Information Security for Small Business

Information Security, what is it, why do we care? Simply put information is knowledge and knowledge is power and like all power it can be used for good or it can be used for harm.  All businesses whether small or large deal with employee information, tax information, proprietary information, and/or customer information. If that information is compromised, it can cost you; lost revenue, destroyed reputation or the loss of your competitive edge. Protecting that information is vital hence “Information Security.”

Information Security is formally defined as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability”.

  • Confidentiality – protecting information from unauthorized access and disclosure.
  • Integrity – protecting information from unauthorized modification.
  • Availability – preventing disruption in how you access information.

How is Information Security different from Cybersecurity?

Cybersecurity is defined as “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”.

Simply put, as more and more information becomes digitally stored and processed, cybersecurity becomes a key component of keeping it secure.

Why should a small business need to worry, surely there are larger more successful companies to target?

Many businesses in the United States have been putting resources—including people, technology, and budgets—into information and cybersecurity protections.  As a result, they have become more difficult to target.  Cybercrime and those who practice it are focusing more of their effort on softer targets; like small business. A smaller business generally will not have the resources to invest that a larger business would.  Maybe they want to hold your company finances or customer database for ransom.  Maybe they just want to compromise systems to add to a botnet that can be used to launch a broader attack.  Perhaps they can gain access to a higher profile target through your role in a supply chain.  Whichever the reason small business is now a target and a lucrative one.

Cybercriminals aren’t always the threat, they may be newsworthy, but environmental events such as fires or floods, for example, can severely damage computer systems.  The overall impact of an environmental event could include damage to information systems, loss of critical business information, loss of customer trust, damage to your credit and/or loss of income.  Small business often has more to lose than big business because an event—whether a hacker or natural disaster has a larger impact on the bottom line. While there is no one stop protection plan a smaller business can make themselves a harder target by applying the concept of risk management to compensate for lack of resources.

Risk Management

Identifying what information needs to be protected, how it will be protected and then implementing and monitoring that protection, is called risk management.  Managing risk will require the input of a broad array of personnel within the business. Project managers, executives, legal, and IT personnel. Possibly your customers if you do a lot of business with them. Risk management is a continual, on-going exercise and a component of a good cybersecurity strategy.

Risk Elements

Risk is a function of threats, vulnerabilities, the likelihood of an event, and the potential impact such an event would have to the business. Most of us make risk-based decisions every day. While driving to work, we assess the weather and traffic conditions, the skill of other drivers on the road, and the safety features and reliability of the vehicle we drive.  While risk can never be completely eliminated, by understanding your risks, you can know where to focus your efforts.

A threat is anything that might adversely affect the information your business needs to run.  It can person or event driven

A vulnerability is a weakness that could be used to harm the business. Most information security breaches can be traced back to only a few types of common vulnerabilities.

Likelihood is the chance that a threat will affect your business and helps determine what types of protections to put in place.

Building your cybersecurity strategy centers around the following categories.

Identify

Determine what information your business stores and uses.  This is often the most challenging, because it is unreasonable to protect every piece of information against every possible threat.  Identify what is the critical information that will allow your business to survive.

Determine the value of your information. Ask three questions for each piece of critical information.

  • What would happen to my business if this information became public?
  • What would happen to my business if this information were incorrect?
  • What would happen to my business if I/my customers couldn’t access this information?

Determine who has or should have access to your business’s information and technology.

  • Is a key, administrative privilege or password required?  Who has access?
  • Do not allow unknown persons to have physical access to your business computers.
  • Cleaning crews and maintenance personnel
  • Unsupervised computer or network repair personnel

Conduct Background Checks, do a full, nationwide, criminal background check, and credit check:

  • All prospective employees especially if they will be handing your business funds.
  • Consider one on yourself to look for possible instances of identity theft.

Require individual user accounts for each employee including any contractors:

  • Require that strong, unique passwords be used for each account. Individual accounts tie system actions to the person who’s login was used.
  • Ensure that all employees use computer accounts without administrative privileges to perform typical work functions. (this practice is called least privilege)

Create policies and procedures for information security to identify acceptable practices and expectations for business operations, these policies:

  • Can be used to train new employees on your information security expectations.
  • Can aid an investigation in case of an incident.
  • Should be readily accessible to employees, i.e. employee handbook or manual.
  • Should have a legal professional familiar with cyber law review them to ensure they are compliant with local laws and regulations.
  • All employees should sign a statement agreeing that they have read the policies and relevant procedures, that they will follow the policies and procedures. If there are penalties associated with the policies and procedures, employees should be aware of them. The signed agreement should be kept in the employee’s HR file.

(Appendix E of NISTIR 7621 REV. 1 has sample policy and procedure statements.)

  • Reviewed annually to see if changes are needed.

Protect

Limit employee’s access to data and information. Where possible;

  • Allow employees to access only those systems and information needed to do their jobs.
  • Do not allow a single individual to both initiate and approve a transaction (financial or otherwise). This includes executives and senior managers.

Install Surge Protectors and Uninterruptible Power Supplies (UPS). Surge protectors prevent spikes and dips in power, Uninterruptible Power Supplies (UPS) provide a limited amount of battery power and provide enough time to save your data when the electricity goes off.

