Small
Business Information Security:
The
Fundamentals
This
publication is available free of charge from:
https://doi.org/10.6028/NIST.IR.7621r1
November
2016
3
Safeguarding Your Information
This publication uses the Framework
for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity
Framework”) to organize the processes and tools that you should consider to
protect your information [CSF14]. Appendix C contains more information about
the Cybersecurity Framework. This is not a one-time process, but a continual,
on-going set of activities. Although the Cybersecurity Framework was originally
developed specifically for critical infrastructure organizations, it has proven
useful to a variety of audiences as it provides a simple, common language for
helping organizations to identify, assess, and manage cybersecurity risks.
This
section provides activities you can implement in your business. In addition,
Section 4 of this publication lists some common practices you and your
employees can implement to help keep your business safe. The specific
mitigation activities in this section are grouped into the five broad
categories of the Cybersecurity Framework, as pictured in Figure 3. Some of the
activities in this publication are suggestions for consideration. This means
that those activities are recommended when a higher level of assurance
(confidentiality, integrity, or availability) is needed to protect the
information and meet business needs than is provided by the more basic
practices.
IDENTIFY
⇙ ⇘
RECOVER PROTECT
⇓ ⇓
RESPOND ⇔ DETECT
RECOVER PROTECT
⇓ ⇓
RESPOND ⇔ DETECT
Figure
3: The
Cybersecurity Framework Categories
3.1 Identify
As described in the
Cybersecurity Framework, the activities in the Identify Function help increase
an organization’s understanding of their resources and risks.
• Identify and control who has access to your business
information
Determine who has or
should have access to your business’s information and technology. Include
whether or not a key, administrative privilege, or password is required. To
help collect this information, review your list of accounts and what privileges
those accounts have.
Be aware of anyone who has access to your business. Do not allow
unknown or unauthorized persons to have physical access to any of your business
computers. This includes cleaning crews and maintenance personnel. Do not allow
computer or network repair personnel to work on systems or devices
unsupervised. No unrecognized person should be able to enter your office space
without being questioned by an employee. If a criminal gains physical access to
an unlocked machine, they can relatively easily steal any private or sensitive
information on that machine.Physically lock up your laptops and other mobile
devices when they are not in use. You should also utilize the session lock
feature included with many operating systems, which locks the screen if the
computer is not used for a specified period of time (e.g. 2 minutes). Use a
privacy screen or position each computer’s display so that people walking by
cannot see the information on the screen.
• Conduct Background Checks
Do a full,
nationwide, criminal background check, sexual offender check, and if possible a
credit check on all prospective employees (especially if they will be handing
your business funds). You can request one directly from the FBI or an
FBI-approved Channeler [FBI].
In addition,
consider doing a background check on yourself. Many people become aware that
they are victims of identity theft only after they do a background check on
themselves and find reported arrest records and unusual previous addresses
where they never lived. This can be an indication that your identity has been
stolen.
If prospective employees are applying for a job with educational
requirements, call the schools they attended and verify their actual degree(s),
date(s) of graduation, and GPA(s). If they provided references, call those
references to verify the dates they worked for a company and other specifics to
ensure the employee is being honest.
• Require individual user accounts for each employee.
Set up a separate
account for each user (including any contractors needing access) and require
that strong, unique passwords be used for each account. Without individual
accounts for each user, you may find it difficult to investigate data loss or
unauthorized data manipulation. Ensure that all employees use computer accounts
without administrative privileges to perform typical work functions. This will
hinder any attempt—intentional or not—to install unauthorized software. Consider
using a guest account with minimal privileges (e.g. internet access only) if
needed for your business.
•
Create policies and procedures for information security
Policies and
procedures are used to identify acceptable practices and expectations for business
operations, can be used to train new employees on your information security
expectations, and can aid an investigation in case of an incident. These
policies and procedures should be readily accessible to employees – such as in
an employee handbook or manual.
The scope and
breadth of policies is largely determined by the type of business and the
degree of control and accountability desired by management. Have a legal
professional familiar with cyber law review the policies to ensure they are
compliant with local laws and regulations.
Policies and
procedures for information security and cybersecurity should clearly describe
your expectations for protecting your information and systems. These policies
should identify the information and other resources that are important and
should clearly describe how management expects those resources to be used and
protected by all employees. See Appendix E for sample policy and procedure
statements. Other examples are readily available online or a legal, insurance,
or cybersecurity professional may have example policies.
All employees
should sign a statement agreeing that they have read the policies and relevant
procedures, that they will follow the policies and procedures. If there are
penalties associated with the policies and procedures, employees should be
aware of them. The signed agreement should be kept in the employee’s HR file.
Policies and procedures should be reviewed and updated at least
annually and as there are changes in the organization or technology. Whenever
the policies are changed, employees should be made aware of the changes and
sign the new policy acknowledging their understanding. This can be done in
conjunction with annual training activities (see Section 3.2).
3.2 Protect
The Protect Function supports the ability to limit or contain the
impact of a potential information or cybersecurity event.6
• Limit employee access to data and information
Where possible, do
not allow any employee to have access to all of the business’s information or
systems (financial, personnel, inventory, manufacturing, etc)7. Allow employees
to access only those systems and only the specific information that they need
to do their jobs. Likewise, do not allow a single individual to both initiate
and approve a transaction (financial or otherwise). This includes executives
and senior managers.
Insiders – employees or others who work for a business – are a
main source of security incidents. Because they are already
known, trusted, and have been given access to important business information
and systems, they can easily harm the business (deliberately or
unintentionally). Unfortunately, these types of events can be difficult to
detect, so protecting against them is very important.
When an employee
leaves the business, ensure they no longer have access to the business’s
information or systems. This may involve collecting their business ID, deleting
their username and account from all systems, changing any group passwords or
combination locks they may have known, and collecting any keys they were given.
• Install Surge Protectors and Uninterruptible Power Supplies
(UPS)
Surge protectors
prevent spikes and dips in power from damaging your electronic systems.
Uninterruptible Power Supplies (UPS) provide a limited amount of battery power
to allow you to work through short power outages and provide enough time to
save your data when the electricity goes off. UPS’s often provide surge
protection as well. The size and type of UPS should be sufficient to meet the
needs of your particular business.
Ensure each of your computers and critical network devices are
plugged into a UPS. Plug less sensitive electronics into surge protectors. Test
and replace UPSs and surge protectors as recommended by the manufacturer.
• Patch your operating systems and applications
Any software
application including operating systems, firmware, or plugin installed on a
system could provide the means for an attack. Only install those applications
that you need to run your business and patch/update them regularly. Many
software vendors provide patches and updates to their supported products in
order to correct security concerns and to improve functionality. Ensure that
you know how to update and patch all software on each device you own or use.
When you purchase
new computers, check for updates immediately. Do the same when installing new
software. You should only install a current and vendor-supported version of
software you choose to use. Vendors are not required to provide security
updates for unsupported products. For example, Microsoft ended support for
Windows XP on April 8, 2014 and no new patches will be provided for that
operating system, even though it has known vulnerabilities [Msoft WLFS].
It may be useful to
assign a day each month to check for patches. There are products which can scan
your system and notify you when there is an update for an application you have
installed. If you use one of these products, make sure it checks for updates
for every application you use. You can check for updates directly with the
original manufacturers of the applications you have installed.
• Install and activate software and hardware firewalls on all
your business networks
Firewalls can be used to block unwanted traffic such as known
malicious communications or browsing to inappropriate websites, depending on
the settings. Install and operate a hardware firewall between your internal
network and the Internet. This may be a function of a wireless access
point/router, or it may be a function of a router provided by the Internet
Service Provider (ISP) of the small business. There are many hardware vendors
that provide firewall wireless access points/routers, firewall routers, and
separate firewall devices. Ensure there is antivirus software installed on the
firewall.
For these devices, change the administrative password upon
installation and regularly thereafter. Consider changing the administrator’s
log-in as well. The default values are typically known or easily guessed, and,
if not changed, may allow hackers to control your device and thus, to monitor
or record your communications and data via the Internet.
In addition, install, use, and regularly update a software firewall
on each computer system used in your small business (including smart phones and
other networked devices if possible). If given the option, ensure logging is
enabled which will aid in the investigation of an event by providing evidence.
Many operating systems include a firewall, but you should ensure that the
firewall is operating and logging activity.
You
should only use a current (updated), authentic, and vendor-supported version of
the hardware and software firewall.
It
is necessary to have firewalls on each of your computers and networks even if
you use a cloud service provider or a virtual private network (VPN). If
employees are allowed to do any kind of work at home, ensure that their home
network and systems have hardware and software firewalls installed and
operational, and that they are regularly updated.
In
addition to a basic hardware firewall, you may want to consider installing an
Intrusion Detection / Prevention System (IDPS). These devices analyze network
traffic at a more detailed level and can provide a greater level of protection.
• Secure your
wireless access point and networks
If you use wireless networking, set up
your router as follows (view the owner’s manual for directions on how to make
these changes):
-
Change the administrative password that was on the device when you received it.
-
Set the wireless access point so that it does not broadcast its Service Set
Identifier (SSID).
-
Set your router to use WiFi Protected Access 2 (WPA-2), with the Advanced
Encryption Standard (AES) for encryption. Do not use WEP (Wired-Equivalent
Privacy) as it is not considered secure!
If
your business provides wireless internet access to customers, ensure that it is
separated from your business network.
Avoid
connecting to unknown or unsecured / guest wireless access points, even for
performing non-business activities. Access only those wireless access points
that you own or trust (i.e. are assured of their security).
If
you or your employees must connect to unknown networks or conduct work from
home, you may want to consider implementing an encrypted virtual private
network (VPN) capability, which will allow for a more secure connection.
• Set up web
and email filters
Email
filters can help remove emails known to have malware attached and prevent your
inbox from being cluttered by unsolicited and undesired (i.e. “spam”) email.
Email providers may offer this capability. If your business hosts your own
email servers, use filtering if possible.
Similarly,
many web browsers allow web filtering – notifying the user if a website may
contain malware and potentially preventing them from accessing that website.
Enable this option if available.
You
may want to consider blocking employees from going to websites that are
frequently associated with cybersecurity threats. This may include sites with
pornographic content or social media. This can help prevent employees from
accidentally downloading malware, wasting business resources, and conducting
illicit activity using business resources. Many firewalls and routers can be
set up to block certain addresses (blacklist), or allow only certain addresses
(whitelist). Blacklists can be downloaded online or obtained as part of a
service.
• Use
encryption for sensitive business information
Encryption
is a process of making your electronically stored information unreadable to
anyone not having the correct password or key9. Use full-disk encryption—which
encrypts all information on the storage media – on all of your computers,
tablets, and smart phones. Many systems come with full-disk encryption
capabilities. Not all mobile devices provide this capability.
Do
not forget your encryption password or key! If you lose or forget your
key, you will lose your information. Save a copy of your encryption password or
key in a secure location separate from where your backups are stored.
If,
in your business, you send sensitive documents or emails, you may want to
consider encrypting those documents and/or emails. Many document, and email
applications provide for this capability. Typically, the receiver will need to
have the same application to de-crypt the message or document as you used to
encrypt it. If you need to send them a password or key, give it to them via
phone or other method. Never send it in the same email as the encrypted
document.
• Dispose of
old computers and media safely
Small businesses may sell, throw away,
or donate old computers and media. When disposing of old business computers,
first electronically wipe the hard drive(s). Many operating systems provide
this capability and there are several downloadable applications that can also
do this. If you can’t wipe the hard drive for any reason, consider degaussing
the hard drive.
After
wiping the hard drive(s), remove them and have them physically destroyed. You
can sell, donate, or recycle the machine after the hard drive has been removed.
Many companies will crush or shred them for you. Consider choosing companies
that will allow you to watch the process.
Install
a remote-wiping application on your computer, tablet, cell phone, and other
mobile device. If the device is lost or stolen, you can use these applications
wipe all information from the device.
When
disposing of old media (CDs, floppy disks, USB drives, etc), first delete any
sensitive business or personal data. Then destroy the media either by shredding
it or taking it to a company that will shred it for you. When disposing of
paper containing sensitive information, destroy it by using a crosscut
shredder.
You
may want to consider incinerating paper and other media that contains very
sensitive information.
• Train your
employees
Train
employees immediately when hired and at least annually thereafter about your
information security policies and what they will be expected to do to protect
your business’s information and technology. Ensure they sign a paper stating
that they will follow your policies, and that they understand the penalties for
not following your policies.
Train employees on the following:
• What they are allowed to use business computers
and mobile devices for, such as if they are allowed to use them to check their
personal email.
• How they are expected to treat customer or
business information, for example whether or not they can take that information
home with them.
• What to do in case of an emergency or security
incident (see Section 3.4).
• Basic practices as contained in Section 4 of this
document.
You may be able to obtain training
from various organizations, such as your local Small Business Development
Center (SBDC), SCORE Chapter, community college, technical college, or
commercial training vendors. In addition, the Small Business Administration
(SBA) and Federal Trade Commission (FTC) produce videos and topic-specific tips
and information which can be used for training [SBA LC] [FTC].
Continually
reinforce the training in everyday conversations or meetings. Monthly or
quarterly training, meetings, or newsletters on a specific subject can help
reinforce the importance of security and develop a culture of security in your
employees and in your business.
3.3 Detect
The activities under the Detect Function enable timely discovery
of information security or cybersecurity events.
•
Install and update anti-virus, -spyware, and other –malware programs
Malware (short for
Malicious Software or Malicious Code) is computer code written to steal or harm10.
It includes viruses, spyware, and ransomware. Sometimes malware only uses up
computing resources (e.g. memory), but other times it can record your actions
or send your personal and sensitive information to cyber criminals.
Install, use, and
regularly update anti-virus and anti-spyware software on every device used in
your business (including computers, smart phones, and tablets).
It may be useful to
set the anti-virus and anti-spyware software to automatically check for updates
at least daily (or in “real-time”, if available), and then set it to run a
complete scan soon afterwards. Many businesses run their anti-virus programs at
some scheduled time each night (e.g. 12:00 midnight) and schedule a virus scan
to run about half an hour later (e.g. 12:30 am); then they run their
anti-spyware software (e.g. 2:30 am) and run a full system scan (e.g. 3:00 am).
This assumes that you have an always-on, high-speed connection to the Internet.
Regardless of the actual scheduled times for the above updates and scans, schedule
them so that only one activity is taking place at any given time.
If your employees
do any work from home computers or personal devices, obtain copies of your
business anti-malware software for those systems or require your employees to
use anti-virus and anti-spyware software.
You may want to consider using two different anti-virus solutions
from different vendors. This can improve the chances a virus will be detected.
Often routers, firewalls, and Intrusion Detection / Prevention Systems will have
some anti-virus capabilities, but these should not be exclusively relied upon
to protect the network.
• Maintain and monitor logs
Protection
/ detection hardware or software (e.g. firewalls, anti-virus) often has the
capability of keeping a log of activity. Ensure this functionality is enabled
(check the operating manual for instructions on how to do this). Logs can be
used to identify suspicious activity and may be valuable in case of an
investigation. Logs should be backed up and saved for at least a year; some
types of information may need to be stored for a minimum of six years11.
You
may want to consider having a cybersecurity professional review the logs for
any unusual or unwanted trends, such as a large use of social media websites or
an unusual number of viruses consistently found on a particular computer. These
trends may indicate a more serious problem or signal the need for stronger
protections in a particular area.
3.4 Respond
The
Respond Function supports the ability to contain or reduce the impact of an
event.
• Develop a
plan for disasters and information security incidents
Develop
a plan for what immediate actions you will take in case of a fire, medical
emergency, burglary, or natural disaster.
The
plan should include the following:
• Roles and Responsibilities.
This includes who makes the decision to initiate recovery procedures and who
will be the contact with appropriate law enforcement personnel
•
What to do with your information and information systems in case of an
incident. This includes shutting down or locking computers, moving to a
backup site, physically removing important documents, etc.
• Who to call in case of an
incident. This should include how and when to contact senior executives,
emergency personnel, cybersecurity professionals, legal professionals, service
providers, or insurance providers. Be sure to include relevant contact
information in the plan.
Many states have “notification laws,”
requiring you to notify customers if there is a possibility any of their
information was stolen, disclosed, or otherwise lost. Make sure you know the
laws for your area and include relevant information in your plans.
Include
when to notify appropriate authorities. If there is a possibility that any
personal information, intellectual property, or other sensitive information was
stolen, you should contact your local police department to file a report. In
addition, you may want to contact your local FBI office [DoJ15].
