Strategy, Info System Security | Russell Mickler

The 10 Worst Small Business Security Habits

Small businesses are usually pretty bad at managing their information resources. Here's a list of the 10 worst security habits a small business might have concerning the management of its information system.

I recently gave a presentation on this topic to my business networking group, and I wanted to take a few minutes to expand on these issues. I think they're important for everyone - not just small businesses - but, as I consult for a living, these are the kind of problems that I find most prevalent in my line of work. 

I really have no sympathy for business owners or users that fail to attend to these details - ultimately, they are the victims of their own behaviors and inattention to managing the IT problem. After all, it's their job to manage these problems, and experts like me can help if they're willing, but you can't force somebody to do the right thing; they've got to want it for themselves and put in the work. They've got to make it a priority. Still, the people I am concerned about are the victims of their inattention (their employees, their customers) whose personal private information is made more vulnerable because of their lack of leadership in these areas.

1. Poor Authentication. 

  • The organization doesn't place an emphasis on using complex passwords on websites, computers, tablets, phones, or other devices;
  • Users in the organization are allowed to choose their own non-complex passwords, possibly reusing a password from their personal life, which exposes the company;
  • Passwords are used on many services and devices, and aren't unique;
  • The organization doesn't enable features like 2-factor authentication that could help better secure their digital assets;
  • Simply, the organization or individual doesn't take authentication seriously even though most of their digital assets are on mobile devices or available in the Cloud and not protected behind their own firewall. It's an inexcusable lack of attention to a basic problem; they make their authentication mechanism as convenient as possible rather than as secure as possible, and that's why they get hacked. 

2. No Audits, Testing, Quarterly Maintenance.

  • The organization never audits its assets and controls; it wrongly believes that threats never change and that what it did yesterday protects them from tomorrow;
  • Confidence in our safeguards and controls is a process; it's not a set-it-once and walk away issue - we must constantly be looking at our vulnerability and implementing corrective action;
  • If we never audit, test, or maintain our systems, we assume nothing is wrong; it's precisely that assumption and laziness that can be exploited by hackers.

3. No Encryption.

  • Today, with encryption technology so pervasive and available on nearly every microcomputer, application, and (soon) phone, there's no excuse whatsoever not to encrypt everything.

4. Reliance on Role-Based User Accounts.

  • For their convenience, organizations will create accounts in their information system that reflect roles rather than people (example: accounting, invoices, payables, contracts, etc);
  • These accounts exist because users feel it's easier to have the function log in rather than the person, and when people leave the organization, the records created under the role remain;
  • One problem with this approach is that the account's credentials never change (that is part of the convenience), which exposes the company after an employee leaves the firm. The more significant problem lies in the realm of audits: how can you audit anything in an information system when all it reports is "accounting did this" or "accounting did that"? We don't know the who behind it, and anyone who knows that account's password is a suspect;
  • Role-based account setups are a cheat: they harm the company because there's no system that allows us to prove who did what, when, and how, and they create a lazy habit for managing user attrition; every user should be uniquely identified at all times.

5. Using Physical Mail.

  • Companies that rely on physical mail delivered to an unsecured mailbox invite trouble and fraud - from internal aggressors like employees, or from external aggressors;
  • Just like consumers, small businesses can be the victims of identity theft, and organizations should do everything in their power to automate payment systems so as to reduce all physical mail to what it truly is (junk).

6. No Testing or Verification of Backups.

  • The company presumes their backup processes are working, or, presumes that they have adequate coverage for their recovery objectives (alas, many companies don't even understand what kind of recovery time-frame or data they would need to perform a recovery in the event of a disaster);
  • Instead of making these assumptions, the astute manager would define what kinds of data and system would need to be operable under the auspices of a Disaster Recovery Plan (DRP); defining needs and verifying that systems are in place to meet those needs is just part of good management.
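To make item 6 concrete, here is an added example (not code from the original post) of what a backup verification test looks like: it builds a constructed sample dataset, archives it, restores the archive into a scratch directory, compares the SHA-256 hash of every file against the live data, and checks the archive's age against a recovery point objective. The file names, contents and the 24-hour RPO are assumptions chosen for illustration.

```python
"""Restore-and-compare backup verification (added example; sample data is constructed)."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Archive the source tree as a gzip tarball (stand-in for the nightly backup job)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def verify_backup(source: Path, archive: Path, rpo_hours: float) -> dict:
    """Restore the archive into a temporary directory and compare it with the live data.

    'ok' is True only when every live file is present with an identical hash
    and the archive is no older than the recovery point objective.
    """
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restored, filter="data")  # refuse unsafe paths (Python 3.12+)
            except TypeError:  # older Python without the filter argument
                tar.extractall(restored)
        expected = sha256_tree(source)
        actual = sha256_tree(restored)
    missing = sorted(set(expected) - set(actual))              # in live data, not in backup
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))                # in backup, deleted since
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    within_rpo = age_hours <= rpo_hours
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "age_hours": age_hours,
        "within_rpo": within_rpo,
        "ok": not missing and not corrupted and within_rpo,
    }


def demo() -> tuple:
    """Run the check once right after a backup, then again after the live data changes."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "accounts").mkdir(parents=True)
        # Constructed sample files standing in for real business data.
        (data / "accounts" / "ledger.csv").write_text("id,balance\n1,100\n")
        (data / "notes.txt").write_text("constructed sample file\n")
        archive = work / "nightly.tar.gz"
        make_backup(data, archive)
        good = verify_backup(data, archive, rpo_hours=24)
        # Simulate work done after the backup ran: one file edited, one created.
        (data / "accounts" / "ledger.csv").write_text("id,balance\n1,250\n")
        (data / "new.txt").write_text("created after backup\n")
        stale = verify_backup(data, archive, rpo_hours=24)
    return good, stale


if __name__ == "__main__":
    fresh, later = demo()
    print("right after backup:", fresh["ok"])
    print("after changes:", later["ok"], "missing:", later["missing"], "corrupted:", later["corrupted"])
```

The second report is the one that matters in practice: it shows which live files a restore would not bring back, which is exactly the question a recovery objective is supposed to answer before a disaster rather than after.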

7. No Understanding of Legal Obligations.

  • I'm often shocked at what little understanding business owners have concerning classified forms of information, and their obligations in managing it;
  • There are state and federal laws governing these issues - and the obligation for reporting breach - yet often the small business owner is entirely oblivious;
  • Not only does that threaten the business in the context of negligence and liability, but it's a failure of a social obligation that the business has to safeguard data, which is why there have been laws created to protect it;
  • Ignoring the law or shrugging off a legal obligation because they don't understand something is useless ("ignorance of the law is not a legal defense"), and sentiments like "government intrusion" are attempts to dismiss their responsibility; again, I go back to the real victims: the people who do business with them, and their employees.

8. No Filtering.

  • Filtering is a defensive tactic that stops unwanted content from being delivered to or seen by users;
  • Basic filtering of email traffic can help reduce spam, phishing, and virus attacks, yet many small businesses are still using standard POP3 or IMAP mail clients without server-side filtering on mail delivery;
  • Meanwhile, web traffic can be easily filtered with free services like OpenDNS, workstation security software, or, commercial services offered by vendors like Sonicwall;
  • No filtering just lets everything in to trusted spaces - rather, proactively, we should select for what we want our organization to see. That's just good management.

9. Leave Laptop/Phone/Tablet Unattended.

  • Aside from not securing these devices with encryption or pass-phrases, users will leave them in their car, sitting on a table in a restaurant, with a co-worker, or sitting at an airport;
  • This inattention stems from the problem of perceived value - some of the biggest, most scary data breaches come from unencrypted laptops left at an airport that just happened to hold 10,000 records of payroll data; what was the user thinking? Why put that data on an unencrypted, unsecured device anyway? What would happen if that device or USB stick was lost?
  • And the answer is that they weren't thinking of anything other than their convenience and not the real consequences of their actions. Employees should be trained about the value of information, and the costs associated with its potential loss or destruction.

10. No Policies, Procedures, or Work Instructions (No Plan). 

  • Finally, organizations that don't create Administrative Controls (like policies, procedures, or work instructions) governing these issues plan to fail at managing them; management never gave voice to their intention; management never trained its employees on their intention; management never clarified its intention;
  • The legal concept of Due Care obligates managers to understand and to respond to the risks under which their organization operates; if they never investigate those risks and develop, audit, and maintain controls, or communicate their expectations to staff, that's not management at all. It's negligence.

R


Info System Security, Social Media | Russell Mickler

Turn Off Creepy Facebook Nearby Friends

Okay ... Facebook will, by default, share your location with nearby friends unless you turn off the feature.

What's Nearby Friends? Glad you asked. It's a feature where Facebook uses the geolocation info from your phone to report where you are and whether any of your pals are nearby.

Intrusive? Maybe! If you want to turn it off, here's what you do: 

1. Sign into your Facebook app on your phone. 

2. Go to More and select Nearby Friends.


3. Now, once there, go up to the gear on the right hand side: 


4. And then turn off Nearby Friends:


Aw you're such a party pooper.

Anyway, if you ever wanted to turn it back on, you could. Just reverse the steps and flip the switch. You'd be the life of the party all over again. 

Remember: it's not that Facebook's evil, they just think you want to be the most public person possible. You're able to control this capability on your own. That's a company thinking about privacy as an option :)

R

Management, Info System Security, Systems | Russell Mickler

Losing a Cell Phone is a Data Breach

Technology Consultant Russell Mickler of Vancouver, WA explains how losing a cell phone constitutes a potential data breach of unencrypted personal private information (PPI), and how small businesses need to respond to it.

Just Another Bad Day At The Office ...

The other day, a business associate told me a terrible story about losing his cell phone. He placed it on the roof of his car and it probably slid off and flew into the street. I was empathetic, but at the same time, I asked a critical question: "Did you perform any business on this phone?"

He answered that he did. I started asking a bit more. "Do you think any of the emails on your phone had names of people, personal private data like addresses and phone numbers, and account information with your institution?"

Sadly, his smile began to fade as he started to see where I was going with this line of reasoning. "My friend, you've got a data breach situation on your hands."

... Just Got a Whole Lot Worse

A data breach is a condition where unencrypted Personal Private Information (PPI) is suspected of being compromised, or falls out of the control of its owner.

Most States have data breach laws that require reporting and disclosure of a data breach affecting their citizens. If you're a small business in Washington State, you're subject to RCW 19.255.010 governing data breach reporting to affected Washington citizens.

Unfortunately, there isn't a national data breach law: each and every state has its own standard, which makes it very difficult to do business in this country. Example: if you're a Washington State company that does business with consumers in the State of Oregon, you're also governed by the ORS 646A.600 Oregon Consumer Identity Theft Protection Act. You'd have to respond to both states and their requirements equally.

Cell phones and other mobile devices (tablets, laptops, wearable computers) are unencrypted storage devices and might contain classified forms of PPI covered in the statute.

Unencrypted means that the data stored on the device isn't scrambled to keep an unauthorized person from reading it, and sadly, adding a passcode or fingerprint lock to your cell does not encrypt the contents of the device.

Generally, in the State of Washington, if your mobile device contains email, notes, documents, or contact information that draws a line between a first and last name and:

  • Social Security Number
  • Driver's License Number or Washington Identification Card Number
  • Account Number or Debit Card Number (in combination with any access password or PIN)

As a remedy, Washington State requires that you provide immediate notification to all affected parties, in one of several possible forms, for a breach consisting of fewer than 500,000 records:

  • Written response
  • Electronic notice ... "consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. Sec. 7001"

And the law also specifically addresses the company's liability to consumer civil action to recover damages, exposing the company to lawsuit for things like identity theft. (And BTW: do note that these laws are a baseline, not covering anything federally recognized as classified forms of information like HIPAA, FERPA, or GLB.)
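The elements listed above (a first and last name combined with an SSN, a driver's license or state ID number, or an account number together with its PIN or password) can be turned into a triage check that a business could run over whatever contacts and notes were synced to a lost phone. The following is an added example, not part of the original post and not a statement of the statute: the record layout, the field names, the SSN pattern and the sample records are all constructed for illustration, and it treats a device as notifiable only when the data was unencrypted, matching the post's definition of a breach.

```python
"""Triage of records from a lost device against the notification elements the post lists.
Added example; field names, patterns and sample data are constructed, not from the statute."""
import re

# Constructed pattern: a US SSN with or without dashes. Real data is messier.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# The post: a breach of fewer than this many records calls for written or electronic notice.
INDIVIDUAL_NOTICE_THRESHOLD = 500_000


def triggering_elements(record: dict) -> list:
    """Return the listed data elements this record ties to a first and last name.

    Without both name parts there is no linkage, so nothing triggers.
    """
    if not (record.get("first_name") and record.get("last_name")):
        return []
    elements = []
    if SSN_RE.match(record.get("ssn") or ""):
        elements.append("ssn")
    if record.get("dl_number"):
        elements.append("drivers_license_or_state_id")
    # An account or debit card number only counts together with its PIN or password.
    if record.get("account_number") and (record.get("pin") or record.get("password")):
        elements.append("account_number_with_access_code")
    return elements


def breach_assessment(records: list, device_encrypted: bool) -> dict:
    """Summarise who would need to be notified if these records left the owner's control.

    Assumption: 'device_encrypted' means whole-device encryption of the stored data,
    in which case the post's definition (unencrypted PPI) is not met.
    """
    affected = {}
    if not device_encrypted:
        for rec in records:
            elements = triggering_elements(rec)
            if elements:
                person = (rec["first_name"].lower(), rec["last_name"].lower())
                affected.setdefault(person, set()).update(elements)
    count = len(affected)
    return {
        "affected_individuals": count,
        "notification_required": count > 0,
        "individual_notice_applies": 0 < count < INDIVIDUAL_NOTICE_THRESHOLD,
        "elements_by_person": {f"{f} {l}": sorted(e) for (f, l), e in affected.items()},
    }


# Constructed, fictitious records standing in for contacts, notes and emails on a phone.
SAMPLE_RECORDS = [
    {"first_name": "Alice", "last_name": "Example", "ssn": "123-45-6789"},
    {"first_name": "Bob", "last_name": "Example", "account_number": "4400000123"},  # no PIN: not triggering
    {"first_name": "Carol", "last_name": "Example", "account_number": "4400000124", "pin": "1234"},
    {"first_name": "Dan", "last_name": "Example", "dl_number": "DL-NUMBER-PLACEHOLDER"},
    {"last_name": "Example", "ssn": "987-65-4321"},  # no first name: no name linkage
    {"first_name": "Alice", "last_name": "Example", "account_number": "4400000125", "password": "hunter2"},
]


if __name__ == "__main__":
    for encrypted in (False, True):
        report = breach_assessment(SAMPLE_RECORDS, device_encrypted=encrypted)
        print(f"device encrypted={encrypted}:", report)
```

Run as a script it prints two reports: on an unencrypted device three distinct people would need notice (Bob's bare account number and the nameless SSN do not qualify under the listed elements), while the encrypted case yields none. The same records also show why the data classification policy in the post's preventative measures matters: if restricted elements never reach a mobile device, the triage never has anything to find.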

But Think Bigger Than the Law - Think About Your Social Obligation

The letter of the law is fairly specific, limited, and even provides exclusions for public information that could be obtained from governments and other sources.

But think about it. What if it was your PPI, your kid's PPI, the private checking account information of your company (although it didn't have a PIN or passphrase)? Wouldn't you want to know about the data breach so that you could take reasonable precautions to protect yourself?

It's kind of like the recent automaker testimony before Congress. If you knew about something but didn't take action - didn't go above the letter of the law and embrace the spirit of the law - doesn't that violate a social obligation? Ruin public trust? If any form of sensitive information fell out of your control, shouldn't you be notifying those affected, and keeping a record of your social response so that you can justify your transparency and defend yourself from civil litigation, or embarrassing allegations of concealing your negligence?

What's worse: admitting to the problem, taking ownership of it, and being seen as a leader who accepts responsibility and seeks remedies? Or being caught in a cover-up? Or having somebody somewhere else damaged because you didn't take reasonable steps to notify them of the breach?

Preventative Measures

Okay, how can we be proactive about this stuff? Make sure it doesn't happen in the first place? 

  1. Have a Security Policy. A document from your executive management that describes what your company does during a data breach and how it will respond. This document will demonstrate management's awareness of their obligations as custodians of PPI.
     
  2. Have a Data Classification Policy. A document that classifies certain kinds of information within a company as being more or less sensitive, and dictates the kinds of controls and accessibility it should have. Example: this policy should state that SSNs, account numbers, WA Driver's License Numbers, and access codes are restricted forms of information, and should never be transmitted out of an encrypted state or to a mobile device. Ever. This document will demonstrate management's specific instructions on how to handle classified forms of PPI.
     
  3. Training. You must communicate your intentions and train your staff so that they understand the risks and obligations taken on by your firm, and, how data breach affects them as individuals.
     
  4. Audits. Periodically review the Technical Controls that enable these policies. Review cell phones of employees. Put in the necessary technical precautions to prevent 

These are best-practice approaches to illustrating management's intention, recognizing their obligation, proactively identifying what forms of information should be classified and how they should be treated, training staff, and auditing compliance.

Without these instruments or practices, the company is at best a poor custodian and at worst negligent, seriously exposing the firm to civil action from consumers damaged by identity theft.

R
