90% of malware, for example, is created or customized to breach a specific organization, so any patches you’ve downloaded or antivirus products you’ve purchased may be only part of the solution. Be sure to look at your complete business. And don’t just rely on one piece of technology to protect your company.
Compliance does not equal security.
Just because you have every single box checked in the compliance arena does not mean you are 100% secure. Protecting your business requires compliance, insurance and response plans. If you have compliance regulations that you have to adhere to – think PCI for anyone that processes credit card information – those regulations will set the framework for where you want to spend your money. Compliance will determine fines, fees and penalties, likelihood of litigation, insurance and cost of remediation and vendor management. But you need to also ensure you have a plan – a response plan – for when (not if) you are breached. You also need to ensure you are insuring your business to help in the event you are breached.
Know what information to protect.
If you have client, HR or intellectual capital information to protect, it is imperative that you understand what that information is and how you protect it. Not knowing what information you hold, or how sensitive it is, is no excuse for losing it.
Have an Incident Response Plan.
At the very least, note the following: if you are connected to a network and suspect an attack, disconnect from the network to prevent the attack from spreading. Do not shut your computer down.
Having an Incident Response Plan has proven to decrease the cost of a breach.
The first call after a suspected breach should be your legal team. A data breach, whatever its scale, always involves recovery, forensics, public relations and internal communications.
The most important thing is to understand what to do and who to call.
Success is measured in hours, not weeks.
Determine and control accessibility.
Think technology, process and people when looking to control who can access what on your systems.
• Technology: Put different technologies in place if you feel they are warranted: control access to specific sites, allow only certain users on the network, and install a monitoring system so you know when certain users are visiting sites.
• Process: Create processes that stipulate who is authorized to go to specific sites for work-related purposes, and when. Write the process down and distribute it company-wide. Enforce it.
• People: Use remedial training for employees. Teach employees that clicking on unfamiliar links can lead to malware. Train employees to stay safe online.
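The three controls above work together: the written process becomes a per-role allow-list, the technology enforces or at least logs access, and the monitoring output tells you which people need the training. The following is an added example (not the article's or Sera-Brynn's code) that runs such a check over web proxy log lines; the log format, the roles, the user names and the hostnames are all constructed for illustration.

```python
"""
Added example, not from the article: turn a written "who may visit what"
policy into data and run it over proxy log lines to flag out-of-policy
visits. Roles, users, hostnames and the log format are constructed.
"""
import re
from collections import defaultdict

# Process: the written policy, expressed as data. "*" means unrestricted.
ROLE_ALLOWLIST = {
    "cashier": {"pos.example-vendor.test", "payroll.example.test"},
    "bookkeeper": {"payroll.example.test", "bank.example.test"},
    "owner": {"*"},
}
USER_ROLE = {"alice": "cashier", "bob": "bookkeeper", "carol": "owner"}

# Constructed proxy log lines: timestamp user host status
SAMPLE_LOG = """\
2015-06-01T09:00:12 alice pos.example-vendor.test 200
2015-06-01T09:03:44 alice freefilesharing.test 200
2015-06-01T09:10:02 bob bank.example.test 200
2015-06-01T09:11:55 bob freefilesharing.test 403
2015-06-01T09:12:30 carol newsite.test 200
2015-06-01T09:14:01 dave bank.example.test 200
this line is not a log record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_access(user, host):
    """Return None if the visit is within policy, otherwise a short reason string."""
    role = USER_ROLE.get(user)
    if role is None:
        return "unknown user"        # nobody not on the roster belongs on the network
    allowed = ROLE_ALLOWLIST[role]
    if "*" in allowed or host in allowed:
        return None
    return f"{host} not on {role} allow-list"


def audit(log_text):
    """Run the policy over a log.

    Returns (violations, per_user_counts). Each violation records whether the
    proxy already blocked the request (status 403): a block is the technology
    working, but the attempt is still a process violation worth a conversation.
    """
    violations = []
    per_user = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                 # malformed line; count these separately in production
        reason = check_access(rec["user"], rec["host"])
        if reason:
            violations.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "host": rec["host"],
                "reason": reason,
                "blocked_by_proxy": rec["status"] == "403",
            })
            per_user[rec["user"]] += 1
    return violations, dict(per_user)


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG)[0]:
        print(v)
```

On the constructed log this flags alice's file-sharing visit (allowed through by the proxy, so the technology was not enough), bob's attempt at the same site (blocked, but still outside his role), and a user who is not in the roster at all. The per-user count is the list you hand to whoever runs the remedial training.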