Working man blues
Earlier this week the Federal Trade Commission (FTC), the self-proclaimed consumer protection watchdog, launched a new website aimed at helping small businesses buff up cybersecurity practices. The goal is to assist modest-sized organizations with limited resources keep operations running smoothly, even in the absence of a full-blown security department (or any security department at all). You’ve heard this statistic before, yes?
“60 percent of small businesses that suffer a cyber attack will go out of business within six months.”
It’s actually untrue, likely concocted by some marketing team that wanted to advance the idea of how important it is to protect one’s business from cybercrime and data loss. Irrespective of this contrived “data point,” cybercrime is a growing industry, and even without the help of cybercriminals, the more digital data organizations store, the more probable it is that some form of loss or misuse will occur.
I keep my nose on the grindstone
In many ways, small businesses are just like big businesses: They want to acquire and service customers. They collect customer and prospect data to every extent possible. But when it comes to storing or using that data, they are often dependent on niche tools that aren’t as security-conscious as the Amazons or SalesForces of the world. Very small businesses—one- or ten-person proprietorships—may depend on consumer-grade, low-cost or free tools that themselves don’t have an abundance of security baked in. Think of your local bakery or coffee shop, that quaint B&B by the lake where you stayed that one time, the artists’ co-op from which you buy birthday and wedding gifts because what the co-op sells is unique and personal. Those businesses often don’t have the funds—or even the inclination—to buy and use the most secure products and services to manage customers or transactions, and don’t have an IT department, let alone on-staff security experts, to guide cybersecurity practices.
What small businesses do have, though, is data. Presumably, they don’t have as much data as the Amazons or SalesForces of the world, but the data they do have is just as sensitive and important to secure.
The new small business-focused website is a great resource, but it’s not just a great resource for small businesses. The information the FTC provides over several sections of the website is an excellent reminder or checklist for larger organizations, too.
I work hard every day
Every major security breach seen to date has included failings in security fundamentals. Despite best (or stated) efforts, companies of all sizes and resource levels routinely fall down when it comes to critical controls, starting with asset inventory, restricting data access, and setting up secure configurations 100% of the time, then progressing through regular vulnerability testing, maintaining adequate data backups, and continuous monitoring.
On its website, the FTC shrewdly advises businesses to “Start with Security.” It’s something the security industry talks about frequently. As is well known, however, security is often not the first thing business colleagues think about when developing a new product or application, or even when buying new technology. Admittedly, maintaining control over what is added or implemented is easier in a small business because it’s less likely that individual stakeholders will be excluded from major business discussions. However, by no stretch does this mean that small businesses have an easier time instituting security solutions.
Regardless of your organization’s size, the FTC’s guidance is sound:
“When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant… you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.”
I might get a little tired on the weekend
The Commission then outlines these ten steps small businesses can take to make security part of routine operations:
- Start with security
- Control access to data sensibly
- Require secure passwords and authentication
- Store sensitive personal information securely and protect it during transmission
- Segment your network and monitor who’s trying to get in and out
- Secure remote access to your network
- Apply sound security practices when developing new products
- Make sure your service providers implement reasonable security measures
- Put procedures in place to keep your security current and address vulnerabilities that may arise
- Secure paper, physical media, and devices
Subsequent pages detail actions small businesses can take to protect sensitive information, including:
- Know what data is collected and where and how it is stored
- Review collection, storage, and retention policies
- Patch systems and software as soon as possible
- Back up data (and test those backups)
- Implement two-factor authentication
- Use encryption and firewalls
- Secure wireless access
- Limit data and network access
One area of advice that might meet some disagreement from the security community is the FTC’s guidance on passwords. In this section, the FTC recommends: “Use strong passwords. The longer, the better – at least 12 characters. Complexity also helps strengthen a password. Mix numbers, symbols, and capital letters into the middle of the password, not at the beginning or end.”
NIST, the U.S. Department of Commerce’s leading authority on technology use, recently revised its guidance on passwords, writing that previous password recommendations, notably, the recommendation to “choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol,” is not as beneficial as formerly thought. NIST continues to say that complexity requirements, as a matter of fact, have a negative impact on usability and memorability and that a “somewhat simpler approach, based primarily on password length” is recommended. (It seems to this author that twelve characters aren't sufficiently long, but we’ll leave that argument for another date and time.)
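To make the difference between the two approaches concrete, here is an added example (not code from the FTC, NIST, or the author) that checks a password against each policy as the post summarizes it. The FTC rule is the quoted one: at least 12 characters, with a number, symbol and capital letter in the middle rather than at the ends. The NIST-style rule is length-first with no composition requirement, plus a rejection of values that match a blocklist of commonly used passwords. The five-entry blocklist, the sample passwords, the leetspeak normalization table and the substring matching are all constructed for illustration and go beyond what either guidance document literally specifies; a real deployment would use a large breach-derived list.

```python
"""Compare an FTC-style composition rule with a NIST-style length-plus-blocklist rule."""
import string
from typing import List

# Constructed stand-in for a breach-derived blocklist (illustration only).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Assumed leetspeak substitutions; attackers already try these, so a check
# that ignores them would wave "P@ssw0rd"-style values through.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def ftc_check(pw: str) -> List[str]:
    """Return the FTC rules the password violates (empty list means it passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("fewer than 12 characters")
    interior = pw[1:-1]  # "the middle": everything except first and last character
    if not any(c.isdigit() for c in interior):
        problems.append("no number in the middle")
    if not any(c.isupper() for c in interior):
        problems.append("no capital letter in the middle")
    if not any(c in string.punctuation for c in interior):
        problems.append("no symbol in the middle")
    return problems


def nist_check(pw: str, min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return the NIST-style rules the password violates (empty list means it passes).

    No composition rules; length bounds plus a blocklist lookup. The lookup
    normalizes the value first (lower-case, strip trailing digits/symbols,
    undo leetspeak) and then looks for any blocklisted word inside it, which
    is a stricter variant of the exact-match check NIST describes.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"fewer than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"more than {max_len} characters")
    normalized = pw.lower().strip(string.punctuation + string.digits).translate(LEET)
    if any(word in normalized for word in BLOCKLIST):
        problems.append("matches a blocklisted password")
    return problems


def compare(pw: str) -> dict:
    """Run both checks and report the violations under each policy."""
    return {"ftc": ftc_check(pw), "nist": nist_check(pw)}


# Constructed sample passwords, chosen to show where the two policies disagree.
SAMPLES = [
    "xP@ssw0rd!xy",                   # satisfies every FTC rule, but is "password" in disguise
    "correct horse battery staple",   # long passphrase: fails FTC composition, passes NIST
    "Welcome1!",                      # fails both: too short, and a dressed-up blocklist entry
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = compare(sample)
        print(f"{sample!r}")
        print(f"  FTC : {result['ftc'] or 'pass'}")
        print(f"  NIST: {result['nist'] or 'pass'}")
```

The first sample is the point of the NIST revision: composition rules push users toward predictable substitutions that a breach-aware blocklist catches and a character-class rule does not, while the passphrase that the length-first rule accepts is rejected by the FTC rule for lacking a digit, symbol and capital in its interior.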
After I draw my pay
If your security team is large, well-funded, and has ample resources to cover all the security basics, it’s still likely that the fundamentals are not adequately addressed. If history is any indication, major breaches at leading companies will continue as a result of lack of attention to critical controls. Security “basics” are not a new concept, nor are they the sexy part of the job, but there’s a reason they’re the basics: they are the foundation upon which all other security tools, techniques, and processes are (should be) built. The basics are just what they claim to be: the most elemental part of a security program.
This new FTC website and guidance should serve as a reminder to security teams of every ilk that breaches can and will happen. The most successful organizations are those that proactively put effort into foundational elements. Doing so may not be as easy as a checklist, but it’s a good place to start.