It seems like every few weeks there is a report of another massive data breach at a well-known company. Toyota, Dunkin Donuts, and Walmart are just some of the companies that have reported data breaches of one kind or another this year. What does not get reported publicly, however, are the thousands of data breaches that occur at smaller, less well-known companies: companies like your agency.
As noted in my last blog post, this was the theme of Cash Miller’s presentation at IIAG’s annual convention last month. That theme was also present in a webinar put on by the IIABA Professional Liability department a couple of weeks later in which some eye-opening statistics were cited. According to the presenter, although 90% of small business owners do not think they are at risk of a data breach, 70% of all cyber attacks are made against small businesses. Seventy percent of those attacks go undetected for an average of almost seven months, and 60% of small businesses that are successfully attacked are out of business within six months.
It’s not hard to understand the reasons behind the above statistics. Small businesses, in general, don’t have the time, expertise, or money to devote much attention to cybersecurity. Attackers know that, and many go after this “low-hanging fruit.” However, there are some steps small businesses can take to better protect themselves that don’t involve a significant expenditure of time or money and don’t require a lot of expertise.
Data Breach Protections
Given that 85% of ransomware attacks involve the Remote Desktop Protocol (RDP), agencies should either stop using that protocol for outside access to their computer systems or use it only in conjunction with a Virtual Private Network (VPN). Since 94% of all malware that ends up infecting a small business’s computer system is delivered by phishing emails, an agency needs to train its employees how to spot and deal with such emails. For example, when asked to click on a link in an email, an employee should first hover the mouse pointer over the link. Doing so will reveal the actual internet address to which the employee will be taken if they click on the link. If the address shown in the email and the actual address aren’t identical, or the actual address is unknown to the employee or has an unusual domain name, the employee should not click on the link without further investigation. (Click here for a short video on a typical email phishing attack, which provides seven other tips on how to spot and deal with phishing emails.)
Simple protections for an agency’s computer system include installing anti-virus and other malware protection on every device connected to that system and keeping those protections up to date; updates for most such programs can be downloaded and installed automatically. Implementing two-factor authentication for access, from inside or outside the office, to all the devices on the system is also a good idea. The slight inconvenience this creates for employees is greatly outweighed by the fact that a hacker will not be able to gain access by stealing a password alone. The same authentication requirement should apply to access to the agency’s email system, and to any request to transfer funds or sensitive data. A telephone call to the purported sender of an email or other communication requesting such a transfer, placed to a number already on file rather than one given in the message, is a simple way to verify that the request is legitimate.
In addition, employees should be given access only to those portions of the computer system or agency database that are necessary for them to perform their duties. That way, a hacker who compromises an employee’s credentials can reach only the portions of the system or database that employee could reach. Employees should never be allowed to share access to the agency’s computer or email systems. Each employee should have their own access credentials, which makes it easier to limit their access and, after a breach, to identify how it occurred and whose account was involved.
The same protections should be applied to any sensitive information or processes stored in the cloud. Such information and processes should be treated as if they were on servers in the agency’s office: access to them should require two-factor authentication, and only those employees with a need for such access should be given it, and then only to the portions necessary for the employee to perform their duties. (Click here for an article that contains other suggestions for cloud security.)