Do You Have a Cybersecurity Program for Your Small/Medium Business?

As a small/medium business owner or manager, it is imperative that you have an awareness of cybersecurity-related risks and implement infrastructure and processes to mitigate those risks.  According to Verizon’s 2018 Data Breach Investigations Report, 58% of breach victims are categorized as small businesses.  Roughly 75% of these breaches are perpetrated by outsiders, while approximately 25% come from insiders.  Some of the techniques used to breach computer systems include hacking, malware (malicious software), social attacks, misuse of privileges, errors, and physical intrusions.

Essential Cybersecurity Awareness and Implementation


We refer to various industry standards and rulings as guides to instituting appropriate security-focused infrastructure and processes.   These include guidelines from organizations such as the National Institute of Standards and Technology (NIST), SANS Institute, and the Center for Internet Security (CIS).  NIST, a part of the U.S. Department of Commerce, provides practical cybersecurity and privacy methods through standards and best practices.  The SANS Institute is a private U.S. for-profit company that specializes in information security, cybersecurity training, and certificates. The Center for Internet Security (CIS) is a non-profit organization that develops, validates, and sustains best practice solutions for cyber defense. Its members include large corporations, government agencies, and academic institutions.

Additionally, we point out various regulatory requirements – such as the New York State Cybersecurity Requirements for Financial Institutions.  Also, we refer to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The New York State Department of Financial Services (“DFS”) has been monitoring the ever-growing cyber threats posed to information and financial systems.  As a result, New York State has issued certain regulatory standards to facilitate cybersecurity programs that match the relevant risks, while keeping pace with technological advances.  These standards are designed to protect the information systems of financial entities and customer information.  Consequently, we use these regulations as a guide for a broad range of small/medium businesses, in addition to financial institutions.

HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information.  The Security Rule associated with these regulations is focused on the protection of electronic protected health information (ePHI), which is typically held by healthcare organizations and other entities that maintain and share patient records.

Industry Standards Offer Guidelines for SMB Cybersecurity


The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  It is a cost-effective approach that helps to protect critical infrastructure.  The Framework facilitates the ability of organizations to describe their current and target cybersecurity posture.  It enables prioritization of opportunities for improvement and monitoring progress towards the target environment.  Additionally, it establishes communication with internal and external stakeholders regarding cybersecurity risk.

The NIST Framework Core provides a set of activities to achieve specific cybersecurity outcomes.  The five Framework Core functions are:

  1. Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Categories include asset management, business environment, governance, risk assessment, and risk management strategy.
  2. Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. Categories are identity management and access control, awareness and training, data security, information protection, maintenance, and protective technology.
  3. Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Category examples include anomalies and events, security continuous monitoring, and detection processes.
  4. Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Categories involve response planning, communications, analysis, mitigation, and improvements.
  5. Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity incident.  Recovery planning, improvements, and communications are examples of categories within this function.

The SANS Institute initially developed the SANS Top 20 Security Controls, which were adopted by the Center for Internet Security.  By using these controls, both large and small organizations can prevent the majority of cyber-attacks.  A recognized industry study showed that 85% of attacks can be prevented by adopting just the first five controls.  Additionally, the study showed that approximately 97% of attacks can be prevented by adopting all 20 controls.

As examples, the following are the CIS Top 5 Security Controls:

  1. Inventory and Control of Hardware Assets

This control is particularly important, as attackers continuously scan the address space of target organizations, searching for new and possibly unprotected systems.  An active discovery tool should be used to identify devices connected to the organization’s network and update the hardware asset inventory.  An up-to-date inventory of information-storing or processing technology assets that are not connected to the network should be maintained as well.  Inventory management is also important for planning and executing system backup, incident response, and recovery.

  2. Inventory and Control of Software Assets

This control involves actively managing all software on the network so that only authorized software is installed and usable.  As with hardware, attackers continuously scan target organizations seeking vulnerable versions of the software.  With complete software inventories, systems running vulnerable or malicious software can be identified to mitigate the risk of attacks.  Additionally, managing software is critical to system backup, incident response, and recovery.  Software inventory tools should be used to automate the documentation of software.  Also, application whitelisting technology can be used to ensure that only authorized software executes.
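The hardware and software controls above share one mechanic: compare what discovery actually observes against what the inventory says is authorized, and treat every difference as a finding. The following is an added example, not code from the article; the MAC addresses, IP addresses, package names and versions are all constructed sample data, and the two-column text formats stand in for whatever your discovery tool and package manager emit.

```python
# Added example (not from the article): reconcile what active discovery and a
# package listing report against an authorized inventory, flagging the gaps.

# Constructed authorized hardware inventory: MAC address -> asset tag.
AUTHORIZED_HARDWARE = {"00:11:22:33:44:01": "WS-001", "00:11:22:33:44:02": "WS-002",
                       "00:11:22:33:44:03": "SRV-001"}
# Constructed active-discovery output (e.g. a parsed ARP table), one "ip mac" per line.
DISCOVERY_OUTPUT = """\
192.168.1.10 00:11:22:33:44:01
192.168.1.11 00:11:22:33:44:02
192.168.1.57 AA:BB:CC:DD:EE:FF
"""
# Constructed software allowlist: package -> set of approved versions.
AUTHORIZED_SOFTWARE = {"openssh-server": {"9.6"}, "nginx": {"1.24.0"}}
# Constructed per-host package listing, one "package version" per line.
INSTALLED_OUTPUT = """\
openssh-server 9.6
nginx 1.18.0
teamviewer 15.1
"""

def parse_pairs(text):
    """Parse two-column lines; blank lines and '#' comments are skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2:
            raise ValueError(f"malformed inventory line: {line!r}")
        pairs.append((parts[0], parts[1]))
    return pairs

def reconcile_hardware(discovered, authorized):
    """Unknown MACs need investigation; missing ones may be offline or removed."""
    seen = {mac.lower(): ip for ip, mac in parse_pairs(discovered)}
    known = {mac.lower(): tag for mac, tag in authorized.items()}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in known}
    missing = sorted(tag for mac, tag in known.items() if mac not in seen)
    return {"unknown": unknown, "missing": missing}

def reconcile_software(installed, allowlist):
    """Anything not on the allowlist, or at a non-approved version, is a finding."""
    unauthorized, unapproved = [], []
    for pkg, ver in parse_pairs(installed):
        if pkg not in allowlist:
            unauthorized.append(pkg)
        elif ver not in allowlist[pkg]:
            unapproved.append((pkg, ver))
    return {"unauthorized": unauthorized, "unapproved_version": unapproved}
```

Run on a schedule and fed by real discovery output, the two result dictionaries become the worklist for the inventory owner: unknown devices and unauthorized packages are investigated, and missing devices are confirmed retired or brought back under management.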

  3. Continuous Vulnerability Management

This control is associated with identifying and remediating vulnerabilities.  Organizations should scan for vulnerabilities and proactively address discovered flaws.  Companies should use a SCAP-compliant vulnerability scanning tool on a regular basis.  SCAP (Security Content Automation Protocol) is a set of specifications that enables automated vulnerability management, measurement, and policy compliance checking.

  4. Controlled Use of Administrative Privileges

Administrative privileges on computers, networks, and applications need to be controlled, as misuse is a target of attackers.  Control is accomplished through the use of tools that track and control the use and assignment of administrative privileges.  Sometimes privileged users are tricked into accessing malicious attachments, files, or websites which enable attackers to find administrative passwords or other sensitive data.  All users with administrative account access should use a dedicated account for their privileged activities.  This dedicated account should not be used for Internet browsing, email, or other non-privileged activities.

  5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Mobile devices, laptops, servers, and workstations should be managed using a rigorous configuration management and change control process.  This management is designed to prevent attackers from exploiting vulnerable services and settings.  Default configurations for equipment, operating systems and applications are typically set up for ease-of-deployment rather than security.  Establishing configuration settings with good security properties is a complex process requiring skilled technical capabilities.  Initial configurations must be continually managed to avoid security degradation as software is updated or patched.  Configuration standards for all operating systems and software should be documented.

Regulatory Environment Provides Roadmap and Rulings for Cybersecurity

The New York State Cybersecurity Requirements for Financial Institutions serves as a guide for SMBs, both within and outside of the financial services industry.  The regulation requires each company to assess its specific risk profile and design a program that addresses its risks.  The program should protect the confidentiality, integrity, and availability of the company’s information systems.  This includes the protection of non-public information, such as business information that, if disclosed, could cause a material adverse impact on the business, its operations, or its security.  Sensitive personal information must also be protected, including data such as social security numbers, driver’s license numbers, bank account numbers, credit card numbers, and passwords.  Senior management must take responsibility for the company’s cybersecurity program, with annual confirmation of compliance.  The cybersecurity program is designed to ensure the safety and soundness of the company while protecting its customers.  The cybersecurity program will perform the following functions:

  1. Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of non-public information on the company’s information systems
  2. Use defensive infrastructure, policies, and procedures to protect information systems
  3. Detect cybersecurity events
  4. Respond to cybersecurity events to mitigate negative effects
  5. Recover from cybersecurity events and restore normal operations
  6. Fulfill applicable regulatory reporting requirements

Written policies and procedures are required to be approved by a senior officer addressing the following areas:

  1. Information security
  2. Data governance
  3. Asset inventory
  4. Access controls
  5. Business continuity and disaster recovery planning
  6. System operations and availability
  7. Systems and network security and monitoring
  8. Systems and application development and quality assurance
  9. Physical security
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Risk assessment
  13. Incident response

SMBs should designate a qualified person as a Chief Information Security Officer (CISO) who is responsible for implementing and enforcing a cybersecurity program.  In many cases, SMBs outsource CISO responsibilities to a third-party service provider to obtain the necessary skills and experience. The cybersecurity program should include monitoring and testing, in accordance with a documented risk assessment.  Additionally, audit trails should be maintained of cybersecurity events that could materially harm normal operations.  Company personnel should periodically receive cybersecurity awareness training.  Enhanced security measures such as multi-factor authentication and encryption should be considered when providing access to non-public information.

A cybersecurity program should include a written incident response plan designed to facilitate prompt response, notification, and recovery from a cybersecurity event that materially impacts the organization.

The HIPAA Security Rule is part of the regulations issued by the Secretary of the U.S. Department of Health and Human Services (HHS) that protect the privacy and security of certain health information.  The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.  The Security Rule established national standards for the protection of electronic protected health information (ePHI).  Within HHS, the Office for Civil Rights (OCR) enforces the Privacy and Security Rules through voluntary compliance activities and civil monetary penalties.

The Security Rule requires organizations dealing with ePHI to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.  Considerations in deciding what security measures to use include:

  1. Size, complexity, and capabilities of the organization
  2. Technical, hardware, and software infrastructure
  3. Costs of security measures
  4. Likelihood and possible impact of potential risks to ePHI

Organizations responsible for following the Security Rule (mostly “covered entities”) are required to perform periodic risk assessments of their security management processes.  As part of the risk assessment, security measures are documented including supporting rationale.  The risk assessments should be performed on an ongoing periodic basis, reevaluating ePHI access, incidents, effectiveness, and risks.

Covered entities must designate a security official who develops and implements security policies and procedures.  The designated security official can be supplemented with third-party HIPAA-qualified personnel to obtain the necessary technical and compliance knowledge and capabilities.  Also, covered entities must train all workforce members regarding their security policies and procedures.  Training must be supplemented with appropriate enforcement and sanction practices for workforce members who violate those security policies and procedures.

Further HIPAA Security Rule provisions include facility physical access and control, workstation and device security, ePHI access policies and procedures, and information systems audit controls.

Customize Your SMB Cybersecurity Program

Industry standards and the security regulatory environment provide SMBs with a menu of suggested and sometimes mandated actions for implementing a cybersecurity program.  It is evident that there is much overlap and consistency among the key ingredients of each of these programs.  The key takeaway is that SMB owners and managers must have an awareness of the recommended and required actions.  With that awareness, responsible cybersecurity actions must be decided upon and implemented to protect the SMB business, its customers, and its affiliates.

If you aren’t sure your current IT company is protecting your business computer network from cyber attacks, perhaps it’s time for a better solution provider.  Contact us at (855) 551-7760 ext 311 to book your Strategic Technology Planning or Cybersecurity overview session.

We know our award-winning, local IT company would be a great fit for your business’ IT goals and needs.

How is your state of IT? Call Us: (855) 551-7760 with any questions.