Security Breaches: What SMBs can do to prevent and respond?
Today it seems that not a month passes without another major cyber-security breach. On September 7, 2017, Equifax announced that it became the victim of an attack that potentially affected up to 145 million consumers in the United States, up to 44 million consumers in the United Kingdom and 8,000 people in Canada. During the breach, hackers gained access to full names, social security numbers, birth dates, addresses, driver license numbers and over 200,000 credit card numbers.
Many media outlets called the breach the largest in history. As it turned out later, Equifax was the victim of not one, but two attacks. According to Bloomberg, the company started reaching out to its partners to notify them about the first attack as early as March of 2017. The entry point for the second breach was a specific vulnerability for which the developer had released a patch on March 7, 2017, but Equifax failed to apply the update, which is the reason hackers could start an attack two months later. Equifax believes that hackers had access to its data for over two months, from May 13 to July 30, 2017. Security experts claim this vulnerability was not the only issue on the part of Equifax. The flaws included insecure networks, insufficient encryption of customer data and ineffective mechanisms of attack detection.
For small and medium businesses, the fact that a company of the size of Equifax can be so vulnerable means that you simply can’t trust that that parties you do business with handle their cyber-security properly. One of the issues is that even if one of your business partners or prospective business partners had significant issues with cybersecurity in the past, there might be no way to find out about it.
The United States doesn’t have federal laws requiring companies to disclose information about cybersecurity breaches. While some states implemented breach notification laws, others didn’t. This means that legally, for residents and businesses in the United States, the issue is a lottery.
Worldwide, things are not much better. In 2016, Belgian researchers Mathy Vanhoef and Frank Piessens were able to breach the Wi-Fi Protected Access II (WPA2) protocol. The protocol is not specific to any device or manufacturer, software or hardware. It affects all devices and all modern protected Wi-Fi networks worldwide. Depending on the network, hackers may be able to insert their own data or manipulate the data on the network. For example, they could infect websites with ransomware and malware.
Vanhoef and Piessens called their attack KRACK (short for Key Reinstallation Attack). The attack can only occur when a hacker is in a WiFi network range of a victim. The attack cannot be carried over the Internet. Because the vulnerability is in the protocol itself, it affects even the devices and networks with secure protocol implementation policies. Belgian researchers explained in their report that the techniques they used could allow hackers access to information that everybody believed was safe and encrypted such as credit card numbers, pictures, email and chat communications and other sensitive data.
What is the lesson here? Unfortunately, you have to assume that all external networks are hostile. When you do, issues like the KRACK attacks will not become corporate concerns because they are related to external wireless networks, which can be managed or avoided. Below are some measures on how to avoid them, and other steps small and medium-sized business can take to increase their protection.
What Can A Small or Medium-Sized Business Do To Protect Itself?
First, a business needs to have proper cybersecurity policies. An organization needs to apply its policies consistently and provide instructions to employees about how they should be performing their daily activities. A well-written policy will not only help protect your organization from hackers but is also provides liability protection.
Such policies should revolve around three key network security principles: integrity, confidentiality, and accessibility. Depending on the circumstances, one of these principles may be more important than others. In light of recent breaches, confidentiality and integrity of your information should be more important than availability. Your policy should prohibit asset connectivity outside of corporate networks and perhaps, from using Wi-Fi altogether. If that’s not possible, additional security measures exist for employees who must use Wi-Fi, or who work remotely. These can include using a VPN, encrypted email, cloud storage and increasing employee awareness.
According to Associate Professor Mark Gregory from the School of Engineering at RMIT University, an estimated 30% to 50% of devices are not regularly updated, so they lack patches that solve many security issues. These staggering numbers mean that you must always assume devices are not secure and take appropriate measures to protect them as much as possible.
Employees in an organization need to be aware of their responsibilities when it comes to protecting company data, devices, and networks. Employees also need to have proper information on security practices. This should help reduce unauthorized access to an organization’s networks and prevent fraud. The key to all these issues is employee education, which can take a form of seminars, videos, reminders, recognition incentives, and newsletters.
No matter how well you design and secure your technological infrastructure, you will also need to monitor how your employees are using it continually. Frequently, what employees will or will not do depends on the culture of the organization and the education employees receive from the business about technology.
You will first need to design a system that minimizes what your employees can do across the network. This means only giving them access to features they need to do their jobs. For example, viruses and spyware are a big issue for many organizations. You can solve this problem by not allowing employees install any new software. The only way you can keep your information systems secure is if you know what is running on them and who has what level of access.
You can exercise control and enforce the rules in two ways. These are preventive and detective. In turn, each of the strategies has administrative, technical and physical components.
- Preventive enforcement through administration includes creating policies and procedures as discussed above. Once the policies and procedures are in place, employee duties and responsibilities should be covered by employment agreements. Finally, you need to label all sensitive materials and schedule vacations in a way that prevents employees from being able to breach one of your systems.
- Preventive enforcement through technology includes the use of biometric authentication and passwords, encryption of data, constrained user interfaces and limited keypads.
- Preventive physical measures restrict physical access to systems with important information by using security guards, two physically separated doors, fences, and badges.
- Detective administrative enforcement is about sharing of responsibilities, reviews of audit records and awareness of employee behavior. Detective technical controls include intrusion detection systems and violation reports. Physical detective means include video cameras, motion, and thermal sensors.
Ideally, the preventive measures would be enough to prevent future attacks. Unfortunately, since your software and technology constantly change, and your employees will connect to the Internet, your defenses won’t be able to prevent every potential attack. Because of this, you need to have the detective measure in place as well.
Both events described in this article, the Equifax breach, and the KRACK attack, were entirely preventable. Their magnitude is indicative of industry-wide issues, which redefine the scope of external trust. Unfortunately, in this environment implication of distrust is necessary even when you deal with large organizations. SMBs do have the capability to put measures in place to help protect their businesses from attacks, and 3rd party IT security experts can help safeguard your assets and lay out cybersecurity plans and strategies.
You can read more about these Cybersecurity Services at CGS here.