Cyber-security breaches can bring a small business to its knees. In today’s guest post, Alan Wlasuk tells you how to protect against a security breach—and how to respond if the worst happens.
Whether your company is big or small, whether you handle “protected” data or not, whether you have a few customers or millions, your next data breach could be a company-crippling event. Now—before a breach happens—is the time to put digital security protections and plans in place.
I’ve compiled two lists of what you should consider before your next data breach as well as how to handle the turmoil after the breach. If you are clever and proactive, your efforts will certainly eliminate threats from inept script kiddies as well as hackers just looking for an easy mark.
Before the Breach
- Your network (physical) security should be solid and in place. This includes firewalls, virus protection, current patches on system-level software and physically secured servers. Network security is well understood, relatively simple to implement, and often inexpensive. If your IT team is not up to this task, bring in an outside Infrastructure company to take a look.
- Turn on your system logs. System logs tell the story of access and usage of your IT system. If you have the staffing resources, logs will also allow your IT staff to continually look for one-time and persistent security attack attempts – perhaps with the chance to prevent a breach before it happens. Even if you are short on resources and cannot continually monitor your logs, they will let you understand how the breaches occurred and determine what data was stolen.
- Encrypt all sensitive data as widely and as securely as possible. Data encryption is a one-time development effort, relatively inexpensive and worth its weight in PR gold should you have a data breach. Those magic words, “The data was encrypted – no sensitive data was compromised,” will make even the most embarrassing breach bearable.
- Perform a vulnerability scan on all externally facing websites. Review all of your externally facing website scans and secure your sites against web application attacks. This is almost always a job for an outside firm with web app security skills.
- Install virus and malware prevention throughout your organization. Malware has become a major security problem for home as well as business computers. A single malware-infected computer in your office can be the gateway through which hackers gain access.
- Educate your staff. The weakest security link is often your staff. A skilled social engineer will run rings around a trusting, naïve staff member. It’s a mean world out there, fueled by a cybercrime community that often finds it easier to sweet-talk your staff out of the company logins than it does to hack your secured IT environment.
- Review your cyber-insurance. When I speak to my associates on the risk management insurance side of the world, they tell me cyber risk insurance is one of the least understood and least used protection means at our disposal. As I said in my opening paragraph, your IT environment will be breached one of these days, regardless of what digital security efforts you make. If your financial liability is potentially large enough to break the company, I would suggest you cover your bets with cyber-insurance.
- Understand your security-related financial and legal responsibilities. In the case of a security breach, commercial regulations and state and federal data protection laws dictate how much information you must disclose, the audience in which it must be disclosed to, and the impending financial penalties. There’s a good chance that understanding the regulated down side of a breach will provide a good stimulus for looking into more robust security systems.
- Review your third-party relationships. Companies get caught in this trap all the time – they secure their IT world but some vendor or facilities provider opens up a huge security hole. The big guys (companies with enough clout to pull it off) put their vendors and providers through rigorous security audits before doing business with them. Even if you don’t have that clout, pick your third-party relationships with care.
- Review how you handle and monitor remote data equipment. Laptops, tablets and smartphones are prime targets for theft and carelessness (easily left in a bar or the front seat of a car). Every company needs to take the position that any device that leaves the office may fall into the wrong hands. A password on a mobile device is a minor hurdle to a hacker – there need to be many more hurdles. Consider encryption at a minimum and work upward from there.
After the Breach
If a security breach does occur, you and your staff need to be ready to react quickly and decisively. My suggestion for the days, weeks and months following the breach are as follows:
- Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what your next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make you look even more inept when you revise the information you did send out. Take the time to respond with dignity.
- Review your system logs to determine how the breach occurred and what information was compromised. A good set of system logs will usually tell the complete story of your breach (you did turn your logs on, didn’t you?). I would suggest bringing in security experts to review your logs and find out exactly what happened and determine what data was compromised – this is usually pretty complicated stuff.
- Repair your systems. You would be surprised at the number of businesses that take an incredibly long time to repair known vulnerabilities or never do so at all. Also, while repairing the system that was breached, take a look at your entire IT world for similar problems – after all, it is probably the same IT staff that handles your entire IT environment.
- If required, inform the appropriate financial and legal entities as soon as possible. Depending on your industry, there may be strict requirements for reporting security breaches. Your problem will only get worse if you get caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground – not as a result of company disclosure.
- Inform your users or clients and customers as soon as appropriate. There is a line between keeping your company viable and an ethical responsibility to your clients and customers. Consider the damage that might be done to your clients and customers and think about how you would expect to be treated.
- Call your insurance company. Depending of the nature of the breach, you may be covered for some, if not all, of the expenses associated with your recovery. Rather than assume you are on your own financially, give your insurance company a call. You might also take the time to talk about cyber-insurance with your agent – for the next time.
Alan Wlasuk is CEO of 403 Web Security (www.403.wddinc.com), a company that helps small and midsized businesses identify and repair website vulnerabilities. Alan is a Bell Labs Fellow award-winner with more than 18 years of experience building secure Web applications.