Small Business Security Starts with The Business Owner
Small business owners need to take ownership and responsibility for the problem of cyber crime. They must understand the problem and secure their digital assets.
The number of cyber attacks against small businesses grew rapidly in 2015. This matters because research suggests that sixty percent of small businesses struck by a cyber attack close within six months. With the World Economic Forum now identifying cyber crime as a global economic risk, we're expecting even worse numbers in 2016.
Hackers like small businesses because their digital assets are more lucrative than those of a normal consumer, and the small business likely has fewer IT staff and IT safeguards than larger corporations. As this infographic suggests, small business managers often underestimate the value of their digital assets (believing that they don't have anything worth stealing), and they don't understand the exposure they face if those assets are lost.
There are a number of Technical Controls that we can implement to help address the problem:
Access Controls
Vulnerability assessments
System patching
Encryption
Data backups
Mobile Device Management
2-Factor Authentication
Still, all of those Technical Controls are meaningless unless they're actually deployed and used by a business. Small business owners have a couple of avenues of recourse:
Owner/managers must take an interest in managing the problem. That means learning more about the risks and the challenges facing the business, rather than ignoring the risk and hoping something bad doesn't happen to them.
Create formal policies and procedures regarding computer activities. Administrative Controls like policies, procedures, and work instructions clearly communicate management's intention to staff and stakeholders.
Train employees and staff on those policies and procedures. Educate everyone - every stakeholder - about your commitment to managing information using the best-practice means available.
Update your software and hardware regularly. Observe when devices, personal computers, or software leave mainstream OEM support and will no longer receive security updates. Replace obsolete equipment that places your firm at risk.
Prepare an incident response plan. Unless you have one - actually written down, something you communicate and practice against - you don't have one.
But notice that it all starts with the business owner. It starts with them because - without their commitment - none of these steps could possibly be approached.
If you run a small business, don't become a target by neglecting your responsibility to protect your digital assets. Don't expose yourself by taking no action; don't put yourself at risk because you're the lowest-hanging fruit in an orchard of choices for digital pharmers.
Take ownership and responsibility for the problem.
Access to Digital Assets After Death
Through UFADAA, your fiduciaries now have a legal path for acquiring your data from digital devices and online services after you die. Yep: time to update your will / Power of Attorney.
Believe it or not, accessing private data after death has historically been an act of hacking. Yeah, imagine having to hack your loved one's accounts to get access to important stuff like checking and savings accounts, bill paying systems, accounting systems, or invoicing systems.
Essentially, survivors would need to impersonate the deceased, guess at passwords or have passwords rotated by a hack to access accounts, or have secure systems compromised to access data.
And legally, the heir or assign of an individual didn't have any rights to the data. That data was owned by the account holder (who is now dead) and there wasn't a legal transference of digital property rights.
However, effective June 2016 in the State of Washington, this has changed with the adoption of 11.120 RCW, the Uniform Fiduciary Access to Digital Assets Act (UFADAA).
UFADAA establishes a standard process for a fiduciary to access the secured digital assets of the deceased found on their devices (computers and mobile devices) and their online accounts.
This special access is limited: it grants the fiduciary access to essentially collect the data and close the account; it doesn't allow the deceased's account to survive forever.
UFADAA also allows for data to be collected from the principal, accumulated by a designated custodian of the data, cataloged, and held in a trust. It also allows the principal to shield some kinds of data from their fiduciary.
Some companies that are more progressive on these matters - like Facebook - allow you to identify legacy accounts: fiduciaries on Facebook who would presumably survive the deceased and could get access to the account to memorialize it. Most companies are far behind this curve in letting account holders identify others who could access their digital assets after death.
The court can assign data custodians, and so can businesses and individuals. However, it's recommended that a will/Power of Attorney specifically declare UFADAA rights.
If you're concerned about this - and if you own a business, you'd want to be concerned about this - you'd want to speak to your attorney about including UFADAA rights in your succession planning.
Also, you'd want to check online services that offer legacy accounts (or some means of designating authorized survivors) and set those up.
And finally, you'd want to grant some degree of access to your password manager for the fiduciary following your demise. Most password manager services allow for a legacy account to be designated; otherwise, a master password, written on paper, stored in a sealed envelope, and safeguarded in a safe place, may also suffice (a broken seal may be a visual trigger to reset passwords).
Windows 10 is a Spying Machine
Windows 10 is neither a secure nor a private operating system, nor can it be made one. Here's why. If you're truly concerned about privacy or security, you should rule out Microsoft's products.
Windows is neither a secure nor a private operating system platform.
I couldn't recommend it to anyone concerned about the security of their computing platform, or the confidentiality of their personal private information (PPI).
It cannot be hardened or made secure so long as it is connected to the public Internet.
If you use it, you are unwittingly transmitting PPI, location data, and system data to Microsoft, even if you attempt to harden the o/s through enabling its privacy settings.
Out of the box, Windows 10 violates your privacy and transmits information to Microsoft.
Curious about what Windows collects about you? Here's an analysis.
Windows 10 transmits confidential information to Microsoft over 5,500 times a day.
Windows 10 search features keep transmitting PPI even if disabled.
Even when instructed not to transmit data to Microsoft, the o/s does so.
Extensive telemetry data cannot be prevented from being transmitted to Microsoft.
When you encrypt the drive with BitLocker, the decryption key is sent to Microsoft.
The EFF continues to hound Microsoft to address their behaviors without response; Microsoft continues to disregard user choice and violates their privacy.
Google felt compelled to publicly disclose a Windows 10 vulnerability ahead of Microsoft because Microsoft refused to take action; Google did so to protect its users while Microsoft stalled.
Microsoft's operating system is constantly susceptible to zero-day flaws and attacks; famously, a Russian-created zero-day attack mounted by Russian intelligence services was used to attack the DNC.
If you're concerned about security or privacy, you cannot honestly look at Microsoft's offerings and consider them a serious option.