Dom Chorafakis is the founder and principal technical consultant with Akouto, a cyber security consulting firm. Dom is actively engaged in cybersecurity research and development and has written this blog about how organizations can protect themselves from cyber attacks. Dom and I are co-presenting a webinar on cybersecurity on January 24th titled “Don’t Get Hacked and Stay Cyber Safe”.
There is no shortage of stories in the media about large corporations being hacked, resulting in the exposure of private or confidential information and huge financial losses. In the last few months alone, we’ve learned of a staggering $300M loss by FedEx resulting from a breach, the exposure of private records for 143 million Equifax customers, and organizations facing penalties like the $700K fine imposed on Hilton for lax cybersecurity and the mishandling of a breach. But what about smaller organizations? Are they also under siege or do they benefit from flying under the radar of criminal hacking groups?
According to a survey of small business owners, over two thirds of them believe they are not at risk of a cyber-attack because they are not big enough or interesting enough for hackers to take notice. Unfortunately that perception could not be further from the truth. Studies conducted by research institutes and cyber security firms show that small organizations are increasingly the target of cyber-attacks, and in fact more than half of all small and medium sized businesses in North America have already been victims. These victims have included sport organizations in Canada. In late 2016, the Canadian Centre for Ethics in Sport was hit by a cyber attack that appeared to target the global anti-doping movement.
Cost to Organizations
The cost to small organizations can be devastating. According to the National Cyber Security Alliance, up to 60% of small businesses are unable to sustain operations 6 months after a successful cyber-attack. There are a number of reasons for this, including the high cost of downtime and lost revenue, costs to repair and recover IT systems, blacklisting of hacked websites and their domains by search engines like Google, as well as fines and other costs resulting from failure to protect employee or member data.
With the proceeds of cyber-crime estimated at $1 Billion in the last 12 months, there’s very little hope that things will get better any time soon. Despite the significant rise in cyber-crime over the last few years, the majority of breaches are preventable and the damage of a successful attack can be limited with the right combination of training, cyber security policies and technology.
Cyber security is ultimately about protecting the confidentiality, integrity and availability of your information. Whether it is the files on your laptop, the messages in your hosted email inbox, or the membership data in your management application, the challenge is to make sure that information does not fall in the wrong hands, is not somehow altered or corrupted, and is available to the people who need it, when they need it.
Your information and the ecosystem in which it exists are constantly evolving: membership information is updated, hundreds or even thousands of email messages are exchanged daily, applications and data move from internal servers to the cloud, new software is installed and existing applications are updated; the digital assets your organization depend on are endlessly churning. Part of the challenge in protecting information in this environment is that most small and medium sized organizations don’t have a purposeful cyber security strategy in place. Installing anti-virus and doing a backup once a day is simply not enough. Cyber security needs to be an ongoing process that is actively managed and updated to reflect the changes to your information, its ecosystem and evolving threats. A good strategy includes the following five components.
Identify your assets
In this step you identify everything that needs to be protected. This includes all of the data and applications that are critical to your organization and information that is private or confidential. This would include:
- Accounting and business files
- Contracts and legal documents
- Employee, volunteer and member data
- Email (local copies and in the cloud)
- Website content
- Application databases
Identify threats and risks
Once you have identified all of the assets that need to be protected, each one must be evaluated individually to identify specific threats and risks that could affect it. For example, if your organization uses a database to manage membership information, threats may include:
- Information in the database being lost due to hardware failure
- Information in the database being deleted by a disgruntled employee
- Information lost due to your hosting provider going down or out of business
- Database files being encrypted by ransomware
- Hackers gaining access to confidential data through software vulnerabilities or malware
Apply security controls
Once assets and threats have been identified and prioritized, you need to select and deploy safeguards to protect your organization, starting with the biggest risks to the most valuable assets. Continuing with the example of a membership database, safeguards may include:
- Setting up automated database backups including one on-site and one off-site copy
- Using encryption to protect private or confidential information stored in the database
- Setting up a procedure to monitor software for vulnerabilities and apply patches as soon as they are available
- Setting up automatic exports of data that is hosted in the cloud
It is important to note that this phase also includes monitoring of any safeguards you put in place. For example, someone needs to periodically check application logs to see if there is suspicious activity that may indicate a hack or unauthorized access, and backup files should be periodically tested to see if they are working properly.
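The two backup-related safeguards above (an on-site plus an off-site copy, and periodically testing that backup files actually work) can be scripted so the test is not forgotten. The following is an added example, not code from the original post or from Akouto; it stands in for a database dump with a constructed file, uses a second local directory as the assumed "off-site" location, and records a SHA-256 digest at backup time so that a later restore test can detect a copy that is missing or has been silently corrupted.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, onsite_dir: Path, offsite_dir: Path, label: str) -> dict:
    """Copy `source` to an on-site and an off-site directory and write a manifest.

    The manifest stores the digest of the source at backup time; every copy is
    later checked against that digest, so the backup and the restore test do
    not share state beyond the recorded hash.
    """
    manifest = {"source": str(source), "sha256": sha256_of(source), "copies": []}
    for dest_dir in (onsite_dir, offsite_dir):
        dest_dir.mkdir(parents=True, exist_ok=True)
        dest = dest_dir / f"{source.name}.{label}.bak"
        shutil.copy2(source, dest)
        manifest["copies"].append(str(dest))
    (onsite_dir / f"{source.name}.{label}.manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_backup(manifest: dict) -> dict:
    """Restore test: each copy must exist and hash to the digest recorded at backup time."""
    results = {}
    for copy in manifest["copies"]:
        path = Path(copy)
        results[copy] = path.is_file() and sha256_of(path) == manifest["sha256"]
    return results


def backup_self_test() -> dict:
    """Run one backup cycle, then corrupt the off-site copy to show the test catching it."""
    root = Path(tempfile.mkdtemp())
    db = root / "members.db"
    # Constructed stand-in for a real database dump (assumption: any exported file works here).
    db.write_bytes(b"constructed sample membership export\n")
    manifest = make_backup(db, root / "onsite", root / "offsite", "2018-01-10")
    initial = verify_backup(manifest)
    # Simulate bit rot or a failed transfer on the off-site copy only.
    Path(manifest["copies"][1]).write_bytes(b"corrupted")
    after = verify_backup(manifest)
    return {
        "initial_ok": all(initial.values()),
        "onsite_ok_after_corruption": after[manifest["copies"][0]],
        "offsite_ok_after_corruption": after[manifest["copies"][1]],
    }


if __name__ == "__main__":
    print(backup_self_test())
```

A scheduled job would call `make_backup` daily and `verify_backup` on a slower cadence (for example weekly), alerting when any copy reports `False`; a copy that was never tested is, for planning purposes, a copy that may not exist.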
Detect and respond to incidents
No matter how many security controls are put in place, hackers will try to circumvent them and legitimate users will make mistakes that put your information at risk. It’s just as important to have policies and plans on how to detect and respond to security incidents as it is to implement safeguards to prevent them.
Timely detection of security incidents is a combination of regularly auditing assets and safeguards (for example checking log files, user accounts, security scans and other relevant information), training staff, and using technology like Intrusion Detection Systems. These detection efforts are often overlooked even by large organizations, and as a result breaches go undetected for an average of 5 to 6 months, making the scope and cost of the damage far greater than it needs to be.
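"Checking log files" is easier to keep up when the routine part is automated and a person only reviews the findings. The following is an added example, not code from the original post or from Akouto: it audits constructed sshd-style authentication log lines (the addresses and hostnames are documentation examples, not real systems), counts failed logins per source address, and flags a source that exceeds a threshold, a success that follows a run of failures from the same source, and any successful root login. The threshold and the finding categories are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in sshd/syslog format; not taken from a real host.
SAMPLE_LOG = """\
Jan 10 08:01:12 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 10 08:01:15 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jan 10 08:01:18 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 10 08:01:21 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jan 10 08:01:24 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51026 ssh2
Jan 10 08:02:01 web01 sshd[2210]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Jan 10 09:15:03 web01 sshd[2305]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jan 10 09:15:09 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40113 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def audit_auth_log(text: str, threshold: int = 5) -> list:
    """Return a list of findings worth a human's attention.

    Lines are processed in order so that a success can be compared against
    the failures seen so far from the same source address.
    """
    failures = Counter()
    failed_users = defaultdict(set)
    findings = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # unrelated or unparseable line; a real job would count these too
        outcome, user, source = match.groups()
        if outcome == "Failed":
            failures[source] += 1
            failed_users[source].add(user)
            continue
        if failures[source] >= threshold:
            findings.append({"type": "success_after_failures", "source": source,
                             "user": user, "failures": failures[source]})
        if user == "root":
            findings.append({"type": "root_login", "source": source, "user": user})
    for source, count in failures.items():
        if count >= threshold:
            findings.append({"type": "brute_force", "source": source, "failures": count,
                             "users": sorted(failed_users[source])})
    return findings


if __name__ == "__main__":
    for finding in audit_auth_log(SAMPLE_LOG):
        print(finding)
```

On the sample above the audit reports three findings, all tied to one source address, while alice's single typo followed by a key-based login produces nothing; raising the threshold to 6 leaves only the root login flagged. Tuning that threshold against a few weeks of your own logs is part of the "review and adjust" step.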
Anticipating that security incidents will occur, you need to have a plan in place on how to respond to them once detected. Elements of a response plan include:
- Names, roles and responsibilities of your cyber incident response team
- Who should be notified when an incident is detected
- What steps should be followed when an incident occurs to appropriately assess it, collect the required information and take corrective action
- What steps must be taken to notify and protect users impacted by a privacy breach
Review and adjust
The final component of a good cyber security strategy is to review and adjust it on an ongoing basis. There's no formula for this: the frequency and scope depend on several factors, including the nature and sensitivity of the information being protected, government or industry regulations, the complexity of the IT infrastructure and many others. At a minimum your security strategy should be reviewed:
- Periodically at an interval that makes sense for your organization, for example every 6 months;
- Whenever there is a change to the nature or scope of the information being protected or the technology around it; and
- Every time there is a security incident.
For many small and medium organizations, all of this can sound too complicated or too time consuming to take on, but it doesn't have to be. Ignoring the threat is simply no longer an option: governments around the world, including Canada, are enacting legislation holding organizations responsible for protecting the confidential and private information of their employees, volunteers, members and customers.
In Canada, the Department of Public Safety and Emergency Preparedness and the RCMP both provide free online resources to help smaller organizations get started with cyber security. With the threats and technology constantly changing, your organization could also benefit from working with a cybersecurity professional to bring an outside perspective and help develop a plan that is tailored for your organization’s budget and resources.
We’ll be exploring how hackers breach organizations and we will provide you with practical information and resources you can use to prevent these breaches in our upcoming webinar titled “Don’t get hacked and stay cyber safe” on January 24th at noon EST. You can register at this link.