Protecting Your Information Online


As our lives become increasingly entangled in the digital world, we face many challenges and risks in protecting our personal information. Data breaches, identity theft, phishing, malware, and other cyberattacks are common threats that can compromise the privacy and security of our data. We all need to be aware of the best practices and tools that can help us safeguard our information online.

Below are several of the best practices that you can follow to protect your information online:

Use strong and unique passwords for different accounts and devices. A strong password should be at least twelve characters long, include a mix of letters, numbers, and symbols, and avoid common words or phrases. Do not reuse a password across accounts or devices: once one site leaks it, attackers try the same e-mail-and-password pair everywhere else, so every account that shares it falls at once.

Use two-factor authentication (2FA) whenever possible. 2FA requires a second, independent proof of identity in addition to the password, such as a one-time code from an authenticator app or sent to your phone, a hardware security key, or a biometric scan. (Security questions are just more things you know, so they do not count as a second factor.) 2FA can prevent unauthorized access even if the password is compromised or stolen. Codes delivered by SMS or e-mail are the weakest option because they can be intercepted or phished, so prefer an authenticator app or a security key where the service offers one.

Be careful about what you share online and who you share it with. Avoid posting or sending sensitive information, such as personal details, financial information, or photos, on social media platforms, messaging apps, or e-mail. You should also check the privacy settings and permissions of the apps and websites you use and limit the amount of data they collect or share with third parties. Set apps to share information only with friends, turn off tracking, and limit apps' access to location data where possible.

Consider using a VPN (Virtual Private Network). A VPN app on your tablet, computer, or phone encrypts your traffic between the device and the VPN provider's server, so anyone on the local network (for example, on public Wi-Fi) sees only an encrypted stream, and websites see the VPN server's address rather than yours. It does not make you anonymous: the VPN provider can see your traffic, and sites still track you through cookies and logins, so choose a provider you trust. A VPN is most useful for protecting your privacy on public Wi-Fi networks.

Keep your applications, web browsers, and devices updated. Set applications on your tablet, phone, or computer to update automatically, and also check for updates manually on a regular basis (at least monthly). This includes the device's operating system, web browsers, and any other apps that connect online. Updates do more than fix bugs and add features; they carry the security patches for vulnerabilities that attackers are actively exploiting, so a missed update leaves you exposed.

Reject cookies and other trackers when possible. Websites now ask, or allow you to set, which cookies and trackers you will accept. Take advantage of this to reduce the information you share with sites. You can also set your web browser to block third-party cookies and trackers. Browsers can additionally send a "Do Not Track" request to each site; this is only a request, not a block, and not all sites honor it, but it costs nothing to turn on. To find the tracking-prevention settings in your browser, search for "tracking prevention" together with the name of your browser (Chrome, Firefox, Edge, Safari, or another).

Install antivirus software. Antivirus software (AV) can detect, quarantine, and/or delete threats that may exploit your systems or devices. AV can also warn about malicious websites, and many products bundle other services such as a VPN or scanning for your information on sites that sell stolen data on the dark web. Keep the AV itself updated; it only recognizes threats it has signatures or behavior rules for.

Avoid clicking on suspicious links or attachments in e-mails or messages. Be wary of phishing e-mails or messages that try to trick you into revealing personal information or downloading malicious software. Phishing messages may appear to come from legitimate sources, such as banks, government agencies, or online services, but they often contain spelling errors, grammatical mistakes, or urgent requests (though a well-crafted phishing message may have none of these). Always verify the sender's identity and the authenticity of the link or attachment before clicking on it by contacting the sender through an alternate means. Do not reply directly to the message; look up the sender's contact details in your own contact list or on the company's website.

Consider purchasing identity theft insurance. In today’s environment, it is not a question of if your data will be involved in a data breach but when it will happen. You can purchase identity theft insurance through the same companies that sell your car or homeowners insurance. You can also purchase it through other companies like LifeLock or other Antivirus providers. While it does not protect you from the breach, it will help you recover your identity should your information be used to steal your identity or create loans or large purchases in your name.

Get your free credit reports and consider subscribing to a credit monitoring service. You can get your credit report from each of the three credit bureaus, Experian, Equifax, and TransUnion, for free at AnnualCreditReport.com by filling out a request; do this at least yearly. You may also want to consider subscribing to a monitoring service from one of these bureaus, which alerts you when your credit report changes. A credit freeze (lock), which prevents anyone from opening a new line of credit in your name, and a fraud alert can be set with each bureau for free and do not require a subscription.

Part Three: Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Part 1 of this blog described the risks posed to micro businesses and similar-sized nonprofits by a cyberattack. Part 2 outlined a three-step approach to developing a cybersecurity plan for your organization, starting with identifying the organization's mission-critical assets and protected third-party data and assessing the organization's risk level. This part concludes by describing the core elements of an effective cybersecurity plan.

Step Three – Implement a Cybersecurity Plan

The final step of a cybersecurity strategy for your organization is to implement a cybersecurity plan. The specifics of the plan will vary, depending on the outcome of the first two steps discussed in Part 2. However, every organization will find that its plan must be applied consistently over the long term to afford maximum protection, and every plan should focus both on preventing a successful cyberattack and on mitigating its consequences. Finally, the most effective cybersecurity plans recognize that aggressive use of available security technology must be balanced and supplemented with ongoing training.

Password Protection & Data Management

Multifactor Authentication

One of the most obvious risks to your organization is unauthorized use of a password to gain access to your LAN, website, e-mail or internet-connected devices. As discussed in Part 1, most cybercriminals need access to your network to steal or corrupt your organization's data or software applications. While this is changing, network access is still most often gained by supplying the correct password, and if the password is stolen, compromised, easily guessed, or left in an unsecure location, your organization is vulnerable.

You can reduce some of these risks by using long, randomly generated passwords, never using the same password for multiple websites, keeping passwords in a password vault (manager), and changing any password promptly when you suspect it has been exposed. (Forcing everyone to change passwords on a fixed schedule is no longer recommended by NIST's password guidance; it tends to produce weaker, predictable passwords.) However, a more effective step is to require multifactor authentication for all devices and accounts that access your organization's website or local area network (LAN).
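As an added illustration of the password advice in this paragraph and in the first post above, the following Python is example code written for this page, not part of the original blog. It generates passwords from the operating system's cryptographic random source and computes how much guessing resistance (entropy) a given length and alphabet buys; the 94-symbol alphabet and the twelve-character minimum are taken from the page's own advice, and the function names are my own.

```python
import math
import secrets
import string

# Character classes the page's advice calls for: letters, digits and symbols.
LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation,
)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 32 = 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from `alphabet_size`.

    Composition rules add nothing here; length and randomness are what cost an attacker guesses.
    Twelve symbols from 94 is about 78.7 bits; eight symbols is only about 52 bits.
    """
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The page's rule: at least twelve characters with a letter, a digit and a symbol."""
    return (
        len(password) >= min_length
        and any(c in LOWER + UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a uniformly random password that satisfies meets_policy().

    `secrets` uses the OS CSPRNG; the `random` module is predictable and must not be used
    for anything secret. Rejection sampling (draw, then retry if a class is missing) keeps
    the result uniform over all acceptable passwords, unlike "pick one of each class, then
    shuffle", which biases the first few positions.
    """
    if length < 12:
        raise ValueError("the page's minimum is twelve characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password(), f"({entropy_bits(16, len(ALPHABET)):.1f} bits)")
```

Generate once and store the result in a password manager; the point of the entropy figure is that a sixteen-character random password (about 105 bits) is out of reach of brute force regardless of which symbols it happens to contain.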

Multifactor authentication requires both a password and a correct response to a challenge sent to a second device, usually a smartphone running an authenticator app, that was previously registered to the person seeking access. Even if the password is stolen, the organization's LAN or website cannot be accessed unless the attacker also controls that second device. Multifactor authentication is available for all major e-mail and network services, and it has become a standard feature of business and government network security. It is not a substitute for good passwords: easily guessed passwords (e.g., "password", "password123", "12345") and an unsecured second device (an unlocked phone or laptop) weaken it, and a one-time code typed into a phishing page can be relayed to the real site in real time, so never enter a code on a page you reached from a link in a message.

Multiple levels of security within the organization and data encryption

A second method to strengthen cybersecurity is to require additional levels of access control (a separate login or a restricted share) within the organization's LAN for sensitive personally identifiable information (PII) or mission-critical data. This is likely to become more important as the organization expands and adds employees, volunteers or contractors. Examples of data that might require an additional level of security include employee social security numbers, customer bank or financial account information, and health records. Requiring a second level of password protection for this information is the "digital equivalent" of locking a filing cabinet or desk drawer to discourage intentional or inadvertent access to information that should be limited to a specific group within your organization.

An additional step, particularly if your organization holds protected PII or financial information, is to encrypt sensitive data kept on the organization's local devices or in the cloud. Common e-mail services and most operating systems and cloud storage products offer the option of encrypting files, folders, or an entire hard drive (the built-in full-disk encryption in Windows and macOS, BitLocker and FileVault, is a good baseline for laptops). Of course, encryption protects the data only as long as the password or encryption key that decrypts it is itself protected: a key stored next to the data, or a weak passphrase, gives little real protection, and a lost key means the data is gone, so record recovery keys and keep them separately from the devices.

Screen locks and time outs

Laptops, desktops, smartphones and other devices all have an option to "lock" the device after it has been left unattended for a few minutes. Particularly for mobile devices, or for any device used by individuals working in an open office environment, enabling this feature is a simple and highly effective way to guard against unauthorized access to the device.

Minimize and reduce access points to sensitive data.

This might seem obvious, but all things being equal, the more places you store sensitive personal data, the greater the likelihood that it will be accessed and compromised in a cyberattack. Having at least one off-site backup of the organization's critical data and software should be part of an effective overall cybersecurity plan. Yet because automatic cloud backups of e-mail and computer drives (Google Drive, Apple's iCloud Drive, Microsoft OneDrive, and many others) are so popular, it is common to find that some of the organization's data has ended up in several locations without anyone deciding that it should. Multiple storage sites complicate the cybersecurity plan and add the burden of securing, and later cleaning up, every place where sensitive PII lives. As you develop your plan, consider whether the benefit of storing data, particularly sensitive PII, in multiple locations is worth the risk. Cloud storage is relatively secure, but each copy is only as safe as the credentials that unlock it: a password alone in the worst case, a password plus multifactor authentication at best.

A related point that should be considered is whether your organization is only keeping the sensitive PII that it actually needs. Storing multiple backups that are not regularly monitored, particularly on multiple local devices such as desktop and laptop hard drives can greatly complicate efforts to properly handle sensitive data. For this reason, when you are assessing the need for multiple backup storage for the sensitive PII your organization keeps, you should also develop strategies and procedures for periodically reviewing that data to determine if it can be deleted when no longer needed. 

Promptly Update Software and Applications

No application or software is "hack proof." Over time, cybercriminals find new ways to break into and plant malware in even the most carefully constructed software; it is a continual cat-and-mouse game between software developers and attackers. Reputable software companies therefore work to identify vulnerabilities in their products and issue updates (security patches) to eliminate them. Those patches work only if they are promptly installed on every connected device that accesses your network, so a critical part of every good cybersecurity plan is to install security patches as soon as they become available. Most software and applications on computers and smartphones offer an option either to update automatically or at least to notify you when an update is available. Generally, these options should be enabled.

Web-traffic Encryption – Virtual Private Networks

Information (data) travels over the internet by wire (ethernet or fiber-optic cable) and wirelessly (through your Wi-Fi router or a smartphone hotspot). Most web traffic today is encrypted before transmission, but on public networks, and with websites that do not encrypt, anyone on the same network can intercept and read the communication. CISA, the federal government's cybersecurity agency, has downplayed the risk of this type of attack; however, one study conducted in late 2016 found that 28% of public Wi-Fi "hotspots" (at airports, coffee shops, etc.) were unsecured.

So how do you tell whether your connection to a website is encrypted? Look at the address bar of your web browser. If the address begins with "https", the data is being encrypted between your browser and the site, and the browser has verified the site's certificate. If it begins with "http", the data is not encrypted and can be read by anyone on the path unless you take additional steps; most browsers now flag such pages as "Not secure". As a matter of good practice, avoid sending anything sensitive to http sites, particularly if you have not added the second layer of encryption discussed next.

Using only https sites greatly reduces the risk of interception on wireless networks, but it is not foolproof. Even a site that supports https can be downgraded by an attacker on the network path through a technique known as SSL stripping: the attacker intercepts your first, unencrypted http request (or rewrites the links on a page it relays) so that your browser keeps talking http while the attacker talks https to the real site, reading everything in between. Browsers counter this with HTTP Strict Transport Security (HSTS), which remembers that a site must only be reached over https, and with an "HTTPS-only" mode that refuses plain http; enable the latter if your browser offers it.
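To make the SSL-stripping description concrete, here is an added Python example (not from the original post) that models both sides: the link rewriting a stripping proxy performs on a page it relays, and the HSTS bookkeeping a browser keeps (RFC 6797) that upgrades later http URLs to https before any request leaves the machine. The host names, header values and class names are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def strip_https_links(html: str) -> str:
    """What an SSL-stripping proxy does to a page it relays over plain http:
    every https link becomes http, so the victim never leaves the attacker-readable channel."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(header_value: str) -> Tuple[Optional[int], bool]:
    """Return (max-age seconds or None, includeSubDomains) from a Strict-Transport-Security header."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
        elif name.lower() == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


class HstsPolicy:
    """Minimal model of a browser's HSTS list: once a host has been seen over https with an
    HSTS header, later http URLs for that host are rewritten to https before any request is sent,
    so a stripper on the path never gets a plaintext request to intercept."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry time, includeSubDomains)

    def record(self, url: str, headers: Dict[str, str], now: float) -> None:
        """Remember an HSTS header. It is only honoured when it arrived over https; an attacker
        relaying plain http cannot plant one (header key assumed exact-case here)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None or parts.hostname is None:
            return
        max_age, subs = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self._hosts.pop(parts.hostname, None)
            return
        self._hosts[parts.hostname] = (now + max_age, subs)

    def _covered(self, host: Optional[str], now: float) -> bool:
        if host is None:
            return False
        for known, (expiry, subs) in self._hosts.items():
            if expiry <= now:
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def resolve(self, url: str, now: float) -> str:
        """The URL the browser will actually request: http is upgraded for covered hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The gap HSTS cannot close is the very first visit to a site the browser has never seen over https; that is why browsers ship a preloaded list of hosts and why an "HTTPS-only" mode, which treats every host as covered, is the stronger setting.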

For this reason, if your organization relies on wireless networks or if you and others often work remotely using public Wi-Fi, you may want to consider using virtual private network (VPN) software. VPN software can run on a single local computer, a LAN, or on a digitally connected device such as a tablet or smartphone. Once installed and activated, most VPN software offers two additional levels of protection for internet access.

First, it masks your device's originating (IP) address and hides your destinations from the local network. Your traffic is encrypted and sent from your device, through your ISP, to the VPN provider's server, which then forwards it to the destination website; the website sees the VPN server's address, and the local network sees only a connection to the VPN server. For many users this is the most important feature, because it makes it harder for websites, the local network operator, or government entities to tie browsing activity to you.

Second, the link between you and the VPN provider is encrypted. Even if an attacker on the local network manages to strip https from a site, they see only the VPN's encrypted tunnel. No technology is immune to attack, but a VPN from a reputable provider is a relatively inexpensive way to guard against this kind of eavesdropping. Note the trade-off: the VPN provider itself can see any traffic that is not separately protected by https, so you are moving your trust from the coffee shop's network to the VPN company.

If you decide a VPN is worthwhile, a number of companies offer VPN services, and it is important to pick one that meets your needs. Review articles that evaluate VPN providers, but keep in mind that many focus on privacy (the first advantage above) rather than your organization's objective, defeating an attacker's attempt to intercept and read data in transit. For your organization the practical concerns are the provider's trustworthiness and logging policy, since all of your internet traffic will pass through its servers, and the number, speed and capacity of those servers, because a provider without sufficient capacity will noticeably reduce the speed and reliability of your connection.

Addressing “Human” Vulnerabilities

It would be nice if you could protect your organization from cybercrooks just by buying additional software. Unfortunately, relying on software at best is just half the solution. The other half is dealing with the “human” side of cybersecurity. The reason is simple: even the most robust software technology can be defeated or rendered useless by bad actors inside the organization, by failing to properly use the cybersecurity software tools that are available, or simply a failure to recognize a cybersecurity attack. This section focuses on ideas for reducing your organization’s human vulnerabilities to a cyberattack.

Background checks for those who access the network.

Obviously, you want your organization to grow and become more successful, but as that happens it becomes more important to know who has access to your connected devices and data. A good cybersecurity plan should include a set procedure that includes conducting background checks on all prospective employees. This should include criminal record checks, credit checks, as well as verification of employment and education. Even if you are the only “employee” in the organization, the same considerations apply to others such as vendors, customers or volunteers who have access to your organization’s network.  Of course your background check may not be as extensive as what you would use if you were evaluating a person for employment, but depending on the nature of the contact, the role the individual or entity will play, and the level of access to your organization’s data, you will want to know enough about the individual’s background to feel reasonably certain they will not put the organization’s data or its connected devices at risk of a cyberattack.

Implement  cybersecurity policies and procedures.

Even if you are a sole proprietor or the "staff of one" in a local nonprofit, it is important to consider and implement common-sense policies and procedures to minimize the risk that your organization will fall victim to a cyberattack. Items to consider include:

  • Set a schedule to regularly check all critical software for security patches, and install critical patches immediately when a software provider notifies you.
  • Adopt a policy requiring long, unique passwords (ideally generated and stored by a password manager), and change a password promptly whenever it may have been exposed.
  • Do not install personal software or personal e-mail on any computer or device connected to the organization's network.
  • Do not use the organization's e-mail address for personal communications.
  • Enable password-protected screen locks on all of the organization's desktops, laptops and tablets.

Admittedly not all of these policies will be popular, and like many things in life, you may decide that the level of risk your organization faces does not justify implementing some of them. That of course is up to you as leader of the organization. However, before making any final decision, consider whether some or all of these steps may be mandated by clients, customers or suppliers with whom you are dealing.

Educate yourself and everyone who has access to the organization’s digital resources.

Hopefully one of the things you have learned from this blog is that the cyberattacks on businesses, organizations and government have continued to evolve to counter efforts to make software and networks less prone to attack. This will certainly continue. For that reason it is important that you commit to remain up to date on evolving cyber security risks. Fortunately there are a number of resources available to assist in that task. Two are listed below:

You also should consider ongoing training and reminders for employees or others who regularly access your network. Here you might want to use resources developed specifically for that purpose:

Develop a Cyberattack Recovery Plan

You may find this part discouraging. After all, if you have taken all of the previous steps to protect your organization from a cyberattack, it is sobering to think that you still aren't protected. Of course, that's not quite true: by implementing the previous steps you will have made it much more difficult for a cybercrook to access or disable your network or steal data. However, just as the best physical security and alarm systems don't provide 100% protection against theft or loss, even the best cybersecurity strategies can be, and are, defeated every day. Just as you plan for that reality with your physical assets, it's important to consider how to deal with a successful cyberattack as well. Here are three ideas you should consider.

Offsite Secure Backups

Earlier, in developing your cybersecurity plan, you identified the "critical" data and applications needed to operate your organization. As part of your plan, you need to arrange for these critical items to be regularly backed up and securely stored in a safe location. How often you back up will vary, but data added after the last backup will likely not be recoverable, so it may make sense to back up daily or at least weekly.

Nearly all major software providers offer the ability to back up data to remote cloud-based servers. Many can do so automatically on an hourly, daily or weekly schedule and keep earlier versions of the backup. That last feature matters if an infected file, or ransomware, reached your network before your last backup: you can restore the version from before the infection. Keep at least one backup that cannot be reached with the everyday credentials used on the network; ransomware that can open a mapped drive or a synced cloud folder will encrypt the backup along with the originals. Finally, automatic backups can silently stop working, so your plan should include periodically checking that backups are actually being produced and that files can be restored from them.
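To give the closing point a concrete form, the following Python is an added example (not the blog's own tooling) of a backup job that writes a dated archive with a detached SHA-256 checksum, and a verifier that checks the three things the paragraph says to check: the backup is recent, it has not been altered, and it actually restores. Paths, names and thresholds are assumptions for the example; a real job would then copy the archive and checksum off-site under a separate account.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_dir, now: Optional[float] = None) -> Path:
    """Write backup-<UTC timestamp>.tar.gz of `source_dir` plus a detached .sha256 checksum file."""
    now = time.time() if now is None else now
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    archive = Path(backup_dir) / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    Path(f"{archive}.sha256").write_text(sha256_of(archive))
    return archive


def _safe_member(member: tarfile.TarInfo) -> bool:
    """Reject absolute paths, '..' components and links, so a tampered archive
    cannot write outside the restore directory when it is extracted."""
    name = Path(member.name)
    return (not name.is_absolute() and ".." not in name.parts
            and not (member.issym() or member.islnk()))


def verify_backup(archive, max_age_seconds: float, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means fresh, intact and restorable."""
    now = time.time() if now is None else now
    archive = Path(archive)
    problems: List[str] = []
    if not archive.is_file():
        return ["archive missing"]
    if now - archive.stat().st_mtime > max_age_seconds:
        problems.append("archive older than allowed")
    checksum_file = Path(f"{archive}.sha256")
    if not checksum_file.is_file() or checksum_file.read_text().strip() != sha256_of(archive):
        problems.append("checksum mismatch or missing")
        return problems  # no point restoring an archive we cannot trust
    # Test restore into a scratch directory; newer Pythons also apply the 'data' extraction filter.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as restore_dir, tarfile.open(archive, "r:gz") as tar:
            members = tar.getmembers()
            if not all(_safe_member(m) for m in members):
                problems.append("archive contains unsafe paths")
            else:
                tar.extractall(restore_dir, members=members, **extract_kwargs)
                if not any(m.isfile() for m in members):
                    problems.append("archive restored no files")
    except (tarfile.TarError, OSError) as exc:
        problems.append(f"restore failed: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed demo: back up a scratch folder and check it at once.
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        (Path(src) / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        archive = make_backup(src, dst)
        print(archive.name, "problems:", verify_backup(archive, max_age_seconds=86400))
```

Run the verifier on a schedule from a machine other than the one that made the backup, and treat any non-empty result as an incident: a backup that no one has restored from is a hope, not a plan.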

Develop a strategy to notify third parties of a cyberattack.     

This step is most relevant for organizations that maintain sensitive PII (described earlier in Part 2), that have an ethical obligation (such as an attorney) to maintain confidentiality of client data, or that have entered into a contract to maintain the confidentiality of third-party data. Organizations in these situations need to consider and include in their plan, a procedure to document and update where third-party data is stored, and a method to easily identify businesses or individuals that need to receive notice of a cyberattack.

Consider cybersecurity insurance.

It’s probably apparent at this point that a successful cyberattack might be an expensive proposition for your organization, not only from lost revenue but from third party claims for collateral damages as well. You likely insure against the risk of loss of your organization’s physical assets, so it may occur to you that insurance against losses from a cyberattack might be a good idea as well.

Many companies offer insurance for some of the losses incurred in a cyberattack, and for some organizations it can be part of a comprehensive cybersecurity plan. However, cybersecurity insurance is not appropriate for every organization, and as part of preparing your plan you should weigh the pros and cons carefully before purchasing a policy.

Cybersecurity insurance generally will insure your organization against some losses arising from interruptions to normal operations, the cost of notifying third parties of cybersecurity attacks, and the cost of defending lawsuits from third parties for damages arising from the event. However, these policies typically will not insure against losses arising from damage occurring from criminal activities by your employees or for the loss of physical or intellectual property resulting from a cyberattack. 

You can begin determining whether cybersecurity insurance is right for your organization by talking with your insurance agent. Generally organizations that store significant amounts of third-party personal information and those most at risk from business or operational interruption in the event their network is compromised, will find cybersecurity insurance to be most useful.  However, cybersecurity insurance is NOT a substitute for a good cybersecurity plan. Be aware that if you decide to purchase a policy, you can expect the insurance provider to demand that you institute the policies and procedures outlined in this blog as a condition for providing coverage. In other words, cybersecurity insurance provides an additional level of financial protection, but only after you have implemented a good cybersecurity plan.

Cybersecurity – Is It Worth the Effort?

These three blogs have outlined the risks to your organization from a cyberattack and the steps you should take to implement a cybersecurity plan to defend against one. Operating a business or nonprofit on a shoestring budget is extremely challenging and requires leaders to constantly set priorities and make trade-offs. Success often depends on not letting "perfect be the enemy of good enough," and the amount of time and effort organizations need to put into their cybersecurity plan will vary. However, it is not an exaggeration to say that every organization needs to do something. You can confirm that by simply imagining how your organization would operate if your network, records, computers and even your phone all stopped working. Unfortunately, even for very small organizations the risk of an attack is significant, and the consequences of being unprepared are likely to be catastrophic. While it is not possible to completely secure your digital assets, the steps outlined here can significantly reduce that risk and mitigate the damage in the event of a successful attack. For that reason, even for the smallest business or nonprofit, it's worth the effort to implement an appropriate cybersecurity plan.

Part Two: Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Part One of this Blog explained the risks your organization faces from a cyberattack, describing the most common objectives and the primary ways cybercrooks attack microbusinesses and similarly sized nonprofits. You learned that successful cyberattacks often involve tactics that are designed to deceive, along with sophisticated malicious software, and that potentially any device that connects to the internet, or to your local area network (LAN) could be an entry point for a cyberattack.

While the risks posed to your organization by cybercrooks are real, and no solution will be 100% effective, there are several things you can do to greatly limit the risk posed by cyberattacks. The objective of this blog and the next one is to describe a strategy you can use to secure your organization against a cyberattack, and help you mitigate the damage done even if an attack is successful.

There are many good educational resources available online that provide specific guidance on how to spot a cyberattack, and more are being developed all the time. Examples include the resources offered by the U.S. Small Business Administration, the Federal Communications Commission and the Missouri Cyber Security Office, as well as commercial software providers such as Microsoft. In addition, resources published by the PCI Security Standards Council, the organization that sets the standards for securing credit and debit card payment processing, can help you reduce this significant area of risk for many microbusinesses and nonprofits.

These tools and resources are essential to a comprehensive cybersecurity strategy, but using them effectively requires a strategy tailored to your organization's particular vulnerabilities. The next two parts describe one process you can follow to develop such a strategy, so that you can apply the available tools and resources where they address your organization's actual risks.

Part 2 – Developing a Cybersecurity Plan for Your Organization – Beginning the Process

Given the number of cybercrooks out there, and the many strategies used to carry out an attack, the task of securing your organization may seem daunting, and it is easy to become overwhelmed. One way to keep yourself on track, is to break down the plan for securing your organization into three steps: Identify Critical Data; Assess Your Risk Level; and finally, Implement an Ongoing Cybersecurity Strategy.

Part 2 of this blog addresses how to identify your organization's critical data and assess your primary risks and vulnerability to a cyberattack. Part 3 will discuss how to use this information to implement an effective cybersecurity plan tailored to your organization.

Step one – Identify Critical Data

This step may seem unnecessary, but overlooking it could sabotage your efforts to create an effective plan or cause you to spend far more time than is warranted on issues that do not constitute a substantial threat to the organization. The reason is simple: to mount an effective defense against a cyberattack, you must first know what data and applications need to be secured. For this reason, your first step in developing an effective cybersecurity plan is to evaluate your situation by asking two questions. First, what data and software are "mission critical" to the organization? Second, what "third-party data" do we store and retain that must be protected? Taking this step is critical because leaders of microbusinesses and similarly sized nonprofits simply do not have the luxury of unlimited staff and resources. They must focus their cybersecurity efforts on what is most important in their unique situation.

Identify “Mission Critical” Information and Software Applications

Identifying what is “mission critical” to your organization requires a little bit of imagination, as well as some investigation. A good way to start is to imagine what would happen if you discovered one morning that your entire organization had been subject to a successful ransomware attack. You have just grabbed a cup of coffee, turned on your desktop or laptop, and were faced with this screen: 

This Photo by Unknown Author is licensed under CC BY-NC-ND

You open your smartphone and tablet and find that they have the same message! This means you can’t access your documents, such as Word and Excel Templates, customer lists, records and forms. Access to everything saved to a computer or stored online has been blocked. You really panic when you attempt to access your company email account and discover that it has also been hacked and the password has been changed! 

Now, ask yourself: what information (data) is critical to the operation of your organization over the next day, the next week, and the next month? What “software” (apps, programs and applications) do you use daily to generate forms, invoices and correspondence in your organization? This likely would include things like customer lists, templates, custom business software, and a variety of transaction records. You’ll likely decide that some data and applications truly are “mission critical” (things you simply cannot operate at all without immediate access to) while others you could work around for at least some period of time.

One point to remember, though, is that your list likely will be different from the one another organization would prepare. For example, an architect or engineer’s ability to access work performed for a client five or ten years ago may be the most important competitive advantage they have for gaining repeat business for improvements or modifications to a project. On the other hand, that same data may simply be taking up space on another business’ computer hard drive.

Identify Protected Third-Party Information

Once you have identified data and information critical to your organization’s operation, you then need to determine what data your organization maintains that relates to third parties (customers, suppliers, employees and independent contractors). The previous blog described ways cybercrooks use personal information to compromise computer networks and rob innocent third parties. For that reason, you need to identify data you have retained that could be exploited in a cyberattack to injure these third parties.

This third-party data is often referred to as personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits the identity of an individual to be directly or indirectly inferred. Sensitive PII includes social security numbers, driver’s license numbers, alien registration numbers, financial account and medical records, biometric data, or an individual’s criminal record.

Of course, it is important to identify what sensitive PII your organization holds in order to protect others against losses from a malicious cyberattack. However, it also is important for your organization to do this because almost every state has enacted laws mandating disclosure to these third parties if your organization is the victim of a cyberattack that likely resulted in the disclosure of sensitive PII to a cybercrook. Missouri’s statute can be found here.

In addition, there are laws and regulations that impose requirements on specific industries, such as finance and health care, and these will vary, but the risk to your organization is much the same: a failure to safeguard this third party sensitive PII may lead to its disclosure, and in turn to a successful attack directed against the third party. To protect these individuals, your organization will need to notify them of the attack. Depending on the amount of information involved, this could be quite expensive and time-consuming. It almost certainly will damage your organization’s reputation.

While you may be able to quickly identify the type of sensitive PII your organization retains, determining where that information is located and stored can be a challenge. Most organizations have multiple devices (computers, tablets, servers, smartphones and others) that store the data locally. In addition, this information often also is stored remotely on devices maintained by third parties, in what has come to be known as “the Cloud.” Since data backups to the Cloud can be initiated automatically, you may find that there are multiple copies of sensitive information stored in multiple locations. Depending on your organization’s size – and, most importantly, whether it likely receives, maintains and stores sensitive PII – you may want to look into using specialized software that is designed to search out various locations to identify where your organization has stored sensitive PII, both on local devices and in the Cloud.
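To make the “where is it stored?” problem concrete, here is an added example, not code from this blog, of a small sensitive-PII discovery scanner of the kind the paragraph above refers to. It walks a directory of plain-text files, reports lines that look like U.S. Social Security numbers or payment card numbers (the latter validated with the Luhn checksum so that random digit strings are not reported), and masks every value it finds so the report does not itself become another copy of the PII. The file names, names and numbers in the sample tree it builds are constructed test data (4111 1111 1111 1111 is a standard test card number, not a real account). Commercial discovery tools cover far more file types and cloud locations; this block only illustrates the pattern matching they build on.

```python
import os
import re
import tempfile

# Shapes to look for.  SSN: NNN-NN-NNNN.  Card: 13-19 digits, optionally
# separated by single spaces or dashes, later checked with the Luhn checksum.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Only file types that are plain text are read; binaries are skipped.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log", ".json", ".xml", ".html"}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the SSA never issues."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def mask(value: str) -> str:
    """Keep only the last four digits so the report is not itself a PII copy."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str):
    """Return [(kind, masked_value), ...] for sensitive values found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def scan_directory(root: str):
    """Walk root; return {relative path: [(line number, kind, masked value)]}."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            findings = []
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    findings += [(line_no, k, v) for k, v in find_pii(line)]
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Create a constructed sample tree (test values only) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hr"))
        with open(os.path.join(root, "hr", "staff.csv"), "w") as fh:
            fh.write("name,ssn\nAda Example,123-45-6789\nBob Sample,000-12-3456\n")
        with open(os.path.join(root, "donations.txt"), "w") as fh:
            fh.write("card on file: 4111 1111 1111 1111\nphone: 555-123-4567\n")
        with open(os.path.join(root, "logo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8 not text, skipped by extension")
        return scan_directory(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for line_no, kind, masked in findings:
            print(f"{path}:{line_no}: {kind} {masked}")
```

Run against a real share or laptop by calling `scan_directory("/path/to/files")` instead of `demo()`. The second SSN in the sample (area 000) and the phone number are deliberately not reported, which is the point of the plausibility and Luhn checks: a scanner that flags every digit string quickly gets ignored.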

Step Two – Assess Your Risk Level

Once you have identified “mission critical” information and applications and the sensitive PII your organization holds, you can move to the second step of your cybersecurity strategy: assessing how well this information and these applications are protected from a cyberattack. Since a cyberattack is most likely to be launched by someone who is accessing the internet, a good way to begin is by examining how your organization interacts with the internet.

Inventory internet-connected devices

One place to start this effort is to catalogue the devices that can access the internet. Of course, this will include the desktops, laptops, tablets and smartphones your organization owns and maintains. However, that may only be the first step, and it may not include your most vulnerable access points for a cyberattack. For example, you or your employees may access the organization’s LAN remotely from a home computer, smartphone or tablet. You may also have granted customers, patrons or suppliers special access to your network resources. Each of these is a potential “point of access” for a cyberattack. As you develop an appropriate cybersecurity plan in Part 3 of this blog, you will need to take these devices and entry points into account as well as your LAN and the devices that are attached to it.

Addressing customer credit or debit card payment information

Most businesses and nonprofits must be able to seamlessly accept payments and/or donations with a credit or debit card. However, it is very important to understand what responsibilities your organization has assumed through its credit or debit card payment arrangements, and how that risk can vary depending on how the organization has structured its payment receipt system.

In 2004, the major payment card companies created the “Payment Card Industry — Data Security System” – usually referred to as “PCI DSS.” The PCI DSS establishes industry standards for businesses and organizations that accept, transmit or store payment card information. This is not a federal or state law although, as previously discussed, separate federal or state laws or regulations may require disclosure and create liability issues for your organization if PII is compromised in a cyberattack. Data Security Standards for PCI compliance vary depending on the payment brand (Visa, Mastercard, American Express, etc.) and the number and size of credit or payment card transactions. An organization that is not PCI compliant may lose the right to accept credit or payment card payments and, more importantly, face very substantial fines and penalties.

That said, most PCI compliance obligations are triggered only if the organization handles, transmits or stores credit or debit card information on its network. Fortunately, most small organizations can avoid many of the ongoing requirements to remain PCI compliant, and still offer customers or donors the convenience of using credit and debit cards, by using a payment card processor company. In a payment transaction these companies act as an “intermediary.” Once the transaction is initiated, the exchange of protected information (PII) is conducted on the processor’s network rather than the organization’s. The processor takes the payment card information directly from the customer and credits the organization’s account with the appropriate payment. Since the processor’s network handles the mechanics of the payment processing and stores that information as needed, the organization does not handle, transmit or store any protected data relevant to the transaction.

Of course, if your organization collects or stores payment data by some other means, such as requesting it directly from the customer or donor, that short-circuits the protection afforded by using the payment processor. It then must handle and secure the sensitive PII in accordance with the PCI DSS standards, and it potentially could be subject to significant economic fines and penalties if the sensitive PII it has stored is compromised through a cyberattack. For these reasons, organizations will want to be extremely cautious about collecting and storing any payment card information.

Cybersecurity and your organization’s website

Your organization almost certainly has some sort of “online presence,” whether it is through a commercial website provider or just a page on a social media site. As with other aspects of cybersecurity, your organization’s risk of a cyberattack will vary, and will depend in large part on the level of access offered to the public through the website. Additionally, in the case of a ransomware attack, the extent to which your organization relies on its website to maintain day-to-day operations will be important in deciding how much the organization’s cybersecurity plan needs to focus on website security. As a general rule, if your organization has a website, you’ll want to spend time understanding the cybersecurity risks associated with the site, even if you rely on a third party to prepare and maintain it for your organization.

The risk of a successful cyberattack through your website depends in part on the software and cybersecurity tools used by the company that hosts that site for your organization. Websites whose security software is regularly updated are at less risk. However, if your website permits customers or users to upload any files or documents onto the site, you will need to be particularly diligent to ensure that those files are screened for malware, as this feature gives any cybercrook a way to launch a malicious attack on the website. Additionally, if your website provider offers options to accept payment cards, you’ll need to assess whether it is PCI DSS compliant.

The Final Step

Now that you have learned what a cyberattack is, how it is implemented, determined what data and applications your organization needs to protect, and reviewed your organization’s unique risk profile, you are ready to focus on ways to protect your organization. This is the focus of Part 3 of this Blog.

Part 1: Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Inflation, supply chain issues, COVID, staff shortages, rising wages – and you want me to spend time thinking about cybersecurity?

Well, yes – you should – at least just a little. That advice applies even if it’s just you “pulling the levers” to keep your small business or nonprofit operating, and it applies even if you have outsourced all of your website, email management, and credit card processing to a third-party provider.

This is the first of a three-part blog specifically targeted to cybersecurity for very small organizations: owner-operated businesses with no more than 5-10 employees, sometimes called “microbusinesses,” as well as similarly sized nonprofits. This part (part one) will describe what a cyberattack is, how it is carried out and ways it can cripple or destroy your organization. While almost everyone understands that large businesses and the government are at risk of cyberattacks, in recent years cybercrooks have focused on smaller organizations, in part because these crooks know that you may lack a dedicated IT staff to defend against the attack. Your organization is assumed to be “low hanging fruit” for cybercrooks, but if you understand the risk and take some reasonable steps to address it, you can greatly enhance your organization’s ability to avoid or recover from a cyberattack.

Just because your organization is small does not mean it is less vulnerable to a cyberattack. Unless you are prepared, an attack can cripple your operations and do irreparable harm to your reputation. Microbusinesses already face challenges that lead 30% of them to fail within the first year of operation, and similar failure rates apply to nonprofits as well. As the leader of a small organization with limited resources, time spent working to secure your business against a cyberattack, and to recover from a successful attack, could be critical to the organization’s survival.

Creating a strategy to address this risk doesn’t require a substantial amount of time, and once it is in place, effective cybersecurity is much like protecting your organization’s physical assets. You have locks on the doors and windows, perhaps even a security monitoring device or service to discourage criminal activity and alert you in the event of a break-in, and, worst case, you’ve insured as best you can against potential losses should those steps fail. Addressing cybersecurity is much the same, except that instead of physical assets (building and equipment) you are working to protect the information contained on your internet-connected devices and the software that keeps those devices operating.

With that in mind, keep on reading to learn more about the risks your organization faces, and how to protect it.

Part One: What is at Stake — The Risks of a Cyberattack

The purpose of cybersecurity is to prevent or limit damage to your operations from a cyberattack.

Cyberattacks can cripple your operations and put your organization’s viability at risk. A January 2023 article states that 43% of small businesses surveyed had suffered a cyberattack, and that cyberattacks are expected to cost 6 trillion dollars. This risk is not limited just to your organization. Even if you can quickly recover from a cyberattack others can suffer significant harm. Confidential information relating to third parties that is stored on your network or computers can be stolen and exploited, or your “infected” network and devices can spread harmful programs to customers, donors and suppliers. In addition to badly damaging your organization’s reputation, it may face lawsuits, fines and penalties for failing to properly secure the information on the network and connected devices.

There are many types of cyberattacks, with confusing names and acronyms, and to make matters worse they are consistently changing and evolving as cybercrooks find new ways to achieve their goals. That said, to develop effective strategies to prevent or deal with a cyberattack it is useful to understand what a cyberattack is, what the attacker wants, and some of the common strategies used by cybercrooks that pose a particular risk to small businesses and nonprofits.

What is a cyberattack?   

In these blogs, the term “cyberattack” means an attempt to gain unauthorized access to a digital network and/or to the physical devices that are connected to that network in order to steal information or to disable your operations by locking, corrupting or destroying critical data and applications.

A “digital network” is the mechanism your organization uses to transmit “data” (e.g., email, files, credit and debit card information, video or audio) from one physical location to another. The “internet” is a digital network with more than 5 billion users and, by some estimates, 50 billion devices that connect to it. However, the switches, routers and modems your organization uses to connect computers and other devices to servers and the internet also form a digital network. It is usually called a local area network or LAN. Unlike the internet, a LAN connects a limited number of devices with each other, and it most often acts as a gateway that some or all of these devices can use to access the internet. Typically, a cyberattack originates from a device located somewhere on the internet, and it succeeds by gaining access to your LAN or to one of its connected devices.

What physical devices need to be secured against a cyberattack?

An important point to understand here is that any device that is connected to your LAN (or to the internet directly) is at risk in a cyberattack. This of course includes desktop computers, laptops, network servers, switches and routers – but it also includes a smartphone or a tablet, smart appliances, surveillance cameras or sensors that are part of your alarm system or inventory control, perhaps even your wristwatch. All of these devices have the capacity to interact and connect with your LAN and the internet, and thus all of them are at risk of a cyberattack.

What are the common objectives of a cyberattack?

Most cyberattacks are intended to achieve at least one of these goals:

Extortion –

According to a recent Forbes article, the most common cyberattack threat facing small business in 2023 is ransomware. As the name implies, in a ransomware attack the cybercrook attempts to load some type of malicious software onto your device or your LAN to encrypt the data or otherwise block access. In other words, the attack “locks you out” of your device – or all devices on the network. Once that is accomplished, the cybercrook demands a payment (ransom) with the threat that failure to pay will result in destruction of the data, or disclosure of the personal or financial information of the organization or third parties to other criminals. A derivative of this type of attack could involve theft of sensitive data or third-party information, again with the threat that the cybercrook will disclose it to criminals if the ransom payment is not made.

Theft –

Attacks of this type can take one of several forms; the first category is theft by deception. Here the cybercrook’s goal is to convince you that they are someone else and deceive you into sending them money or valuable information (e.g., credit card or bank account numbers – or passwords to protected networks). The “great-grandfather” of these types of attack is the infamous “Nigerian prince email” (send a relatively small amount of money to aid a Nigerian prince to gain access to a far greater sum that will be shared with the victim). Surprisingly, even though this ruse has been around for decades, it still is used to steal hundreds of thousands of dollars each year.

These types of attacks have greatly evolved over the years. More sophisticated versions used today involve using false credentials and other nefarious approaches to impersonate a known person or business. These are used to trick the unsuspecting into sending money to the cybercrook. The attack is successful because the request itself seems reasonable, such as an email request to move funds from a finance officer or for payment of an invoice from a trusted supplier. At times stolen emails are used, making it impossible to determine from the communication itself that it is illegitimate, unless the recipient decides to verify its authenticity by phone or some other channel. A second class of theft-by-deception cyberattacks seeks disclosure of valuable private information (e.g., credit card or bank account information, email passwords, etc.) rather than a transfer of funds.

Sometimes the objective of a cyberattack may not be money or data, but instead use of your computer itself. Cryptojacking is the most common objective of these attacks. Here the cybercrook seeks access to your computer or networks so that it can use the hardware for “crypto mining” – solving extremely complex mathematical equations to create digital currency. While it may seem farfetched to you that your small organization might be subject to this type of attack, it should not be discounted. A 2021 report on cyber security threats prepared by Cisco found that nearly 70% of organizations studied had at least one computer that had been successfully “hijacked” for use in an illegal crypto mining operation.

This is not a victimless crime; unauthorized crypto mining can greatly reduce the efficiency and useful life of computers and related hardware and result in higher electricity bills. More troubling, since the cybercrook can only hijack your machine by placing software on it, these cyberattacks also usually involve other objectives, such as eventually triggering ransomware or stealing confidential data as well.

Monitoring and Exploitation –

This last category of cyberattack (monitoring and exploitation) typically is undertaken in advance, or in conjunction with one of the others, such as extortion or theft. However, sometimes the cybercrook’s initial goal is simply to gain access in order to eavesdrop and monitor your organization’s online activity. The individual behind the attack might just be a maladjusted “cyber-voyeur” who enjoys the thrill of breaking into and looking at things that are none of their business. On the other hand, news reports regularly surface stories of state-sponsored cyberterrorist attacks that target government websites for purposes of espionage. However, the greatest risk to your organization posed by this form of attack is likely to be that it allows the cybercrook access to confidential information that can be used and exploited at a later date.  

How is a cyberattack carried out?

All digital devices use computer programs (drivers, apps, software, algorithms etc.) to operate. These programs let us communicate via video or audio, monitor business inventory, transfer funds and process credit card payments, create and transmit email and text, and perform many other tasks that keep our organizations running. To achieve one or more of the purposes of the cyberattack, the attacker has to gain access and, in some cases, to add a program or modify an existing program on the LAN or on a computer or other device that is connected to the LAN. These programs or program modifications are referred to generally as “malware,” and they include viruses, trojans, adware and ransomware.

You may think that this occurs only through highly sophisticated exploitation of a flaw in the device’s operating system, undertaken without any action on your part. However, while there have been successful attacks of this type in the past, readily available network and computer defenses make this much less likely today, particularly if existing software is regularly updated.

While the computer algorithm or “malware” used to implement a successful cyberattack may be complex, according to the 2021 Cisco report previously mentioned, 9 times out of 10 those algorithms were introduced to your computer or network by actions taken by you or someone in your organization! Further, while it is certainly possible for a cyberattack to be initiated by a disgruntled current or former employee with physical or remote access to your organization’s network, it is far more likely that access will be unwittingly granted simply by opening an attachment on an email, clicking on a link in a text or on a website, or simply replying to a seemingly legitimate request from a customer or colleague.

This method of attack is generally referred to as phishing (pronounced “fishing”) and there are many variations. However, the objective of all these attacks is to trick the recipient into taking some action that enables the malicious program to be downloaded so that the attack can proceed. The objective of the attack itself might involve any one of the three objectives described above. There are many examples and derivatives of phishing as well as sites that offer cues you can use to recognize and avoid them.

A second less common, but effective means of launching a cyberattack can occur when the attacker intercepts and accesses a wireless network connection. This wireless connection could be the wireless modem used to connect devices at your place of business, or it could be the public wireless network at the airport, coffee shop or Walmart parking lot. In each case the cybercrook uses various means to cause your device to communicate unencrypted information, so that it can be read and later exploited.

Is there any way to defend against a cyberattack?

This blog is by no means an exhaustive discussion of the types of cyberattacks. There are others. However, those discussed are the most common ones small organizations face. The bad news is that these attacks continue, and are becoming more sophisticated. The good news is that with a little planning and thought you can greatly reduce your risk of becoming a victim.

Part 2 of this blog will describe a strategy your organization can use to develop a cybersecurity plan that will minimize your risks, and speed recovery even in the event of a successful cyberattack.