Management, Info System Security Russell Mickler Management, Info System Security Russell Mickler

Small Businesses At Increasing Risk of Cybercrime

Sure, there's been a lot of chatter about the OPM hack recently. But let's not forget how vulnerable the small business is to cybercrime, either.

This week, the US Office of Personnel Management admitted that over 5.6 million fingerprint records were stolen in a hack perpetrated earlier in the year; that's significantly larger than what they first imagined was 1.1 million compromised records.

If your head is reeling from the enormity of such a breech, and if you somehow figure that only large corporations or government systems are the target of serious hacks, think again. Recent reports show that small/micro businesses aren't doing enough to protect themselves, either.

Phishing attacks, credit card fraud, virus infections, data compromises; malware, espionage, password compromises, shareware exploits. Sage recently released a good infographic claiming that up to 90-percent of data breaches impact small firms, and that 30-percent of businesses under 250 employees are the intended targets of cyberattacks; 1 in 5 small businesses fall victim to cybercrime every year, and 60-percent of those affected businesses go out of business.

Half way through 2015 and cyber risks continue at an alarming rate. The criminals continue to become more sophisticated and have quick ‘go to market’ capabilities ...
— Carolyn Schrader, Cyber Security Group, Inc.

The bottom line is that thinking about information system security isn't just for the enterprise: it's something every mom and pop shop should be doing, too. We can't fool ourselves. Larger corporations may provide a more inciting, data-rich environment, but the reality is that small businesses don't secure their systems in the way corporations would, which makes them easier targets. They don't have the talent or expertise to understand the safeguards they're implementing, let alone verify their suitability and functionality.

And if we somehow believe that free software downloaded from the Internet will solve our problems, we should probably think again. Every small business owner or manager should be finding a trusted cybersecurity partner. Mickler & Associates, Inc. - a computer security consultancy in Vancouver, WA - is uniquely positioned to help small businesses improve their security posture and audit their safeguards. Learn more about how we could help you today.

R

Read More
Strategy, Info System Security Russell Mickler Strategy, Info System Security Russell Mickler

There's No Such Thing as Privacy

What is Privacy?

This image of a button makes it look so easy,  doesn't it?

Well, first off, privacy doesn't exist. Privacy is a subjective feeling in that there's no specific measurement anyone can use to suggest absolute privacy; what is private to one party may be inherently public to another.  

All the word means that it's a state or condition that we believe is free from observation or eavesdropping. In terms of technology strategy, privacy reflects the confidence we have in systems to protect confidential information about individuals.

Let's break a few of those components down for a minute.

  • Confidence. Yet another subjective feeling, confidence reflects how assured we feel that our safeguards are thorough, comprehensive, and resilient to attack. Example: we have confidence in a deadbolt on our front door to protect us from an intruder; we have confidence that a locked file cabinet will prevent unauthorized inspection of classified data. Confidence reflects only our intellectual and emotional trust in our safeguards.
     
  • Systems. These are the policies, processes, training, controls, and automation that we've put in place to guarantee outcomes, to provide us with greater assurance that privacy can be maintained. Systems help ensure confidence.
     
  • Individuals. In technology, we collect information all the time. That information is usually aggregated and reflects many anonymous data points that help paint a picture over a problem. This kind of data and its collection yields competitive advantage: we want this data, need it, collect it, and utilize it, to maximize profitability for shareholders. That's different than the information of individuals which is specific and representative of personal details that uniquely identifiable. It's about understanding what uniquely identifiable information we maintain and what we're responsible for.

 

So, in terms of information sciences, we look at privacy as an artificial and subjective construct. It's not an absolute thing - flip a switch, a button to press, and, hey: your stuff is private! Rather it's a feeling that we have that the systems we've put in place give us the confidence that information about individuals remains confidential.

The degree to which that feeling can extend is relative.

  • If you want a feeling of maximum assurance and the highest confidence, we must come to thoroughly understand the information of individuals we maintain, and, to implement very rigorous systems to control it.
     
  • If you want reasonable assurance and reasonable levels of confidence, we implement the bare minimum of systems to protect and control the information in our care. 
     
