All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputation and discouraging inappropriate behavior by employees. Part One
Cyber Plan Action Items:
1. Establish security roles and responsibilities
One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide for strong Role-Based Access Control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints. Such policies need to clearly state, at a minimum:
• Clearly identify company data ownership and employee roles for security oversight and their inherit privileges, including:
• Necessary roles, and the privileges and constraints accorded to those roles.
• The types of employees who should be allowed to assume the various roles.
• How long an employee may hold a role before access rights must be reviewed.
• If employees may hold multiple roles, the circumstances defining when to adopt one role over another.
Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personally identifiable information (PII) from its customers may benefit from identifying a chief steward for customers’ privacy information. The steward could serve not only as a subject matter expert on all matters of privacy, but also to serve as the champion for process and technical improvements to PII handling.
1. Establish an employee Internet usage policy
The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines should allow employees the maximum degree of freedom they require to be productive (short breaks to surf the web or perform personal tasks online have been shown to increase productivity). At the same time, rules of behavior are necessary to ensure that all employees are aware of boundaries, both to keep them safe and to keep your company successful. Some to consider:
• Personal breaks to surf the web should be limited to a reasonable amount of time and to certain types of activities.
• If you use a web filtering system, employees should have clear knowledge of how and why their web activities
will be monitored, and what types of sites are deemed unacceptable by your policy.
• Workplace rules of behavior should be clear, concise and easy to follow. Employees should feel comfortable performing both personal and professional tasks online without making judgment calls as to what may or may not be deemed appropriate. Businesses may want to include a splash warning upon network sign-on that advises the employees of the businesses’ Internet usage policies so that all employees are on notice.
1. Establish a social media policy
Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. At a minimum, a social media policy should clearly include the following:
• Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum.
• Additional rules of behavior for employees using personal social networking accounts to make clear what kinds
of discussion topics or posts could cause risk for the company.
• Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites.
• Guidance on selecting long and strong passwords for social networking accounts, since very few social media sites enforce strong authentication policies for users.
Lastly, all users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use, especially in tandem with geo-location services, may be the most beneficial social networking security practice of all.
1. Identify potential reputation risks
All organizations should take the time to identify potential risks to their reputation and develop a strategy to mitigate those risks via policies or other measures as available. Specific types of reputation risks include:
• Being impersonated online by a criminal organization (e.g., an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other method).
• Having sensitive company or customer information leaked to the public via the web.
• Having sensitive or inappropriate employee actions made public via the web or social media sites.
All businesses should set a policy for managing these types of risks and plans to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company’s reputation in cyberspace, practical measures to prevent those risks from materializing and reference plans to respond and recover from potential incidents as soon as they occur.
New telecommunication technologies may offer countless opportunities for small businesses, but they also offer cyber criminals many new ways to victimize your business, scam your customers and hurt your reputation.
Businesses of all sizes should be aware of the most common scams perpetrated online.
Cyber Plan Action Items:
1. Train employees to recognize social engineering
Social engineering, also known as “pretexting,” is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because the bad guys are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.
Most offline social engineering occurs over the telephone, but it frequently occurs online, as well. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, LinkedIn profiles, Facebook posts and Twitter messages can allow a criminal to assemble detailed dossiers on employees. Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses.
Many criminals use social engineering tactics to get individuals to voluntarily install malicious computer software such as fake antivirus, thinking they are doing something that will help make them more secure. Users who are tricked into loading malicious programs on their computers may be providing remote control capabilities to an attacker, unwittingly installing software that can steal financial information or simply try to sell them fake security software.
1. Protect against online fraud
Online fraud takes on many guises that can impact everyone, including small businesses and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your company.
Be sure to never request personal information or account details through email, social networking or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.
1. Protect against phishing
Phishing is the technique used by online criminals to trick people into thinking they are dealing with a trusted website or other entity. Small businesses face this threat from two directions — phishers may be impersonating them to take advantage of unsuspecting customers, and phishers may be trying to steal their employees’ online credentials.
Businesses should ensure that their online communications never ask their customers to submit sensitive information via email. Make a clear statement in your communications reinforcing that you will never ask for personal information via email so that if someone targets your customers, they may realize the request is a scam.
Employee awareness is your best defense against your users being tricked into handing over their usernames and passwords to cyber criminals. Explain to everyone that they should never respond to incoming messages requesting private information. Also, to avoid being led to a fake site, they should know to never click on a link sent by email from an untrustworthy source. Employees needing to access a website link sent from a questionable source should open an Internet browser window and manually type in the site’s web address to make sure the emailed link is not maliciously redirecting to a dangerous site.