"There are two kinds of big companies in the United States. There are those who've been hacked and those who don't know they've been hacked." FBI Director James Comey
Cyber security can feel overwhelming, and the items this slide deck covers will inform you on how to better prepare your business.
1) Why would a hacker target your business
2) What data should you protect
3) Avoiding security negligence
4) What can you do to protect your company
2. “There are two kinds of big companies in the
United States. There are those who’ve been
hacked…and those who don’t know they’ve
been hacked.” - FBI Director James Comey
3. The dam has broken for small companies when it comes to security.
Jeremy Grant, an adviser at the Department of Commerce’s National
Institute of Standards and Technology, says in the past two years he has
seen "a relatively sharp increase in hackers and adversaries targeting
small businesses."
According to the security company Symantec, cyberattacks on small
businesses rose 300 percent in 2012 from the previous year.
INK MAGAZINE JANUARY 2014
10. Items to cover today
1. Why would a hacker target your business?
2. What Data should you protect?
3. Avoiding Security Negligence
4. What can I do to protect my company?
11. What do Hackers attack?
Cause Disruption
Personal Information
Banking
information
Access
Gateway to
bigger fish
Ransom
Intellectual
Property
13. Ransom
Typically comes through email
Encrypts drives, even network drives
Demands a ransom to unencrypt your data
- typically have just a few days
- typically hundreds of dollars
Sometimes will give you a “sample” to prove they have
integrity
CryptoLocker, TorrentLocker,
CryptoFortress …
14. To Cause
Disruption
Questions to consider
1. If you no longer had access to your company data how long
would you be able to function as a business?
2. How long until it becomes really painful?
3. How many past employees would cause you harm if given
the chance?
15. What data should I secure?
Any data that if no longer available would disrupt your business
Any personal information
Data with liability under compliance laws (PCI, HIPAA …)
Intellectual property
18. Indiana Law
The Office of the Indiana Attorney General is committed to
enforcing the Disclosure of Security Breach law to better
protect Hoosiers from identity theft. This law requires Indiana
businesses inform their customers about security breaches
that have placed their personal information in jeopardy. The
Office can seek up to $150,000 for data breaches that have
not been properly disclosed to Indiana customers.
http://www.in.gov/attorneygeneral/2410.htm
What if I have a breach?
19. Avoid Security
Negligence
1. Protect your data to the best of your ability
2. Consider an outside evaluation
3. Review and update plans and policies frequently
4. Consider data breech insurance
Failure to use
reasonable care,
resulting in damage or
injury to another.
20. What can I do to
protect my
company?
Level 4 – Data
breach could
potentially harm
lives; security
breach simply must
not happen
Level 3 –
Personal/Identity,
compliance,
intellectual
property – i.e.
account
information, credit
card or social
security numbers,
HIPAA, PCI,
Sarbanes Oxley, etc.
Level 2 – Some
sensitive data but
not relative to
health, personal
info, or credit card
info
Level 1 – No
sensitive data
23. Access
1. All patches, especially security patches must be up to date
on your server.
2. Access Policy enforcement – setup employee access to only
those areas where they should have access and restrict the
rest.
3. Password Policy enforcement –server access should be set
to follow your policy. Note guideline in handouts.
4. Centralized Data – keep as much data in one central
location as possible for better control.
5. Business continuity plan – create a plan, test and review
regularly.
24. End Point
1. Good Anti-virus program
◦ Example: Eset
2. Anti–Malware program
◦ Example: Malware Bytes
3. Patching – all software especially the Operating system
should have all patches up to date.
4. Restrict ability to install software to Admin only
What I use to get to my data
25. Perimeter
Firewall
◦ Restricted or monitored Internet access
◦ Another layer of Anti- Malware and Anti-Virus at Gateway
Wireless Access points
◦ Public access separated from private access
Cable access
◦ Every cable goes somewhere
Create a barrier from outside
access
26. Policy and
Procedures
1. Use Policy
2. PC/Laptop Policy
3. BYOD (bring your own device) Policy
4. Password policyCreate and enforce
27. Policy and
Procedures
1. New user procedure
2. Terminated user procedure
◦ employee
◦ Leader
◦ IT employee or company
3. Hardware disposal procedure
4. Hardware refresh guideline
Create and follow
28. Summery
1. Access – Secure your data and limit access
2. End Point – Protect yourself from users
3. Perimeter – establish a barrier from the rest of the world
4. Policy and Procedures – this allows for the beginning of
education.
5. Review and update regularly