  • If you're unsure of what information you're responsible for, and, aren't aware of the systems put in place to protect it, then your confidence is misplaced - you're blindly believing everything is okay. You've taken no action to understand what you're responsible for, then you can't have any reasonable expectation of privacy.

 

Further, privacy isn't a defined thing in the United States. It isn't even a right. There isn't a consensus in this country of what degree of systems are sufficient, what specific information about individuals should be confidential*; there's nothing written into the Constitution or Bill of Rights that guarantees citizens a right to privacy (in fact, just the opposite, with the 1st Amendment); aside from a smattering of Federal and State laws, case law has attempted to define what privacy actually means. In this country, there is a limited legal framework that defines what is private and what your obligations are (as a business owner) to maintain it.

So privacy isn't a right; what information about individuals should be private hasn't been universally defined; safeguards to elevate confidence haven't been universally defined; privacy is just a subjective feeling. 

Beyond that, there is not an absolute economic imperative behind privacy.  It won't improve shareholder equity; it won't return on investment. You're simply investing in safeguards. And for individuals, implementing inconvenient systems to safeguard their privacy may be perceived as too tedious or time consuming. Why should any business or individual what to do something that costs money, delays action, or causes irritation, when the payoff seems so limited?

So surely, privacy doesn't exist. It's a feeling that resides only in our minds.

Yet, ephemeral as privacy may be, the recent data breach from the Federal OMB affecting 7-percent of all Americans should remind everyone that the threats are real and the impacts are material. Indeed, a return on privacy does exist in the form of damages, losses, trust, and reputations. 

The question is: in witnessing this massive failure of privacy within the Federal Government, will you - today - overcome your base assumptions about your company's safeguards, verify their integrity, and implement stronger safeguards, as to validate the confidence that you have in systems that keep the personal private information of individuals confidential? Will you change your habits as an individual? Or, will you keep doing what you've always been doing, presuming your systems and habits should never have to change?

R

* With exception to some classified forms of information determined by Federal and State Governments. Example: Data subject to the Federal Privacy Act, FERPA, HIPAA, GLB, Matter Subject to State Data Breach Laws, etc. These pieces of information have been defined as classified and there are system requirements to raise our confidence levels.

Read More
Strategy, Info System Security Russell Mickler Strategy, Info System Security Russell Mickler

The 10 Worst Small Business Security Habits

Small businesses are usually pretty bad at managing their information resources. Here's a list of the 10 worst security habits a small business might have concerning the management of its information system.

I recently gave a presentation on this topic to my business networking group, and I wanted to take a few minutes to expand on these issues. I think they're important for everyone - not just small businesses - but, as I consult for a living, these are the kind of problems that I find most prevalent in my line of work. 

I really have no sympathy for business owners or users that fail to attend to these details - ultimately, they are the victims of their own behaviors and inattention to managing the IT problem. After all, it's their job to manage these problems and experts like me can help if they're willing, but, you can't force somebody to do the right thing; they've got to want it for themselves and put in the work. They've got to make it a priority. Still, who I am concerned about are the victims of their inattention (their employees, their customers) whose personal private information is made more vulnerable because of their lack of leadership in these areas.

1. Poor Authentication. 

  • The organization doesn't place an emphasis on using complex passwords on websites, computers, tablets, phones, or other devices;
  • Users in the organization are allowed to generate their own non-complex password, where the user could use a password from their own personal experience, exposing the company;
  • Passwords are used on many services and devices, and aren't unique;
  • The organization doesn't enable features like 2-factor authentication that could help better secure their digital assets;
  • Simply, the organization or individual doesn't take authentication seriously even though most of their digital assets are on mobile devices or available in the Cloud and not protected behind their own firewall. It's an inexcusable lack of attention to a basic problem; they make their authentication mechanism as convenient as possible rather than as secure as possible, and that's why they get hacked. 

2. No Audits, Testing, Quarterly Maintenance.

  • The organization never audits its assets and controls; it wrongly believes that threats never change and that what it did yesterday protects them from tomorrow;
  • Confidence in our safeguards and controls is a process; it's not a set-it-once and walk away issue - we must constantly be looking at our vulnerability and implementing corrective action;
  • If we never audit, test, or maintain our systems, we assume nothing is wrong; it's precisely that assumption and laziness that can be exploited by hackers.