Patch your operating systems and applications. Any software application including operating systems, firmware, or plugin installed on a system could provide the means for an attack.

Install and activate software and hardware firewalls on all your business networks firewalls should be placed between your internal network and the Internet. Check for possible support from your ISP.

  • For these devices, change the administrative password upon installation.
  • Consider changing the administrator’s login as well.

Secure your wireless access point and networks. If you use wireless networking, set up your router as follows (view the owner’s manual for directions on how to make these changes):

  • Change the administrative password that was on the device when you received it.
  • Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID).
  • Set your router to use Wi-Fi Protected Access 2 (WPA-2), with the Advanced Encryption Standard (AES) for encryption. Do not use WEP (Wired-Equivalent Privacy) it is obsolete.
  • If your business provides wireless internet access to customers, ensure that it is separated from your business network.

Set up web and email filters. Email filters can help remove emails known to have malware attached and prevent your inbox from being cluttered by unsolicited and undesired (i.e. “spam”) email. Email providers may offer this capability.

Use encryption for sensitive business information. Encryption is a process of making your electronically stored information unreadable to anyone not having the correct password or key.

  • Use full-disk encryption—, which encrypts all information on the storage media – on all of your computers, tablets, and smart phones.

Dispose of old computers and media safely. Small businesses may sell, throw away, or donate old computers and media. When disposing of old business computers;

  • Electronically wipe the hard drive(s); there are applications that can do this.
  • If you can’t wipe the hard drive for any reason, consider degaussing the hard drive.
  • After wiping the hard drive(s), remove them and have them physically destroyed.

When hired and then annually, train employees on the following:

  • What is permissible use of business computers and mobile devices? (Personal Email)
  • How they are expected to treat customer or business information, (can they take it home)?
  • What to do in case of an emergency or security incident

Detect

  • Install and update anti-virus, -spyware, and other –malware programs
    • Malware (short for Malicious Software or Malicious Code) is computer code written to steal or harm. (viruses, spyware, and ransomware)
    • If your employees do any work from home on personal devices, obtain copies of your business anti-malware software for those systems or require your employees to use anti-virus and anti-spyware software.
  • Maintain and monitor logs
  • Protection / detection hardware or software (e.g. firewalls, anti-virus) often can keep a log of activity. Ensure this function is turned on. Logs should be backed up and saved for at least a year; could be longer depending on sensitivity.

You may want to consider having a cybersecurity, professional review the logs for any unusual or unwanted trends, such as a large use of social media websites or an unusual number of viruses consistently found on a particular computer. These trends may indicate a more serious problem or signal the need for stronger protections in a particular area.

Respond

The Respond Function supports the ability to contain or reduce the impact of an event.

Develop a plan for what immediate actions you will take in case of a fire, medical emergency, burglary, or natural disaster. The plan should include the following:

  • Roles and Responsibilities. This includes who makes the decision to initiate recovery procedures and who will be the contact with appropriate law enforcement personnel.
  • What to do with your information and information systems in case of an incident. This includes shutting down or locking computers, moving to a backup site, physically removing important documents, etc.
  • Whom to call in case of an incident. This should include how and when to contact senior executives, emergency personnel, cybersecurity professionals, legal professionals, service providers, or insurance providers. Be sure to include relevant contact information in the plan.

Recover

Make full backups of important business data/information.  Conduct a full, encrypted backup of the data on each computer and mobile device used in your business at least once a month, shortly after a complete virus scan.

  • Test your backups
  • Store these backups away from your office location in a protected place.
  • Save a copy of your encryption password or key in a protected place.
  • Conduct an automatic incremental or differential backup of each of your business computers and mobile devices at least once a week.  These backups should be stored on:
    • removable media (e.g. external hard drive)
    • separate server that is isolated from the network, or online storage.
  • In general, the storage device should have enough capacity to hold data for 52 weekly backups, so its size should be about 52 times the amount of data that you have

Consider cyber insurance, cyber insurance is similar to other types of insurance (e.g. flood, fire) that you may have for your business. Cyber insurance may help you respond to and recover from a security incident.

This article is based on information contained in the Small Business Information Security Fundamentals publication from the National Institute of Standards and Technology.

NISTIR 7621 Rev1.  This is a small part of the information that can be utilized in that publication.  It also contains methods to help your employees work safely and securely both at home and the office.  Information security is of paramount importance today.  Those of us in the NCMS, ISAC and other security organizations have a duty to lend the knowledge we use every day on our more secure systems to help our companies identify and protect their intellectual property and their people. The NIST Cybersecurity Framework and this publication can help get them to that point.

Below are the two main references used for this article, they can be obtained from www.nist.gov

  1. National Institute of Standards and Technology Interagency Report 7621, Small Business Information Security: The Fundamentals, Revision 1, (November 2016)
  2. National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity [Cybersecurity Framework], Version 1.0, February 12, 2014.

Gene Erbacher, CISSP
Cybersecurity/ISSM

Wright State Research Institute
4035 Col Glenn Hwy
Beavercreek, OH 45431

(937) 705-1059
eugene.erbacher@wright.edu