By Matt Blaine, Davison, Eastman & Muñoz, P.A.
If you have been paying attention to this summer’s headlines, then you know that reports about data breaches are now nearly as common as daily horoscopes and baseball box scores.
From the massive data breach of the U.S. Office of Personnel Management that will affect the lives of more than 25 million people, to the 37 million adulterous individuals whose private information was compromised on Ashley Madison, to a fraudulent email scheme that swindled Omaha Scoular Co. out of $17.2 million, to the recent white-hat-Jeep hack that was reported in Wired magazine, one thing is clear – cybersecurity and data breach concerns are here to stay and businesses need to be on guard.
Small business owners, are you prepared for an online security issue?
As with many complicated questions, when the answer escapes you, start identifying what you know you should not do. For instance, you know you cannot ignore this problem. You know that hiding your head in the sand is a sure recipe for disaster. And for those of you out there who think there is no way your small business could possibly be a cybersecurity target, you are sorely mistaken. You cannot forget that you are a gateway to more high profile information targets: your customers.
The very real threat this hacking trend poses to New Jersey small businesses is demonstrated by the 2015 hacks of many small companies, including: Slack, Direct Marketing Association, Nite Ize, Kraft Music LTD, Perspectives.org, Bulk Reef Supply, Greers Professional Fabricare Services, Dutch Bros. Coffee, and c3controls.
Nite Ize, a flashlight manufacturer, faced a hack of their consumer-facing website which was hosted by a third-party vendor. More than 300 credit card numbers were stolen along with customer information. The organization worked to repair the breached system and contacted the customers affected. A similar hack hit Greers Professional Fabricare, a dry cleaning and laundry service, who informed its customers that their credit card information had been stolen due to a server breach.
But it’s not only credit card information that is at risk during a hack. Slack, the popular group chat tool, was the victim of a database hack, compromising users profile data, including login information. The scope of the hack was even larger, since profile information of users included outside website logins and passwords. No financial information was compromised and there was no evidence that hackers were able to decode the encrypted password information, but the violation of personal information could have been devastating.
All of these small businesses were caught off guard and paid the price. No company, no matter how big or small, is immune to these types of hacks, and you have a duty to protect yourself and your customers.
When considering this type of large and small-scale activity, it is no wonder that FBI Director James Comey recently clarified that "there are two kinds of companies in the United States. There are those who've been hacked . . . and those who don't know they've been hacked."
If this kind of cyber-threat can bring well-funded government institutions and even Fortune 500 companies to their knees, what can your small business do about it? Obviously, unplugging from the Internet is not a viable option; it runs counter to customer expectations and the dramatically increased business and personal efficiencies that the Internet provides.
First thing’s first – you need a plan. Benjamin Franklin warned, “if you fail to plan, you are planning to fail.” And in the words of Yogi Berra, “If you don’t know where you’re going, you’ll end up somewhere else.”
In developing your plan, focus on both cyber intrusion prevention methods and cyber breach mitigation and recovery efforts; assume a cyberattack is inevitable, as opposed to a mere possibility. There are also publications and vendors out there to help. A good starting point for researching prevention methods is a study issued by the National Institute for Standards and Technology (NIST) in 2014, entitled “The Cybersecurity Framework.” For mitigation and recovery efforts, see the United States Department of Justice: Best Practices for Victim Responses and Reporting of Cybersecurity Incidents, V. 1 (April 2015).
In developing a prevention, mitigation, and recovery plan, best practices generally require you investigate and implement the following:
1.An efficient and effective team of internal IT champions and outside vendors.
2.Defense-in-depth strategies that emphasize multiple, overlapping and mutually supportive defense systems. This includes the deployment and regular updating of firewalls and gateway antivirus, intrusion detection or protection systems, website vulnerability with malware protection and web security gateway solutions throughout the network.
3.Understand that antivirus and malware protection on endpoints is not enough and comprehensive endpoint security products with additional layers of protection must be deployed and used.
4.Secure websites against attacks and malware infection.
5.Protect your private keys, encrypt sensitive data, and implement a secure information transmission platform.
6.Monitor for network intrusion attempts and vulnerabilities.
7.Ensure all devices on company networks, especially mobile ones, have adequate security protections, and that the company has a workable minimum security profile for all bring-your-own devices (BYODs).
8.Implement a removable media policy that restricts the use of authorized and unauthorized devices like thumb drives and external hard drives that can introduce malware and facilitate data breaches, both intentionally and unintentionally.
9.Aggressively update, patch and discontinue outdated and insecure browsers, applications and browser plug-ins while keeping virus and intrusion prevention definitions updated. Also, automate your patch deployment processes.
10.Implement and enforce a strong and effective password policy.
11.Restrict and monitor email and email attachments.
12.Limit access to your shared network by using a multi-layered authentication system and restrict users’ ability to download software.
13.Educate users on basic security protocols, including email and social media.
14.Develop and implement post-infection detection capabilities to identify infected systems.
15.Make sure regular data backups are secure and available.
16.Develop and implement effective incident response procedures and disaster recovery plans: What will you do? Who will do it? Who will you contact? How will they be contacted? Who will contact them? How will you respond to the media? What else needs to be done? And who will do it?
17.Investigate and purchase appropriate cyber security and liability insurance policies.
The above framework may seem like a lot, but in order to thrive in the modern world, it is imperative to understand these issues, develop a plan, and start to intelligently and cooperatively implement these best practices.
The question remains: How can you possibly get this all done?
You have to change your mindset, and you have to change the culture. It all starts with people.
The most critical aspect of IT security is the way in which your people interact with your IT system. This requires a firm understanding of these IT interaction points, as well as planning and implementing the best and most pragmatic ways in which we can set up processes – both automated and manual – that will help us from inadvertently (or even intentionally) creating a data breach scenario.
 The NIST Cybersecurity Framework is available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
 The USDOJ’s Best Practices for Victim Responses and Cybersecurity Incidents is available at http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf
Matt Blaine is an associate at Davison, Eastman & Muñoz, P.A., in the Business Law and Litigation Department. He is also the Chair of the Davison, Eastman & Muñoz Technology, and Innovation Committee, where he spearheads the firm’s technological advancements.