Cybersecurity Tips For Small Business Operators

From Target and Home Depot, to Apple's iCloud, Sony, and Anthem, it seems there's a new security breach announced every other week. Polls indicate that 50 percent of small- to medium-sized businesses believe they are immune to targeted cyber-attacks because criminals are more focused on large corporations. The reality is these companies are easy targets because they don't invest in new tools to defend against today's new breed of cyber attacks.  All companies, regardless of their size, are at risk.

Older, traditional security solutions are based on technologies that rely on knowing something about the attack, such as the vulnerability targeted, the malware used, or the reputation of the email sender. These tools may block basic known malware, but they are incapable of identifying today's dynamic, multi-vector, multi-stage attacks.

Cyber attacks on major US companies and financial institutions aren't likely to slow down this year which means consumers will continue to find themselves targets. Once a person's identity is stolen, it can create problems for years or decades down the road. Additionally, some financial institutions won't always cover stolen funds resulting from a hacked computer. This is particularly true for people who own small businesses.

According to a recent USA Today article, nearly 519 million records were stolen in the past 12 months. About 35 percent of the thefts were from website breaches and 14 percent occurred at the point of sale when someone bought something at a retail store.

"About 110 million Americans -- equivalent to about 50 percent of U.S. adults -- have had their personal data exposed in some form in the past year," says Tim Pawlenty, president of the Financial Services Roundtable, and former governor of Minnesota.

80 percent of hacking victims in the business community didn't even realize they'd been hacked until they were told by government investigators, vendors, or customers, according to a recent study by Verizon.

I think we can all agree that these statistics are alarming. What can a small or medium-sized business do to be more secure in 2015?

Password Management

Did you know 20 to 30 percent of all IT service desk volume can be traced back to password problems? That means each person in an IT department is spending 1-1/2 to 2 hours a day resetting passwords and helping employees get back into their locked accounts.

Did you know that 76 percent of breaches on corporate networks are due to a weak employee password?

One of the biggest threats that companies face is the poor management of passwords and sensitive files.  We are in a new age of cyber-terrorism where hackers seek to not only gain financial benefit, but more dangerously, seek to destroy a company's reputation, brand, and employee trust in their employers.

Every employer has a fiduciary responsibility to protect and safeguard their employees' private information.  It is essential for executives and employees of a company to have a strong password policy in place - utilizing a password manager to create strong and randomized passwords on all of their personal and business sites. The compromise of credentials, either through a data-breach or negligence, greatly increases the risk of fraud.

All companies should conduct a thorough review of their internal control policies and the systems they have in place for securing employee data. A zero-knowledge security platform?should be implemented across all employee devices, which prevent hackers from gaining access to confidential information.

Companies should also keep their sensitive information (passwords, etc.) encrypted.  Any file with sensitive information should have been stored in an encrypted vault.

If executives and employees of Sony had a strong password policy - and if they used a password manager to create strong and randomized passwords on all of their personal and business sites, it's possible that access to their computer networks could have been prevented - or made very difficult.

Zero-Knowledge Architecture

One core component that multi-location franchisees should utilize and understand is the concept of zero-knowledge security.  Zero-knowledge security means that the private encryption key resides with the user and encryption occurs at the device level (your phone, tablet, computer, etc.).  This means that nobody except the user is able to decrypt and access their data.

For multi-location enterprises that utilize traditional cloud storage technologies, they should understand that many of these technologies do not practice zero-knowledge security.  This creates inherent risks for a user since the provider can often access the user's encryption key and theoretically, decrypt and view information being stored in the cloud.  This further creates risk for the provider since a hacker, in the event of a breach, could potentially gain access to both the encryption key and binary file - which would allow the hacker to decrypt and view the data.

For zero-knowledge security platforms, the software provider does not have access to or knowledge of the user's master password or the encryption key and thus, is not able to access those files, locally on a user's device and in the cloud.

Two-Factor Authentication

The use of Two-Factor authentication in addition to the use of strong passwords could have made it extremely difficult for the Sony hackers to access the services. Two-factor authentication (2FA) is a strong method to prevent unauthorized access from hackers.  Implementing 2FA ensures that a user can confirm access through two methods, typically something the user knows (e.g. a password) and something in their possession (a smartphone).

Anti-Fraud Services

In the past, anti-fraud services were primarily the concern of the financial industry. However, in today's business world, any enterprise that conducts transactions over a network can be targeted by fraud. There are a growing number of anti-fraud services available to businesses, but not all services have equal capabilities or effectiveness. When evaluating an anti-fraud service, it is important to find a service that relies on the latest technology to detect fraud, and the ability to react quickly to mitigate threats.

Anti-fraud services should monitor a variety of intelligence sources (such as spam lists, password lists, attack signatures, malware/anti-virus intelligence feeds, ISP reports) to detect and prevent fraud before customers have an opportunity to be victimized. A good anti-fraud service should be both preventative and reactive.

The cost of anti-fraud services can start at less than a few hundred dollars per month and range into thousands of dollars per month, depending on the vendor and level of services. Fraud does not just have an immediate fiscal impact on the victims, but can also damage the reputation and brand (Target, Home-Depot anyone?). When considering the cost, businesses should also consider the value of anti-fraud services in protecting a brand.

Data-Protection Strategy

The best way for an organization to protect itself from a data breach is to guarantee that a data-protection strategy is in place to ensure that all sensitive data is encrypted, proper controls are in place to permit access to that data, and that the policy is consistently tested and audited for effectiveness in preventing data loss from both external and internal threats. Centralized management of enterprise-wide access, threat-detection systems, external and internal security auditing systems, and the ability to securely share sensitive information and credentials are all key components of an effective data-protection strategy for any enterprise.

About the Author

Darren Guccione is the CEO and co-founder of Keeper Security, Inc. Keeper is the world's most downloaded password security application, is certified SOC 2 compliant and utilizes world-class encryption to safeguard its users. Keeper and Keeper for Groups, an international business solution for storing, accessing and safeguarding passwords and personal information, is available on all major Smartphones, Tablets and Computers - covering iPhone, iPad, Android, Mac, PC, BlackBerry, Kindle, and Windows Phone.