The Internet allows businesses to instantly access information, easily communicate externally and internally, and allows employees to work more efficiently by using computer and web-based tools and capabilities. If your business utilizes cloud computing, emails, or website services, it's imperative that cybersecurity is addressed.
Digital information is a high-value target for attackers of all skill levels, and some terrorist groups are beginning to turn their focus towards cyber crime as well. Every business that uses the Internet in some aspect has the responsibility to develop and maintain cybersecurity best practices.
Email has become a critical part of everyday operations, from internal management to direct customer support. The benefits associated with email as a primary business tool far outweigh the negatives. However, organizations must be mindful that a successful email platform starts with basic principles of email security to ensure the privacy and protection of customer and operational information.
1. Set Up a Spam Email Filter
It has been well documented that spam, phishing attempts and other unsolicited and unwelcome email often account for more than 60% of all email that an individual or organization receives. Email is one of the primary delivery channels for viruses and malware, and it is also one of the easiest to defend against. Consider using the email-filtering services that your email service provider offers. An email filter is an important component of a solid antivirus strategy, though not a substitute for endpoint protection and patching.
2. Train Employees on Responsible Email Usage
The last line of defense for all of your cyber risk efforts lies with the employees. Technology alone cannot make an organization secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work, and when to seek the assistance of professionals. Employee awareness training is available in many forms, including printed media, videos and online training. Consider requiring security awareness training for all new employees and refresher courses every year.
3. Protect Sensitive Information Sent Via Email
Emails often include sensitive work-related information. Whether it is information that could harm your business or regulated data, such as personal health information or personally identifiable information, it is important to ensure the information is only sent to and accessed by those who are entitled to see it. Organizations that handle this type of information should consider whether such information should be sent via email at all, or at least use email encryption. Encryption is the process of converting data into an unreadable format to prevent disclosure to unauthorized personnel; only individuals or organizations with access to the decryption key can read the information. Note that message-level encryption generally protects the body and attachments but not the subject line or the sender and recipient addresses, so keep sensitive details out of subject lines. Some cloud services offer secure web-based file transfer portals ("secure drop boxes") for sensitive information, which is often a better approach than email for transferring data between companies or with customers.
4. Develop an Email Usage Policy
Policies are important for setting expectations with employees or users and for developing standards to ensure adherence to your published policies. Your policies should be easy to read, understand, define and enforce. Key areas to address include what the email system should and should not be used for and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use. Depending on operational needs, you may have a need for email monitoring; the rights of the organization and of the user should be documented in the policy as well. The policy should be part of your general end-user awareness training and reviewed for updates on a yearly basis.
Businesses can experience a compromise through the introduction of malicious software, or malware. Malware can make its way onto machines from the Internet, downloads, attachments, email, social media and other platforms. One specific type to be aware of is key-logging malware, which records a user's keystrokes; many businesses have fallen victim to key loggers installed on systems in their environment. Once installed, the malware can record everything typed on a computer, allowing intruders to see passwords, credit card numbers and other confidential data. Keeping security software up to date and patching your computers regularly will make it more difficult for this type of malware to gain a foothold on your network.
Malware is the greatest external threat to most hosts, causing damage and requiring extensive recovery efforts within most organizations. The following are the classic categories of malware:
Virus - A virus self-replicates by inserting copies of itself into host programs or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. Viruses can be divided into the following two subcategories:
Worms - A worm is a self-replicating, self-contained program that usually executes itself without user intervention. Worms are divided into two categories:
Trojan Horses - A Trojan horse is a self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.
Blended Attacks - A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and worms.
Securing your business's network starts with identifying all devices and connections on the network, setting boundaries between your organization's systems and everything else, and enforcing controls at those boundaries so that unauthorized access, misuse or denial-of-service events can be thwarted, or rapidly contained and recovered from if they do occur.
1. Antivirus Software
Antivirus software is the most commonly used technical control for malware threat mitigation. There are many brands of antivirus software, with most providing similar protection through the following recommended capabilities:
2. Secure Internal Network and Cloud Services
Your organization’s network should be separated from the public Internet by strong user authentication mechanisms and policy enforcement systems, such as firewalls and web-filtering proxies. Additional monitoring and security solutions, such as antivirus software and intrusion detection systems, should also be employed to identify and stop malicious code or unauthorized access attempts.
After identifying the boundary points on your organization’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your organization’s public IP addresses, firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services, and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems deployed onto a network’s perimeter should be capable of handling the bandwidth your carrier provides.
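The border-router and firewall rules described above, as an added example that is not part of the original guide: a small Python model of the perimeter policy (route only the organization's own public addresses, drop spoofed and private-range sources, accept new inbound connections only to an allowlist of exposed services, default deny everything else), run over constructed sample traffic. The address ranges (RFC 5737 documentation prefixes), the service list and the packet samples are assumptions; a real deployment expresses the same rules in the router's access lists and the firewall's ruleset.

```python
"""Model of the perimeter policy: route only the organization's own public addresses and
accept new inbound connections only to an allowlist of services.
Added example; addresses (RFC 5737 documentation ranges) and services are constructed."""
import ipaddress
from dataclasses import dataclass

ORG_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]          # assumed: our public block
BOGONS = [ipaddress.ip_network(n) for n in                     # never valid sources on the Internet
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
EXPOSED_SERVICES = {                                           # assumed (host, TCP port) allowlist
    ("203.0.113.10", 80), ("203.0.113.10", 443), ("203.0.113.25", 25),
}


@dataclass(frozen=True)
class Packet:
    direction: str             # "in": arriving from the Internet; "out": leaving the organization
    src: str
    dst: str
    dport: int = 0
    proto: str = "tcp"
    established: bool = False  # belongs to a connection the stateful firewall already accepted


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def decide(pkt):
    """Return (verdict, rule) for one packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        # Border router: packets from the Internet must not claim our own addresses
        # (spoofing) and must be addressed to us (no transit for third parties).
        if _in_any(src, ORG_PUBLIC):
            return "drop", "inbound source spoofs our public range"
        if _in_any(src, BOGONS):
            return "drop", "inbound source is a private/bogon address"
        if not _in_any(dst, ORG_PUBLIC):
            return "drop", "inbound packet not addressed to our public range"
    else:
        # Egress: only our own addresses may leave, so a compromised host cannot spoof
        # others and a misrouted RFC 1918 packet never reaches the carrier.
        if not _in_any(src, ORG_PUBLIC):
            return "drop", "outbound source is not one of our public addresses"
    if pkt.established:
        return "accept", "part of an already accepted connection"
    if pkt.direction == "in":
        # Firewall: new inbound connections only to the minimum set of services.
        if pkt.proto == "tcp" and (str(dst), pkt.dport) in EXPOSED_SERVICES:
            return "accept", "allowlisted public service"
        return "drop", "default deny"
    return "accept", "new outbound connection"


# Constructed traffic sample, one packet per rule of interest.
SAMPLE_TRAFFIC = {
    "web_from_internet":   Packet("in", "198.51.100.7", "203.0.113.10", 443),
    "ssh_from_internet":   Packet("in", "198.51.100.7", "203.0.113.10", 22),
    "spoofed_as_us":       Packet("in", "203.0.113.99", "203.0.113.10", 443),
    "private_source":      Packet("in", "10.0.0.5", "203.0.113.10", 443),
    "transit_attempt":     Packet("in", "198.51.100.7", "198.51.100.8", 443),
    "reply_to_our_client": Packet("in", "198.51.100.7", "203.0.113.50", 51515, established=True),
    "client_browsing":     Packet("out", "203.0.113.50", "198.51.100.7", 443),
    "leaked_rfc1918":      Packet("out", "192.168.1.4", "198.51.100.7", 443),
}


def evaluate(traffic=SAMPLE_TRAFFIC):
    """Run every sample packet through the policy."""
    return {name: decide(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in evaluate().items():
        print(f"{name:22} {verdict:7} {rule}")
```

The order of the checks matters: anti-spoofing and bogon filtering run before the service allowlist, so a packet that forges one of your own addresses is dropped even when it is aimed at a permitted port, and the "established" shortcut only applies to traffic that has already passed the routing sanity checks.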
Carefully review your terms of service with all cloud service providers to ensure your organization's information and activities are protected with the same degree of security that you would intend to provide on your own. Ask your providers for their security documentation and independent audit reports as applicable to your organization's needs and concerns. Review and understand the service level agreements for system restoration and reconstitution time. You should also inquire about additional services a cloud provider can offer, such as backup and restore services and encryption services.
3. Develop Strong Password Policies
Password policies should encourage employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. Use passwords that are random, long (at least 10 characters; a longer passphrase of several unrelated words is both stronger and easier to remember), unique to each account and closely guarded by those who know them. Length matters more than rules about mixing numbers and letters. Be cautious about forcing frequent scheduled changes: users respond with predictable variations of the old password, so it is better to require a change whenever a compromise is known or suspected.
4. Secure and Encrypt Wi-Fi
Organizations may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. It is important that such a WLAN be kept separate from the main company network so traffic from the public network cannot reach the organization's internal systems. Every WLAN, guest or internal, should use WPA2 or WPA3 encryption; open networks and the obsolete WEP protocol offer no meaningful protection. Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while meeting your organization's needs. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN, which in practice means enterprise (802.1X) authentication rather than a single shared passphrase.
New telecommunication technologies may offer countless opportunities for organizations, but they also offer cyber criminals many new ways to victimize your organization, scam customers, and hurt your reputation. Organizations of all sizes should be aware of the most common scams perpetrated online. To protect your organization against online scams, be cautious when visiting web links or opening attachments from unknown senders. Make sure to keep all software updated and monitor credit cards for unauthorized activity.
1. Train Employees to Recognize Social Engineering
Social engineering, of which "pretexting" (inventing a plausible scenario to justify a request) is one common form, is used by many cyber criminals to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because criminals do their best to make their requests look and sound legitimate, which makes it easier to deceive users. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees; for example, social media profiles allow a criminal to assemble details about employees, their roles and their colleagues. Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses.
Many cyber criminals use social engineering tactics to get individuals to voluntarily install malicious software, such as fake antivirus software. Fake antivirus software is designed to steal information by mimicking legitimate security software. Users who are tricked into loading such programs may be handing remote control of their computers to an attacker, unwittingly installing software that steals financial information, or simply being sold a worthless "security" product. The malware can also make system modifications that make it difficult to terminate or remove the program. The presence of pop-ups displaying unusual security warnings and asking for credit card or personal information is the most obvious sign of a fake antivirus infection.
2. Protect Against Online Fraud
Online fraud takes on many guises that can impact everyone, including small organizations and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your organization. Never request personal information or account details through email, social networking or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.
3. Protect Against Phishing
Phishing is the technique used to trick people into thinking they are dealing with a trusted website or other entity. Phishers may impersonate an organization in order to take advantage of unsuspecting customers or to steal employees' online credentials. Attackers often take advantage of emergencies, disasters and current events, such as:
Employee awareness is your best defense against users being tricked into handing over their usernames and passwords to cyber criminals. Employees should never respond to incoming messages requesting private information. If a stranger claims to be from a legitimate organization, verify his or her identity with the stated company, using contact details you look up independently rather than those supplied in the message, before sharing any personal or confidential information.
Employees should never click on a link sent by email from an untrustworthy source. Employees needing to reach a site named in a message from a questionable source should open a browser window and manually type in the site's web address, so that a deceptive link cannot redirect them to a dangerous site. This advice is especially critical for protecting online banking accounts belonging to your organization, since banking credentials are among the most heavily targeted by criminals. If you believe you have revealed sensitive information about your organization, make sure to:
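The advice above is about the gap between what a link appears to be and where it actually goes. As an added example that is not part of the original guide, the following Python script extracts the links from an email body and flags the common tricks: credentials placed before an '@' so the displayed domain is not the real host, raw IP addresses, punycode (homoglyph) domains, anchor text that names one domain while the link targets another, and a trusted brand name buried inside an unrelated domain. The trusted-domain list, the sample message and the two-label "registrable domain" shortcut are assumptions for illustration; production code would consult the Public Suffix List.

```python
"""Scan an email body for links whose destination does not match what the reader sees.
Added example, not from the page; the trusted-domain list and the sample message are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com"}   # assumed: domains the organization really uses

# A hostname-looking token in anchor text ("examplebank.com", "www.examplebank.com/login").
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; a stand-in for a Public Suffix List lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text):
    """Return the reasons one link looks deceptive; an empty list means nothing was found."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # https://examplebank.com@evil.example/ -- the browser goes to evil.example
        reasons.append("credentials before '@' disguise the real host")
    if _is_ip(host):
        reasons.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph of a real domain)")
    target = host if _is_ip(host) else registrable(host)
    shown = _HOST_RE.search(text)
    if shown and registrable(shown.group(1)) != target:
        reasons.append(f"text shows {registrable(shown.group(1))} but link goes to {target}")
    if target not in TRUSTED_DOMAINS:
        for brand in TRUSTED_DOMAINS:
            if brand.split(".")[0] in host:        # "examplebank" buried in another domain
                reasons.append(f"lookalike of {brand}")
    return reasons


def scan_html(body):
    """Return [(href, text, reasons)] for every link that tripped at least one check."""
    collector = _LinkCollector()
    collector.feed(body)
    return [(href, text, analyze_link(href, text))
            for href, text in collector.links if analyze_link(href, text)]


# Constructed phishing sample: three deceptive links and one legitimate one.
SAMPLE_EMAIL = """<p>Dear customer, your account is on hold.</p>
<p>Please <a href="https://examplebank.com@203.0.113.5/login">sign in at examplebank.com</a> within 24 hours.</p>
<p>Or verify at <a href="https://examplebank.com.account-verify.example/">https://www.examplebank.com</a>.</p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">Help Center</a>.</p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run on the sample, the script flags the first, second and last links and leaves the genuine Help Center link alone. The same checks are what a user performs mentally when hovering over a link, which is why the guide recommends typing the address by hand instead.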
Website security is more important than ever. Web servers, which host the data and other content made available to your customers on the Internet, are often the most targeted and attacked components of a network. Cyber intruders are constantly looking for improperly secured websites to attack, while many customers say website security is a top consideration when they choose to shop online. As a result, it is essential to secure servers and the network infrastructure that supports them. Consequences of a security breach are significant, such as situations of loss of revenues, damage to credibility, legal liability and loss of customer trust. The following are examples of specific security threats to web servers:
1. Implement Appropriate Security Management Practices and Controls when Maintaining and Operating a Secure Web Server
Appropriate management practices are essential to operating and maintaining a secure web server. Security practices include the identification of your information system assets and the implementation of policies and guidelines to help ensure the confidentiality, integrity and availability of information system resources. The following practices and controls are recommended:
2. Ensure Web Server Operating Systems Meet Organizational Security Requirements
The first step in securing a web server is securing the underlying operating system. Most commonly available web servers run on a general-purpose operating system, and many security issues can be avoided if that operating system is configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization's security needs, each web server administrator must configure new servers to reflect their organization's security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can help administrators secure systems consistently and efficiently. Initially securing an operating system generally includes the following steps:
3. Ensure the Web Server Application Meets Organizational Security Requirements
The secure installation and configuration of the web server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of web server services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services or scripts, they should be removed immediately after the installation process concludes. Securing the web server application generally includes the following steps:
4. Ensure Only Appropriate Content is Published on Your Website
Websites are often one of the first places cyber criminals search for valuable information. Still, many organizations lack a web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published, or at least should be carefully examined and reviewed before being published on a public website, include:
5. Take Appropriate Steps to Protect Web Content from Unauthorized Access or Modification
Although information available on public websites is intended to be public, it is still important to ensure that it cannot be modified without authorization. Users of such information rely on its integrity even if the information is not confidential. Content on publicly accessible web servers is inherently more exposed than information that is unreachable from the Internet, so businesses need to protect public web content through the appropriate configuration of web server resource controls, such as file ownership and permissions that prevent the web server process itself from altering the content it serves. Examples of resource control practices include:
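One concrete resource control is file-system permissions: the account the web server runs as should be able to read the content but never write it, and nothing under the web root should be writable by everyone or be a symlink that could point outside it. As an added example that is not part of the original guide, the following Python script audits a web root for those conditions. It builds a constructed sample tree in a temporary directory (a world-writable upload folder and a group-writable config file beside correctly deployed read-only files); the assumed policy, the stand-in web server uid and the shared-group scenario are illustrative assumptions.

```python
"""Audit a web root for content the web server process (or anyone) could modify.
Added example, not from the page; the directory tree it inspects is constructed in a temp dir."""
import os
import stat
import tempfile


def audit_web_root(root, server_uid, server_gid):
    """Return sorted (relative_path, problem) pairs for every entry under root that violates
    the resource-control policy assumed here: content is deployed by a separate account, the
    web server's own uid/gid never has write access, nothing is world-writable, and symlinks
    (which can point outside the web root) are not allowed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)            # lstat: examine a link itself, not its target
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                findings.append((rel, "symlink inside web root"))
                continue
            if st.st_uid == server_uid:
                findings.append((rel, "owned by the web server account"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_gid == server_gid and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable by the web server group"))
    return sorted(findings)


def build_sample_root():
    """Constructed web root with two common mistakes (a 777 upload directory and a
    group-writable config file) next to correctly deployed read-only content."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)

    def add(rel, mode, directory=False):
        path = os.path.join(root, rel)
        if directory:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("sample content\n")
        os.chmod(path, mode)              # explicit mode, independent of the umask

    add("css", 0o755, directory=True)
    add("uploads", 0o777, directory=True)       # anyone on the host can drop files here
    add("index.html", 0o644)
    add("css/site.css", 0o644)
    add("uploads/avatar.png", 0o666)            # any local account can replace the image
    add("config.php", 0o664)                    # writable by the group the server runs in
    return root


def run_demo():
    """Audit the constructed tree under assumed identities and return the findings."""
    root = build_sample_root()
    # Assumed identities: content was deployed by the current user; the web server is a
    # different account (stand-in uid) that shares the files' group, the common mistake
    # of adding the service account to the developers' group.
    server_uid = os.getuid() + 1
    server_gid = os.stat(os.path.join(root, "config.php")).st_gid
    return audit_web_root(root, server_uid, server_gid)


if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"{rel:20} {problem}")
```

Two design points: the audit uses lstat so that a symlink is reported rather than silently followed, and a world-writable entry is reported once as world-writable rather than also as group-writable, so each finding names the most serious problem with that path. Directories that must accept uploads should live outside the served tree or be mounted so that the server cannot execute what it writes there.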
6. Employ Network Infrastructure to Help Protect Public Web Servers
The network infrastructure (firewalls, routers, intrusion detection systems) that supports the web server plays a critical security role. In most configurations, the network infrastructure will be the first line of defense between a public web server and the Internet. Network design alone, though, cannot protect a web server. The frequency, sophistication and variety of web server attacks perpetrated today support the idea that web server security must be implemented through layered and diverse protection mechanisms, an approach referred to as "defense in depth."
7. Commit to an Ongoing Process of Maintaining Web Server Security
Maintaining a secure web server requires constant effort, resources and vigilance. Securely administering a web server on a daily basis is essential. Maintaining the security of a web server will usually involve the following steps: