Small Business Information Security: The Fundamentals

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.7621r1

November 2016

3 Safeguarding Your Information
This publication uses the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) to organize the processes and tools that you should consider to protect your information [CSF14]. Appendix C contains more information about the Cybersecurity Framework. This is not a one-time process, but a continual, ongoing set of activities. Although the Cybersecurity Framework was originally developed specifically for critical infrastructure organizations, it has proven useful to a variety of audiences, as it provides a simple, common language for helping organizations identify, assess, and manage cybersecurity risks.

This section provides activities you can implement in your business. In addition, Section 4 of this publication lists some common practices you and your employees can implement to help keep your business safe. The specific mitigation activities in this section are grouped into the five broad categories of the Cybersecurity Framework, as pictured in Figure 3. Some of the activities in this publication are suggestions for consideration: they are recommended when a higher level of assurance (confidentiality, integrity, or availability) is needed to protect the information and meet business needs than the more basic practices provide.
Figure 3: The Cybersecurity Framework Categories (Identify, Protect, Detect, Respond, and Recover, arranged as a continuous cycle)
3.1 Identify

As described in the Cybersecurity Framework, the activities in the Identify Function help increase an organization’s understanding of its resources and risks.

• Identify and control who has access to your business information

Determine who has or should have access to your business’s information and technology. Include whether a key, administrative privilege, or password is required. To help collect this information, review your list of accounts and what privileges those accounts have.

Be aware of anyone who has access to your business. Do not allow unknown or unauthorized persons to have physical access to any of your business computers. This includes cleaning crews and maintenance personnel. Do not allow computer or network repair personnel to work on systems or devices unsupervised. No unrecognized person should be able to enter your office space without being questioned by an employee. If a criminal gains physical access to an unlocked machine, they can relatively easily steal any private or sensitive information on that machine. Physically lock up your laptops and other mobile devices when they are not in use. You should also use the session lock feature included with many operating systems, which locks the screen if the computer is not used for a specified period of time (e.g. 2 minutes). Use a privacy screen or position each computer’s display so that people walking by cannot see the information on the screen.
• Conduct Background Checks

Do a full, nationwide criminal background check, sex offender registry check, and if possible a credit check on all prospective employees (especially if they will be handling your business funds). You can request one directly from the FBI or an FBI-approved Channeler [FBI].

In addition, consider doing a background check on yourself. Many people become aware that they are victims of identity theft only after they do a background check on themselves and find reported arrest records and unusual previous addresses where they never lived. This can be an indication that your identity has been stolen.

If prospective employees are applying for a job with educational requirements, call the schools they attended and verify their actual degree(s), date(s) of graduation, and GPA(s). If they provided references, call those references to verify the dates they worked for a company and other specifics to ensure the applicant is being honest.
• Require individual user accounts for each employee

Set up a separate account for each user (including any contractors needing access) and require that strong, unique passwords be used for each account. Without individual accounts for each user, you may find it difficult to investigate data loss or unauthorized data manipulation. Ensure that all employees use computer accounts without administrative privileges to perform typical work functions; anyone who administers systems should have a separate, non-administrative account for day-to-day work. This will hinder any attempt, intentional or not, to install unauthorized software. Consider using a guest account with minimal privileges (e.g. internet access only) if needed for your business.
• Create policies and procedures for information security

Policies and procedures are used to identify acceptable practices and expectations for business operations, can be used to train new employees on your information security expectations, and can aid an investigation in case of an incident. These policies and procedures should be readily accessible to employees, such as in an employee handbook or manual.

The scope and breadth of policies is largely determined by the type of business and the degree of control and accountability desired by management. Have a legal professional familiar with cyber law review the policies to ensure they comply with local laws and regulations.

Policies and procedures for information security and cybersecurity should clearly describe your expectations for protecting your information and systems. These policies should identify the information and other resources that are important and should clearly describe how management expects those resources to be used and protected by all employees. See Appendix E for sample policy and procedure statements. Other examples are readily available online, or a legal, insurance, or cybersecurity professional may have example policies.

All employees should sign a statement agreeing that they have read the policies and relevant procedures and that they will follow them. If there are penalties associated with the policies and procedures, employees should be aware of them. The signed agreement should be kept in the employee’s HR file.

Policies and procedures should be reviewed and updated at least annually and whenever there are changes in the organization or technology. Whenever the policies are changed, employees should be made aware of the changes and sign the new policy acknowledging their understanding. This can be done in conjunction with annual training activities (see Section 3.2).
3.2 Protect

The Protect Function supports the ability to limit or contain the impact of a potential information or cybersecurity event.

• Limit employee access to data and information

Where possible, do not allow any employee to have access to all of the business’s information or systems (financial, personnel, inventory, manufacturing, etc.). Allow employees to access only those systems and only the specific information that they need to do their jobs. Likewise, do not allow a single individual to both initiate and approve a transaction (financial or otherwise). This includes executives and senior managers.

Insiders (employees or others who work for a business) are a main source of security incidents. Because they are already known, trusted, and have been given access to important business information and systems, they can easily harm the business, deliberately or unintentionally. Unfortunately, these types of events can be difficult to detect, so protecting against them is very important.

When an employee leaves the business, ensure they no longer have access to the business’s information or systems. This may involve collecting their business ID, disabling or deleting their username and account on all systems (including cloud services and remote-access accounts), changing any group passwords or combination locks they may have known, and collecting any keys they were given.
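The account review these paragraphs describe (review your list of accounts and their privileges, give each person an individual non-administrative account, and remove access when someone leaves) can be made a repeatable check. The following Python script is an added example, not code from NIST IR 7621r1: the account export format, the staff roster and the 90-day dormancy threshold are assumptions constructed for illustration, and a real review would feed it an export from your directory or operating system and the current roster from HR.

```python
"""Account and privilege review over a constructed account export.

Added example, not part of NIST IR 7621r1. The export format, the
roster and the dormancy threshold are assumptions made for
illustration.
"""
import csv
import io
from datetime import date, datetime

# Constructed account export, one row per account. "privilege" is
# admin or user; "type" is person (tied to a named owner) or shared.
ACCOUNT_EXPORT = """\
username,owner,privilege,last_login,type
alice,Alice Jones,user,2016-10-28,person
bob,Bob Lee,user,2016-10-30,person
bob-admin,Bob Lee,admin,2016-10-30,person
carol,Carol Diaz,user,2016-03-02,person
dave,Dave Kim,admin,2016-10-29,person
frontdesk,,user,2016-10-31,shared
guest,,user,2015-12-01,shared
"""

# Constructed roster of people currently employed or under contract
# (Carol Diaz has left; her account was never removed).
CURRENT_STAFF = {"Alice Jones", "Bob Lee", "Dave Kim"}

# Date the review is run (fixed so the example is reproducible).
REVIEW_DATE = date(2016, 11, 1)


def review_accounts(export_text, current_staff, today, dormant_days=90):
    """Return (username, finding) pairs for a person to act on."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Owners who have at least one ordinary (non-admin) account.
    has_user_account = {r["owner"] for r in rows
                        if r["privilege"] == "user" and r["owner"]}
    findings = []
    for r in rows:
        name, owner = r["username"], r["owner"]
        idle = (today - datetime.strptime(r["last_login"], "%Y-%m-%d").date()).days
        # 1. Offboarding gap: the account's owner is no longer on the roster.
        if r["type"] == "person" and owner not in current_staff:
            findings.append((name, "owner is not on the current staff roster; disable"))
        # 2. Shared logins defeat accountability: you cannot tell who did what.
        if r["type"] == "shared":
            findings.append((name, "shared account; replace with individual accounts"))
        # 3. Administrative privilege on someone's only account means daily
        #    work (email, browsing) runs with admin rights.
        if r["privilege"] == "admin" and owner not in has_user_account:
            findings.append((name, "only account is administrative; add a separate non-admin account"))
        # 4. Dormant accounts usually belong to someone who left or to a
        #    login nobody uses; either way they are a standing risk.
        if idle > dormant_days:
            findings.append((name, f"no login for {idle} days; review or disable"))
    return findings


def run_review():
    """Run the review over the constructed data and return its findings."""
    return review_accounts(ACCOUNT_EXPORT, CURRENT_STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding in run_review():
        print(f"{username:<12} {finding}")
```

Run it monthly and after every departure; each finding names the account and the action to take. Disabling an account rather than deleting it outright keeps its files and history available if an investigation is needed later.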
• Install Surge Protectors and Uninterruptible Power Supplies (UPS)

Surge protectors keep voltage spikes from damaging your electronic systems. Uninterruptible Power Supplies (UPS) provide a limited amount of battery power to ride through dips (brownouts) and short outages and to give you enough time to save your data and shut down cleanly when the electricity goes off. UPSs often provide surge protection as well. The size and type of UPS should be sufficient to meet the needs of your particular business.

Ensure each of your computers and critical network devices is plugged into a UPS. Plug less sensitive electronics into surge protectors. Test and replace UPSs and surge protectors as recommended by the manufacturer.
• Patch your operating systems and applications

Any software installed on a system, including operating systems, firmware, and plug-ins, could provide the means for an attack. Only install those applications that you need to run your business and patch/update them regularly. Many software vendors provide patches and updates to their supported products in order to correct security concerns and to improve functionality. Ensure that you know how to update and patch all software on each device you own or use.

When you purchase new computers, check for updates immediately. Do the same when installing new software. You should only install a current and vendor-supported version of software you choose to use. Vendors are not required to provide security updates for unsupported products. For example, Microsoft ended support for Windows XP on April 8, 2014, and no new patches will be provided for that operating system, even though it has known vulnerabilities [Msoft WLFS].

It may be useful to assign a day each month to check for patches, and to turn on automatic updates wherever the software offers them. There are products which can scan your system and notify you when there is an update for an application you have installed. If you use one of these products, make sure it checks for updates for every application you use. You can also check for updates directly with the original manufacturers of the applications you have installed.
• Install and activate software and hardware firewalls on all your business networks

Firewalls can be used to block unwanted traffic such as known malicious communications or browsing to inappropriate websites, depending on the settings. Install and operate a hardware firewall between your internal network and the Internet. This may be a function of a wireless access point/router, or it may be a function of a router provided by the Internet Service Provider (ISP) of the small business. There are many hardware vendors that provide firewall wireless access points/routers, firewall routers, and separate firewall devices. If the firewall offers malware scanning of network traffic (many small-business firewalls do), enable it and keep its signatures updated, but do not rely on it in place of anti-virus software on each computer.

For these devices, change the administrative password upon installation and regularly thereafter. Consider changing the administrator’s log-in name as well, and disable administration of the device from the Internet side if the device allows it. The default values are typically known or easily guessed, and, if not changed, may allow hackers to control your device and thus to monitor or record your communications and data via the Internet.

In addition, install, use, and regularly update a software firewall on each computer system used in your small business (including smart phones and other networked devices if possible). If given the option, ensure logging is enabled, which will aid in the investigation of an event by providing evidence. Many operating systems include a firewall, but you should ensure that the firewall is operating and logging activity.

You should only use a current (updated), authentic, and vendor-supported version of the hardware and software firewall.

It is necessary to have firewalls on each of your computers and networks even if you use a cloud service provider or a virtual private network (VPN). If employees are allowed to do any kind of work at home, ensure that their home network and systems have hardware and software firewalls installed and operational, and that they are regularly updated.

In addition to a basic hardware firewall, you may want to consider installing an Intrusion Detection / Prevention System (IDPS). These devices analyze network traffic at a more detailed level and can provide a greater level of protection.
• Secure your wireless access point and networks

If you use wireless networking, set up your router as follows (view the owner’s manual for directions on how to make these changes):

- Change the administrative password that was on the device when you received it.
- Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID). Note that this only keeps the network out of the list casual users see; the name is still sent over the air whenever a device connects, so anyone with a wireless sniffer can learn it. Treat it as a minor deterrent, not as a substitute for encryption.
- Set your router to use WiFi Protected Access 2 (WPA2) with the Advanced Encryption Standard (AES) for encryption, protected by a long, hard-to-guess passphrase. Do not use WEP (Wired Equivalent Privacy), as it is not considered secure!

If your business provides wireless internet access to customers, ensure that it is separated from your business network.

Avoid connecting to unknown or unsecured / guest wireless access points, even for performing non-business activities. Access only those wireless access points that you own or trust (i.e. are assured of their security).

If you or your employees must connect to unknown networks or conduct work from home, you may want to consider implementing an encrypted virtual private network (VPN) capability, which will allow for a more secure connection.
• Set up web and email filters

Email filters can help remove emails known to have malware attached and prevent your inbox from being cluttered by unsolicited and undesired (i.e. “spam”) email. Email providers may offer this capability. If your business hosts its own email servers, use filtering if possible.

Similarly, many web browsers allow web filtering, notifying the user if a website may contain malware and potentially preventing them from accessing that website. Enable this option if available.

You may want to consider blocking employees from going to websites that are frequently associated with cybersecurity threats. This may include sites with pornographic content or social media. This can help prevent employees from accidentally downloading malware, wasting business resources, and conducting illicit activity using business resources. Many firewalls and routers can be set up to block certain addresses (a blacklist) or allow only certain addresses (a whitelist). Blacklists can be downloaded online or obtained as part of a service.
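The blacklist/whitelist matching a firewall or router performs when you configure web filtering has one common pitfall: treating the blocked name as a substring, which lets “notexample.com” through a block on “example.com” or, worse, blocks far more than intended. The Python below is an added example, not from NIST IR 7621r1 or any particular product, showing label-wise matching with constructed lists; it is useful for checking how a list will behave before loading it into a device, not as a replacement for the filter in your firewall.

```python
"""Blocklist / allowlist matching for a web filter.

Added example, not part of NIST IR 7621r1; the lists are constructed.
The point it shows: compare whole domain labels, so that blocking
"example.com" also covers "www.example.com" but never "notexample.com"
(a plain substring test gets that wrong), and let an explicit
allowlist entry override a blocked parent domain.
"""


def _self_and_parents(host):
    """Yield host and each parent domain: a.b.example.com, b.example.com, ..."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(d in domains for d in _self_and_parents(host))


def decide(host, blocklist, allowlist=frozenset(), default_allow=True):
    """Return "allow" or "block" for one requested host.

    default_allow=True is blocklist mode: anything not listed passes.
    default_allow=False is allowlist mode: only allowlisted hosts pass.
    In both modes an allowlist entry wins over a blocklist entry, so one
    needed service under a blocked domain can still be reached.
    """
    if matches(host, allowlist):
        return "allow"
    if matches(host, blocklist):
        return "block"
    return "allow" if default_allow else "block"


# Constructed lists; real ones come from a downloaded feed or a service.
BLOCKLIST = {"example.com", "malware-download.invalid"}
ALLOWLIST = {"docs.example.com"}


def naive_substring_block(host, blocklist):
    """The mistake the label-wise version avoids, kept for comparison."""
    return any(d in host.lower() for d in blocklist)


if __name__ == "__main__":
    for h in ["www.example.com", "docs.example.com", "notexample.com", "EXAMPLE.COM."]:
        print(f"{h:<20} {decide(h, BLOCKLIST, ALLOWLIST)}")
```

Case and a trailing dot are normalized before matching because browsers and resolvers treat “EXAMPLE.COM.” and “example.com” as the same name; a filter that does not normalize can be bypassed by either.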
• Use encryption for sensitive business information

Encryption is a process of making your electronically stored information unreadable to anyone not having the correct password or key. Use full-disk encryption, which encrypts all information on the storage media, on all of your computers, tablets, and smart phones. Many systems come with full-disk encryption capabilities. Not all mobile devices provide this capability. Full-disk encryption protects the data on a device that is lost, stolen, or powered off; once the device is running and unlocked, the data is readable, so it does not replace the session lock, individual accounts, and anti-malware measures described elsewhere in this section.

Do not forget your encryption password or key! If you lose or forget your key, you will lose your information. Save a copy of your encryption password or key in a secure location separate from where your backups are stored.

If, in your business, you send sensitive documents or emails, you may want to consider encrypting those documents and/or emails. Many document and email applications provide this capability. Typically, the receiver will need to have the same application to decrypt the message or document as you used to encrypt it. If you need to send them a password or key, give it to them by phone or another method. Never send it in the same email as the encrypted document.
• Dispose of old computers and media safely

Small businesses may sell, throw away, or donate old computers and media. When disposing of old business computers, first electronically wipe the hard drive(s). Many operating systems provide this capability and there are several downloadable applications that can also do this. If you can’t wipe the hard drive for any reason, consider degaussing the hard drive. Note that degaussing only works on magnetic hard disks; it has no effect on solid-state drives (SSDs) and USB flash media, and overwriting tools do not reliably reach every cell of flash storage either. For those, use the drive’s built-in secure-erase function (or, if the drive was fully encrypted, destroy the key) and then physically destroy the drive.

After wiping the hard drive(s), remove them and have them physically destroyed. You can sell, donate, or recycle the machine after the hard drive has been removed. Many companies will crush or shred them for you. Consider choosing companies that will allow you to watch the process.

Install a remote-wiping application on your computers, tablets, cell phones, and other mobile devices. If a device is lost or stolen, you can use these applications to wipe all information from the device.

When disposing of old media (CDs, floppy disks, USB drives, etc.), first delete any sensitive business or personal data. Then destroy the media either by shredding it or taking it to a company that will shred it for you. When disposing of paper containing sensitive information, destroy it by using a crosscut shredder.

You may want to consider incinerating paper and other media that contains very sensitive information.
• Train your employees

Train employees immediately when hired and at least annually thereafter about your information security policies and what they will be expected to do to protect your business’s information and technology. Ensure they sign a paper stating that they will follow your policies, and that they understand the penalties for not following your policies.

Train employees on the following:

• What they are allowed to use business computers and mobile devices for, such as whether they are allowed to use them to check their personal email.
• How they are expected to treat customer or business information, for example whether or not they can take that information home with them.
• What to do in case of an emergency or security incident (see Section 3.4).
• Basic practices as contained in Section 4 of this document.

You may be able to obtain training from various organizations, such as your local Small Business Development Center (SBDC), SCORE Chapter, community college, technical college, or commercial training vendors. In addition, the Small Business Administration (SBA) and Federal Trade Commission (FTC) produce videos and topic-specific tips and information which can be used for training [SBA LC] [FTC].

Continually reinforce the training in everyday conversations or meetings. Monthly or quarterly training, meetings, or newsletters on a specific subject can help reinforce the importance of security and develop a culture of security in your employees and in your business.
3.3 Detect

The activities under the Detect Function enable timely discovery of information security or cybersecurity events.

• Install and update anti-virus, anti-spyware, and other anti-malware programs

Malware (short for malicious software or malicious code) is computer code written to steal or harm. It includes viruses, spyware, and ransomware. Sometimes malware only uses up computing resources (e.g. memory), but other times it can record your actions or send your personal and sensitive information to cyber criminals.

Install, use, and regularly update anti-virus and anti-spyware software on every device used in your business (including computers, smart phones, and tablets).

It may be useful to set the anti-virus and anti-spyware software to automatically check for updates at least daily (or in “real time”, if available), and then set it to run a complete scan soon afterwards. Many businesses run their anti-virus update at some scheduled time each night (e.g. 12:00 midnight) and schedule a virus scan to run about half an hour later (e.g. 12:30 am); then they run their anti-spyware update (e.g. 2:30 am) and a full system scan (e.g. 3:00 am). This assumes that you have an always-on, high-speed connection to the Internet. Regardless of the actual scheduled times for the above updates and scans, schedule them so that only one activity is taking place at any given time.

If your employees do any work from home computers or personal devices, obtain copies of your business anti-malware software for those systems or require your employees to use anti-virus and anti-spyware software.

You may want to consider using anti-virus solutions from two different vendors, since no single product detects everything. Put them at different layers (for example, one on the network firewall or email gateway and another on each computer) rather than running two real-time scanners on the same computer, which commonly conflict with each other and slow the machine down. Routers, firewalls, and Intrusion Detection / Prevention Systems often have some anti-virus capabilities, but these should not be exclusively relied upon to protect the network.
• Maintain and monitor logs

Protection / detection hardware or software (e.g. firewalls, anti-virus) often has the capability of keeping a log of activity. Ensure this functionality is enabled (check the operating manual for instructions on how to do this). Logs can be used to identify suspicious activity and may be valuable in case of an investigation. Logs should be backed up and saved for at least a year; some types of information may need to be stored for a minimum of six years. Where possible, send copies of logs to a separate system, since an attacker who controls a computer can delete or alter the logs kept on it.

You may want to consider having a cybersecurity professional review the logs for any unusual or unwanted trends, such as heavy use of social media websites or an unusual number of viruses consistently found on a particular computer. These trends may indicate a more serious problem or signal the need for stronger protections in a particular area.
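Log review of the kind described here (enabling logging on firewalls and anti-virus, then looking for trends such as one computer that keeps turning up infected) can be partly automated. The Python below is an added example, not code from NIST IR 7621r1 or any product; the two log formats and the sample lines are constructed for illustration, since every product has its own format, and the thresholds (three detections on one host, one outside address blocked while reaching for two or more internal hosts) are assumptions to tune for your environment.

```python
"""Spotting trends in security logs, over constructed sample lines.

Added example, not part of NIST IR 7621r1. Both log formats are
invented for illustration; real products each have their own, so
adjust the two regular expressions to match yours.
"""
import re
from collections import Counter, defaultdict

# Constructed anti-virus log: one detection per line, one month.
AV_LOG = """\
2016-10-03 09:12:01 host=FRONTDESK action=quarantined threat=Trojan.Generic
2016-10-05 14:02:44 host=ACCOUNTING action=quarantined threat=Adware.Bundle
2016-10-10 11:31:09 host=FRONTDESK action=quarantined threat=Trojan.Downloader
2016-10-17 08:45:13 host=FRONTDESK action=quarantined threat=Trojan.Generic
2016-10-24 16:20:55 host=FRONTDESK action=deleted threat=Worm.AutoRun
2016-10-31 10:05:30 host=FRONTDESK action=quarantined threat=Trojan.Generic
"""

# Constructed host-firewall log of blocked inbound connections.
FW_LOG = """\
2016-10-31 02:14:07 BLOCK IN src=203.0.113.7 dst=192.168.1.20 dport=3389
2016-10-31 02:14:08 BLOCK IN src=203.0.113.7 dst=192.168.1.20 dport=3389
2016-10-31 02:14:09 BLOCK IN src=203.0.113.7 dst=192.168.1.20 dport=3389
2016-10-31 02:14:11 BLOCK IN src=203.0.113.7 dst=192.168.1.21 dport=3389
2016-10-31 02:14:12 BLOCK IN src=203.0.113.7 dst=192.168.1.22 dport=3389
2016-10-31 09:30:00 BLOCK IN src=198.51.100.4 dst=192.168.1.20 dport=445
this line is not in the expected format and must be skipped, not crash the review
"""

AV_RE = re.compile(r"^(\S+) \S+ host=(\S+) action=\S+ threat=(\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ BLOCK IN src=(\S+) dst=(\S+) dport=(\d+)$")


def detections_per_host(av_log):
    """Count malware detections per computer; unparseable lines are skipped."""
    counts = Counter()
    for line in av_log.splitlines():
        m = AV_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def repeat_offenders(av_log, threshold=3):
    """Computers with at least `threshold` detections in the log window.

    One detection is routine; the same machine every week points at a
    user habit, a persistent infection the scanner keeps cleaning, or a
    missing protection on that machine.
    """
    return sorted(h for h, n in detections_per_host(av_log).items() if n >= threshold)


def probing_sources(fw_log, min_targets=2):
    """Outside addresses blocked while reaching for several internal hosts.

    Returns {src: (blocked_count, sorted destinations)} for sources that
    touched at least `min_targets` distinct destinations, which looks like
    a scan rather than one stray connection.
    """
    hits = Counter()
    targets = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        _, src, dst, _ = m.groups()
        hits[src] += 1
        targets[src].add(dst)
    return {src: (hits[src], sorted(targets[src]))
            for src in hits if len(targets[src]) >= min_targets}


if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(AV_LOG))
    print("probing sources:", probing_sources(FW_LOG))
```

On the constructed data the review flags FRONTDESK (five detections in a month while the rest of the office had one) and a single outside address that was blocked five times while trying three internal machines on the remote-desktop port; both are the kind of pattern a person reviewing the raw log line by line would easily miss.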
3.4 Respond

The Respond Function supports the ability to contain or reduce the impact of an event.

• Develop a plan for disasters and information security incidents

Develop a plan for what immediate actions you will take in case of a fire, medical emergency, burglary, natural disaster, or information security incident.

The plan should include the following:

• Roles and responsibilities. This includes who makes the decision to initiate recovery procedures and who will be the contact with appropriate law enforcement personnel.
• What to do with your information and information systems in case of an incident. This includes shutting down or locking computers, disconnecting affected computers from the network, moving to a backup site, physically removing important documents, etc.
• Who to call in case of an incident. This should include how and when to contact senior executives, emergency personnel, cybersecurity professionals, legal professionals, service providers, or insurance providers. Be sure to include relevant contact information in the plan.

Many states have “notification laws,” requiring you to notify customers if there is a possibility any of their information was stolen, disclosed, or otherwise lost. Make sure you know the laws for your area and include relevant information in your plans.

Include when to notify appropriate authorities. If there is a possibility that any personal information, intellectual property, or other sensitive information was stolen, you should contact your local police department to file a report. In addition, you may want to contact your local FBI office [DoJ15].

• Types of activities that constitute an information security incident. This should include activities such as your business website being down for more than a certain length of time or evidence of information being stolen.

You may want to consider developing procedures for each job role that describe exactly what the employee in that role will be expected to do if there is an incident or emergency. Appendix E discusses what a procedure document should contain.
3.5 Recover

The Recover Function helps an organization resume normal operations after an event.

• Make full backups of important business data/information

Conduct a full, encrypted backup of the data on each computer and mobile device used in your business at least once a month, shortly after a complete virus scan. Store these backups away from your office location in a protected place so that if something happens to your office (fire, flood, tornado, theft, etc.), your data is safe. Save a copy of your encryption password or key in a secure location separate from where your backups are stored.

Backups will let you restore your data in case a computer breaks, an employee makes a mistake, or a malicious program infects your system. Without data backups, you may have to recreate your business information manually (e.g. from paper records). Data that you should back up includes (but is not limited to) word processing documents, electronic spreadsheets, databases, financial files, human resources files, accounts receivable/payable files, system logs, and other information used in or generated by your business. Back up your data rather than the software applications themselves, but keep the installation media and license keys you will need to reinstall those applications.

You can easily store backups on removable media, such as an external USB hard drive, or online using a Cloud Service Provider. If you choose to store your data online, do your due diligence when selecting a Cloud Service Provider. It is recommended that you encrypt all data prior to storing it in the Cloud. A backup drive that stays connected to the computer can be encrypted or deleted by the same ransomware that hits the computer, so disconnect removable backup media once the backup is finished.

If you use a hard drive, ensure it is large enough to hold all of your monthly backups for a year. It is helpful to create a separate folder for each of your computers. When you connect the external disk to your computer to make your backups, copy your data into the appropriate designated folder.

Test your backups immediately after generating them to ensure that the backup was successful and that you can restore the data if necessary.

• Make incremental backups of important business data/information

Conduct an automatic incremental or differential backup of each of your business computers and mobile devices at least once a week. An incremental backup records only the changes made since the last backup of any kind; a differential backup records the changes since the last full backup. In some cases, it may be prudent to conduct backups every day or every hour depending on how much information is changed or generated in that time and the potential impact of losing that information. Many security software suites offer automated backup functions that will do this on a regular schedule for you.

These backups should be stored on:

• removable media (e.g. external hard drive);
• a separate server that is isolated from the network, or
• online storage (e.g. a cloud service provider).

In general, the storage device should have enough capacity to hold data for 52 weekly backups. If each weekly backup is a full copy, that means about 52 times the amount of data that you have; incremental backups are much smaller, since each holds only what changed that week, but size the device for the full copies you keep plus a year of changes. Remember this should be done for each of your computers and mobile devices. You may choose to store your backups in multiple locations (e.g. one in the office, one in a safety deposit box across town, and one in the cloud). This provides additional security in case one of the backups is destroyed.

Periodically test your backed-up data to ensure that you can read it reliably. If you don’t test your backups, you will have no grounds for confidence that you can use them in the event of a disaster or security incident.

You may want to consider encrypting your backups. Many software applications will allow you to encrypt your backups. This provides an added layer of security and is important if your backups contain any sensitive personal or business information. Make sure to keep a copy of your encryption password or key in a secure location separate from where you keep your backups.
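The two backup bullets above and the instruction to test each backup after making it can be seen end to end in the following Python script, an added example that is not part of NIST IR 7621r1. It builds a small constructed data set in a temporary directory, takes a full backup, then an incremental backup of only what changed, and verifies each archive by restoring it and comparing SHA-256 hashes against a manifest written at backup time. Archive encryption is left out because it needs a library outside Python’s standard library; the guide’s advice to encrypt still applies.

```python
"""Full and incremental backups with a hash manifest and a restore test.

Added example, not part of NIST IR 7621r1. It builds a small
constructed data set in a temporary directory, takes a full backup,
changes the data, takes an incremental backup holding only what
changed since the full one, and verifies each archive by restoring
it to scratch space and comparing SHA-256 hashes with the manifest.
Archive encryption is not shown (it needs a library outside Python's
standard library); the guide's advice to encrypt backups still applies.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(data_dir):
    """Map relative path -> SHA-256 for every file under data_dir."""
    data_dir = Path(data_dir)
    return {p.relative_to(data_dir).as_posix(): sha256_of(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}


def backup(data_dir, archive, previous_manifest=None):
    """Archive the files changed since previous_manifest; return their hashes.

    With previous_manifest=None every file is included (a full backup);
    otherwise only new files and files whose hash changed (an incremental
    backup). The manifest is also written beside the archive so a restore
    can be checked later without the original data.
    """
    data_dir = Path(data_dir)
    prev = previous_manifest or {}
    included = {rel: h for rel, h in snapshot(data_dir).items()
                if prev.get(rel) != h}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in included:
            tar.add(data_dir / rel, arcname=rel)
    Path(f"{archive}.manifest.json").write_text(json.dumps(included, indent=1))
    return included


def verify(archive, manifest):
    """Restore archive into scratch space and check every file's hash.

    Returns a list of problems; an empty list means the archive restores
    and every file matches what was recorded when the backup was made.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse absolute paths and ".." members on Pythons that
            # support extraction filters (3.12+, and recent 3.8-3.11).
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = snapshot(scratch)
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != expected:
                problems.append(f"content differs after restore: {rel}")
    return problems


def demo():
    """Full backup, a week of changes, incremental backup, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "finance").mkdir(parents=True)
        # Constructed business data.
        (data / "finance" / "ledger.csv").write_text("date,amount\n2016-11-01,120.00\n")
        (data / "customers.txt").write_text("Acme Corp\n")
        full = Path(tmp) / "full.tar.gz"
        full_manifest = backup(data, full)
        # A week later: one file edited, one added, one untouched.
        (data / "customers.txt").write_text("Acme Corp\nGlobex\n")
        (data / "invoice-0042.txt").write_text("due 2016-12-01\n")
        incr = Path(tmp) / "incremental.tar.gz"
        incr_manifest = backup(data, incr, previous_manifest=full_manifest)
        # A manifest with a wrong hash stands in for a corrupted backup.
        bad_manifest = {**full_manifest, "customers.txt": "0" * 64}
        return {
            "full_files": sorted(full_manifest),
            "incremental_files": sorted(incr_manifest),
            "full_problems": verify(full, full_manifest),
            "incremental_problems": verify(incr, incr_manifest),
            "corruption_detected": verify(full, bad_manifest) != [],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is the part worth keeping with the backup: a restore that completes without errors proves only that the archive could be read, while matching every hash proves the data is what you backed up. Run against a corrupted or tampered archive, the same check returns the affected files instead of an empty list, which is the difference between finding out now and finding out after the disaster.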
• Consider cyber insurance

Cyber insurance is similar to other types of insurance (e.g. flood, fire) that you may have for your business. Cyber insurance may help you respond to and recover from a security incident. In some cases, cyber insurance companies may also provide cybersecurity expertise and help you identify where you are vulnerable, what kinds of actions you need to take to protect your systems, and help you investigate an incident and report it to appropriate authorities.

As you might with any type of insurance, perform due diligence when considering cyber insurance. Determine your risks (see Section 2) before purchasing a policy. Research the company offering protection, the services they provide, the type of events they cover, and ensure that they have a good reputation and will be able to meet their contractual agreement.

• Make improvements to processes / procedures / technologies

Regularly assess your processes, procedures, and technology solutions according to your risks (see Section 2). Make corrections and improvements as necessary.

You may want to consider conducting training or table-top exercises which simulate or run through a major event scenario in order to identify potential weaknesses in your processes, procedures, technology, or personnel readiness. Make corrections as needed.
Part 4, Working Safely and Securely, will be published next.