By Kurtis Waymouth, Branch Manager of our Tavistock office.

We previously discussed the new mandatory reporting requirements for data breach.

I recently had the privilege of sitting down and chatting with J-Paul Haynes, President and COO, of eSentire, about the current cyber risks against small business and the steps that should be taken to prevent these risks. 

For a bit of background; eSentire is a leader and pioneer in the cyber security industry, providing a continuous threat monitoring service to their clients. They monitor their client’s networks continuously and can detect almost instantly if a potential threat has made it through a client’s local preventative measure; firewall, anti-virus, etc. and can resolve these breaches before they become issues.

What Are The Threats?

Adware, DDOS, Ransomware, and Crypto Mining are some of the terms you may hear around the internet and on the news.  In the end, all of these are forms of malicious software that find their way onto your computer and exploit  your system for their monetary gain.  They are trying to gain personal information to steal your identity, hold your computer ransom until they receive a desired payout, force your computer to web pages you did not intend to go to, where they may have ads that when viewed provide them with payout and the list goes on and on.  Malwaretruth.com has a nice article outlining the main types of malware and defines what they are and how they act.

How Do Cyber Criminals Get In?

Getting into your system is not as easy as movies make it out to be.  Direct attacks or forceful entry through your firewalls and other preventative systems are very rarely successful and are not the tactic used to gain entry into your computer systems.  It goes far beyond furiously typing code into a computer and gaining access to major computer systems.

The vast majority of the time cyber criminals rely on their targets doing the work for them.  This is achieved by encouraging people to click on links they should not, open attachments in emails they should not have opened, etc, which is called Phishing.  Inadvertently, opening that email, or going to that web page has triggered an action which has allowed a small hardly noticeable bit of computer software into your system and may result in one of the situations listed above.  

Other times you may receive an email that appears to be from your bank or other service that you use, asking for updates to passwords or other personal information.  Under the impersonation of the real institution the information is freely given to them for their own use.  Many of us will use the same password across a multitude of the online services we use, so once a cyber criminal has access to one of your accounts, it is likely they will have access to the majority of your online information.

Are Small and Medium Sized Business Targets for Cyber Crime?

YES!  All business is at risk of various degrees of cyber attack.  In the online world there are no borders, no difference between small rural businesses and urban corporations.  Much like brick and mortar criminals, the main goal is to take advantage of your weakness to exploit you for monetary gain, and that is the extent of it. 

There are business sectors that have a higher risk of attack then others.  Financial and health services generally have the most to loose.  On the black market a health record will trade for 20 to 50 times what credit information will.  In the goal of identity theft, a health record has full names, address, mothers maiden name, which all the data needed to impersonate and identity and it is information that is not easily changed.  Theft through credit cards is much more difficult.  Credit cards are easy to shut down and many companies have extensive resources to fight against fraudulent activities.

Companies, who hold clients Personally Identifiable Information (PII), or Protected Health Information (PHI), are the most at risk of cyber loss both in terms of threats and the direct loss in privacy breach protocol. 

In the event of a possible Privacy Breach, J. Paul advised that companies should budget a minimum of $100/PII or PHI that is kept on file, to cover the direct and indirect costs after a breach.  It is important to note the locations you do business in, as each has various requirements for notification and costs.  

What Are Minimum Cyber Security Measures?

Protecting yourself from cyber threats is much like the analogy of the men running from a bear.   You don’t have the fastest, just not the slowest.  For cyber protection there is no way to protect against 100% of potential threats, the goal should be to put up as many roadblocks as you can to deter a cyber criminal from bothering with you.  For every person who takes extra steps to protect themselves online there are countless who don’t, so just by putting up the roadblocks you could save yourself a lot of headache.

As a minimum, companies should take advantage of the built in security systems provided by their operating system.  Windows systems have a built in firewall and their Windows Defender anti virus software built in.  Further to this, J-Paul advised to make the upgrade to the newest Windows 10 operating system.  Windows has adopted enhanced security protocols with the latest edition, which far surpasses earlier versions of Windows.