3. No Encryption.

  • Today, with encryption technology so pervasive and available on nearly every microcomputer, application, and (soon) phone, there's no excuse whatsoever not to encrypt everything.

4. Reliance on Role-Based User Accounts.

  • For their convenience, organizations will create accounts in their information system that reflect roles rather than people (example: accounting, invoices, payables, contracts, etc);
  • These accounts exist because the users feel it's easier to always have these functions login rather than people, and when people leave the organization, the matter created under the role remains;
  • One problem with this approach is that the account's credentials never change - as lending to the convenience aspect - thus exposing the company after an employee leaves the firm, but the most significant problem lies in the realm of audits; how can you audit anything in an information system when all it reports is "accounting did this", or, "accounting did that" - we don't know the who behind it, and anyone who knows that account's password is suspect?
  • Role-based account setups is a cheat: it harms the company because there's no system that allows us to prove who did what, when, and how, and it creates a lazy habit for managing user attrition; every user should be uniquely identified at all times.

5. Using Physical Mail.

  • Companies who rely on physical mail to be delivered to an unsecure mailbox invite trouble and fraud - from internal aggressors like employees, or, from external aggressors;
  • Just like consumers, small businesses can be the victim of identity theft, and organizations should do everything in their power to automate payment systems as to reduce all physical mail to what it truly is (junk).

6. No Testing or Verification of Backups.

  • The company presumes their backup processes are working, or, presumes that they have adequate coverage for their recovery objectives (alas, many companies don't even understand what kind of recovery time-frame or data they would need to perform a recovery in the event of a disaster);
  • Instead of making these assumptions, the astute manager would define what kinds of data and system would need to be operable under the auspices of a Disaster Recovery Plan (DRP); defining needs and verifying that systems are in place to meet those needs is just part of good management.

7. No Understanding of Legal Obligations.

  • I'm often shocked at what little understanding business owners have concerning classified forms of information, and their obligations in managing it;
  • There are state and federal laws governing these issues - and the obligation for reporting breach - yet often the small business owner is entirely oblivious;
  • Not only does that threaten the business in the context of negligence and liability, but it's a failure of a social obligation that the business has to safeguard data, which is why there have been laws created to protect it;
  • Ignoring the law or shrugging off their legal obligation because they don't understand something is useless ("ignorance of the law is not a legal defense"), and sentiments like "government intrusion" attempts to dismiss their responsibility; again, I go back to the real victims: the people who do business with them, and, their employees. 

8. No Filtering.

  • Filtration is a defensive tactic to prevent all things from being delivered or seen by users;
  • Basic filtering of email traffic can help reduce spam, phishing, and virus attacks, yet many small businesses are still using standard POP3 or IMAP mail clients without server-side filtering on mail delivery;
  • Meanwhile, web traffic can be easily filtered with free services like OpenDNS, workstation security software, or, commercial services offered by vendors like Sonicwall;
  • No filtering just lets everything in to trusted spaces - rather, proactively, we should select for what we want our organization to see. That's just good management.

9. Leave Laptop/Phone/Tablet Unattended.

  • Aside from not securing these devices with encryption or pass-phrases, users will leave these objects in their car, or, sitting on a table in a restaurant, or with a co-worker, or they leave it sitting at an airport;
  • This inattention stems from the problem of perceived value - some of the biggest, most scary data breaches come from unencrypted laptops being left at an airport, and there just happened to be 10,000 records of payroll data on it; what was the user thinking? Why put that data on an unencrypted, unsecure device anyway? What would happen if that device or USB stick was lost?
  • And the answer is that they weren't thinking of anything other than their convenience and not the real consequences of their actions. Employees should be trained about the value of information, and the costs associated with its potential loss or destruction.

10. No Policies, Procedures, or Work Instructions (No Plan). 

  • Finally, organizations that don't create Administrative Controls (like policies, procedures, or work instructions) governing these issues plan to fail at managing them; management never gave voice to their intention; management never trained its employees on their intention; management never clarified its intention;
  • The legal concept of Due Care obligates managers to understand and to respond to the risks under which their organization operates; if they never investigate those risks and develop, audit, and maintain controls, or communicate their expectations to staff, that's not management at all. It's negligence.

R

 

Read More