• Types of activities that
constitute an information security incident. This should include activities
such as your business website being down for more than a certain length of time
or evidence of information being stolen.
You may want to consider developing
procedures for each job role that describe exactly what the employee in that
role will be expected to do if there is an incident or emergency. Appendix E
discusses what a procedure document should contain.
3.5 Recover
The Recover Function helps an
organization resume normal operations after an event.
• Make full backups of important business data/information
Conduct a full, encrypted backup of
the data on each computer and mobile device used in your business at least once
a month, shortly after a complete virus scan. Store these backups away from
your office location in a protected place so that if something happens to your
office (fire, flood, tornado, theft, etc), your data is safe. Save a copy of
your encryption password or key in a secure location separate from where your
backups are stored.
Backups will let you restore your data
in case a computer breaks, an employee makes a mistake, or a malicious program
infects your system. Without data backups, you may have to recreate your
business information manually (e.g. from paper records). Data that you should
backup includes (but is not limited to) word processing documents, electronic
spreadsheets, databases, financial files, human resources files, accounts
receivable/payable files, system logs, and other information used in or
generated by your business. Back up only your data, not the software
applications themselves.
You can easily store backups on
removable media, such as an external USB hard drive, or online using a Cloud
Service Provider. If you choose to store your data online, do your due
diligence when selecting a Cloud Service Provider. It is recommended that you
encrypt all data prior to storing it in the Cloud.
If
you use a hard drive, ensure it is large enough to hold all of your monthly
backups for a year. It is helpful to create a separate folder for each of your
computers. When you connect the external disk to your computer, to make your
backups, copy your data into the appropriate designated folder.
Test your backups immediately after
generating them to ensure that the backup was successful and that you can
restore the data if necessary.
• Make incremental backups of important business
data/information
Conduct an automatic incremental or
differential backup of each of your business computers and mobile devices at
least once a week. This type of backup only records any changes made since the
last backup. In some cases, it may be prudent to conduct backups every day or
every hour depending on how much information is changed or generated in that
time and the potential impact of losing that information. Many security
software suites offer automated backup functions that will do this on a regular
schedule for you.
These backups should be stored on:
• removable
media (e.g. external hard drive);
• a separate
server that is isolated from the network, or
• online storage
(e.g. a cloud service provider).
In general, the storage device should
have enough capacity to hold data for 52 weekly backups15, so its size should
be about 52 times the amount of data that you have. Remember this should be
done for each of your computers and mobile devices. You may choose to store
your backups in multiple locations (e.g. one in the office, one in a safety
deposit box across town, and one in the cloud). This provides additional
security in case one of the backups becomes destroyed.
Periodically test your backed up data
to ensure that you can read it reliably. If you don’t test your backups, you
will have no grounds for confidence that you can use them in the event of a
disaster or security incident.
You
may want to consider encrypting your backups. Many software applications will
allow you to encrypt your backups. This provides an added layer of security and
is important if your backups contain any sensitive personal or business
information. Make sure to keep a copy of your encryption password or key in a
secure location separate from where you keep your backups.
• Consider cyber insurance
Cyber insurance is similar to other
types of insurance (e.g. flood, fire) that you may have for your business.
Cyber insurance may help you respond to and recover from a security incident.
In some cases, cyber insurance companies may also provide cybersecurity expertise
and help you identify where you are vulnerable, what kinds of actions you need
to take to protect your systems, and help you investigate an incident and
report it to appropriate authorities.
As you might with any type of
insurance, perform due-diligence when considering cyber insurance. Determine
your risks (see Section 2) before purchasing a policy. Research the company
offering protection, the services they provide, the type of events they cover,
and ensure that they have a good reputation and will be able to meet their
contractual agreement.
• Make improvements to processes / procedures / technologies
Regularly
assess your processes, procedures, and technology solutions according to your
risks (see Section 2). Make corrections and improvements as necessary.
You
may want to consider conducting training or table-top exercises which simulate
or run-through a major event scenario in order to identify potential weaknesses
in your processes, procedures, technology, or personnel readiness. Make
corrections as needed.
Следва публикуване на част 4: Working Safely and Securely
Няма коментари:
Публикуване на коментар