All companies should have a disaster recovery plan in regards to their computer systems.  This plan should include the regular backup and testing of your computer systems.  A backup should be done on an external system that is left offline unless it is operational for the purpose of the back up.  For many small companies this would be to have an external hard drive to replicate you main computer system.   The drive would then remain unplugged unless it was time to back up.  It is important to backup as frequently as you need to in order to continue business in the event of a catastrophic breach.  Testing of the backup is also very important.  Better to learn if the hard drive is failing or the information was not properly transferred when there is not risk involved, rather then finding out when you need it most.

For small companies who run standard PC systems it is advised to use a multi-user setup.  There are two types of users for Windows based systems; administrator and user.  Administrators have permission to open, run and install programs to the system.  The user level does not give the ability to install new software on the computer.  It may create an inconvenience having to switch between users to install new programs, but having the companies computer operators on a limited use level, stops them from accidently installing new software which could hold malicious software. 

For your email providers it is recommended to use Gmail or office 365.  Both these providers have implemented extensive filters that scrape all email contents looking for harmful emails, so that they never make it to the end user.  Gmail also allows users to have a double factor authentication process.  This may seem like a hassle for you, but it also is a huge hassle for anyone trying to gain access to your email.  This two step process means that once the password is input for your Gmail account, a PIN is then sent to you phone and has to be entered before you can have access to your emails.

What Should Be Done Beyond the Minimum?

For those who would like to take things beyond the minimum, which hopefully is most, there are a few more steps that should be taken.  First is to upgrade your firewall, to a product that is provided and maintained by a professional.  This is something that would require fairly regular updates as cyber threats evolve.  According to Haynes, many internet service providers can offer firewall services to their clients.  You should make sure your firewall comes with an intrusion detection system.

The next investment to make is to upgrade to a Next Generation Anti-Virus provider (NGAV).  Traditional anti-virus providers are only looking for malware that has embedded itself in your file system, are only searching for programmed known threats and generally only runs threat detection on a daily basis, unless set otherwise.  NGAV providers go beyond this, with continual monitoring, searches for all malicious behavior, and the use of artificial intelligence systems that allows the system to learn as new threats arise and predict income threats.  J. Paul highly recommends Cylance as one of the current NGAV providers on the market.  Beyond Cylance, here is a listing of the current top NGAVproviders.

If you are in the market for new computer systems eSentire highly recommends using Apple products.  The majority of computer systems used by business is Windows based, and the government bodies have done the most test hacking on Windows based systems.  Hacking methods used by the government historically always make their way into the cyber criminal community, to be used against the general public.

Apple products are not impervious to attack, but due to the lesser number of Apple computers used in business there is less drive to attack towards them.  Apple also employs a “walled garden” or closed platform model, which means that Apple keeps full control over the content and software that is able to be installed on their systems.  If malicious software is found to have bypassed their review, it will immediately be shut down.  Keeping this level of control on their systems allows them to remain strong against threat.

On a smart phone, it is highly advised to take advantage of the biometric security features built into the phone.  Much to the same note as above, the need for a figure print or a scan of your face or eyes, is a huge deterrent making the device not worth the while for attack.  Do not jailbreak or root your phone as this bypasses a lot of the built in security features, especially on the Apple products.

As noted above passwords are a general weak point in security.  It is near impossible for humans to remember a separate password for all of the different online services they are subscribed to, however it is highly recommend you do so.  Further to having more varying passwords, it is important to ensure that you change these passwords on a regular basis.  To help with this there are password manager tools that can be utilized for this.  A password manager will store and encrypt all of the passwords for your various services.

The final step you can take to protect against threat is to employ the services of a company like eSentire.  If you have highly sensitive information stored and in your care and control a Managed Detection and Response provider will work with you to stop potential threats and breaches before they become issues.

Thank you to J. Paul Haynes and eSentire for taking the time to me with me and providing an enlightening conversation.