12 Simple Cybersecurity Rules For Your Small Business


James Cannady, Ph.D., Professor at Nova Southeastern University's Graduate School of Computer and Information Sciences, will present on "12 Simple Cybersecurity Rules For Your Small Business."

In this online presentation, twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology, most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense.

Published in: Education, Technology

  1. 12 Simple Cybersecurity Rules for Your Small Business
     James Cannady, Ph.D.
  2. Purpose of this presentation
     • Small businesses form the foundation of our economy. Their need for information security is as great as a multi-national business, but they usually do not have the resources to dedicate to protecting their systems.
     • Security does not have to be as complicated (or expensive) as it may seem
     • The following rules are designed to serve as guidelines for small businesses as they consider options for securing their computer resources.
  3. Rule #1: Focus on the Business
  4. Concentrate on the Business
     • Security is a support function for the business. It is not "the" business.
     • Choose security technologies and techniques that support and enable the business
     • Avoid changing the business to accommodate security products (there are lots of options)
     [Photo 2]
  5. Concentrate on the Business
     [Diagram labels: Secure Operations; Security Technologies; Security Services; Security Policy; Business Requirements]
  6. Rule #2: Decide How Much Security You Really Need
  7. What do you need?
     • There are a variety of available security technologies
     • Price/availability/interoperability must all be considered
     • Sometimes doing nothing is OK
     • Defense in Depth as a strategy for a secure infrastructure
  8. What do you need?
     • Security is cumulative
     • No single solution
     • "We have a firewall!!!"
     • Examine cost/benefit of each approach vs. cost of security incidents
     • Focus first on biggest vulnerabilities
     • Get what you need, but no more.
     [Photo 3]
  9. Rule #3: Prevention Is Easier Than The Cure
  10. Security is more than technology
     • Employee awareness of need for security
       – Formal training vs. teaching moments
     • Operations Security
       – The whole point of operations security is to have a set of operational (daily, habit-ingrained) practices that make it harder for another group to compile critical information.
  11. Rule #4: Understand Your Security
  12. It's Your Security
     • Not everything can be done in-house
       – You will have to buy at least some commercial products
       – You may need to bring in outside consultants
     • Make sure that all security components are well documented
       – Configuration, installation, etc.
       – Changes will need to be made eventually
     • Be careful with factory defaults
       – Easier for remote tech services, but potential vulnerabilities
  13. Rule #5: Start With The Security That You Already Have
  14. Use The Security Software That You Already Own
     • OS built-in security
       – Firewall
       – Built-in file encryption
         • Not the strongest, but…
     • Browser Security
       – No pop-ups
       – Limit access to certain websites
       – Lock settings to avoid changes that may compromise security
     [Photo 5]
  15. Rule #6: Back-up Your Important Data
  16. Data Back-ups
     • Simple vs. Complex
     • Cheap vs. Expensive
     • Time-consuming vs. Scheduled
     • Manual vs. Automated
     • Options
       – CD-ROMs/Thumb drives
       – Carbonite
     • How Often?
  17. Rule #7: Use Antiviral Programs
  18. Antivirus
     • Relatively cheap
     • User friendly
     • Scan every download
     • Also consider spyware/adware protection
     • Keep it up-to-date
     [Photo 6]
  19. Rule #8: Limit Access To Your Sensitive Data
  20. Access Control
     • System administration is a one person job
       – Only one person needs to be able to have full control over the system (backup sysadmin ok, but no more)
     • The crown jewels of the business need to be limited to specific personnel
       – How?
         • Password-protected files
         • Separate computers for sensitive data
     [Photo 4]
  21. Rule #9: Secure Your Wi-Fi
  22. Secure Your Wi-Fi
     • Almost every business has one.
     • They are easy to find and easy to exploit, especially if simple security measures are not used
     • Current encryption standards for Wi-Fi are not particularly strong, but they are usually enough to dissuade the bad guys, especially since there are almost certainly unsecured Wi-Fi networks nearby
     [Photo 1]
  23. Rule #10: Create a Security Policy
  24. Security Policies
     • Start with a written Security Policy.
     • You must have a plan
     • Know your assets and know your risks
     • Cover the basics first.
     • Then apply technology to support your policy and solve specific problems.
       – Authentication
       – Confidentiality and Integrity
       – Perimeter defense
       – Intrusion Detection and Audit
     [Photo 8]
  25. Rule #11: Don't Forget to Lock the Door
  26. Physical Security
     • Physical security is as important as any other form of information security
     • Computers should not be accessible by unauthorized users
     • Servers should be guarded with sufficient care to protect the data they contain.
     • Challenge strangers
     [Photo 8]
  27. Rule #12: Security is Not Magic
  28. There is no panacea
     Security is the process of enabling the protected information system to do what it was designed to do. Nothing more, nothing less.
     You will not have perfect security, no matter how much money you are able to spend
     …but it doesn't have to be perfect.
     [Photo 7]
  29. Take Home Points
     • Security is not the business, it supports the business
     • Decide what you need, don't rely on a vendor to tell you what you need
     • There are a variety of inexpensive (or free) approaches to security that provide excellent protection
     • Physical security is at least as important as any other form of protection
     • Don't strive for perfect security. You only need to be secure enough that it's not worth the effort required of the bad guys
  30. James Cannady, Ph.D.
     Graduate School of Computer and Information Sciences
     Nova Southeastern University
     cannady@nova.edu
  31. Photo Acknowledgements
     1. http://www.pcworld.com/article/2052158/5-wi-fi-security-myths-you-must-abandon-now.html
     2. http://www.lbcc.edu/business/
     3. http://www.walt.com/case-studies/ssh/
     4. https://wiki.duke.edu/display/oitwebstyle/Information+Display+-+Slide+Examples
     5. http://blogs.sans.org/securingthehuman/files/2012/04/Sticker.png
     6. http://www.certifiednerds.com/run-regular-anti-virus-updates-and-scans/
     7. http://www.thisisvisceral.com/2013/08/development-tips-tricks-summer-2013/
     8. http://laveti.wordpress.com/2012/12/09/developing-information-security-policy/