Back in February, the Mandiant security company exposed and documented six years of cyber espionage, unremitting online intellectual property theft, and (let’s face it) cyberwarfare conducted by a unit of China’s People’s Liberation Army (or an entity closely associated with it) against some of the biggest corporations in the West, including 115 U.S. blue chip firms. As breathtaking and sustained as these attacks are, they are but a single campaign in a continual and widespread cyberwar. Symantec Corporation reported in May 2012 that its software had blocked more than 5.5 billion malicious attacks the year before, and in 2012, U.S. Navy sources reported seeing “110,000 cyber attacks [against Navy networks] every hour, or more than 30 every single second.” In August of 2012, NSA director and commander of the United States Cyber Security Command General Keith Alexander cited a highly controversial estimate from McAfee Security pegging the global cost of cyber attacks at $1 trillion a year.
In response to the onslaught, the biggest corporations have taken costly steps to harden their cyber defenses. That’s a good thing, but it has led attackers to turn their attention to softer targets, namely businesses of small and medium size, businesses that lack the personnel and funding resources to create state-of-the-art cyber defenses.
Scary and depressing? Yes, but buck up. There are low-cost and no-cost measures even the smallest businesses can take to provide very real protection.
Understand that both the threat and the defense against it come down to just two elements: your cyber stuff (software and hardware) and your people. Even the smallest business can make both more secure.
Start with your software. First, upgrade all the computers in your shop to the latest OS—not just to get the newest bells and whistles or even to benefit from improvements in stability, but mainly because the newest OS iterations are almost always the most secure. After upgrading, configure all security updates for automatic installation. Malware evolves continually. Security patching struggles to keep up, and automatic updating keeps your defenses as up to date as your software vendor manages to be. Of course, you also need to install antimalware software and set that to update automatically as well. Finally, use an e-mail provider that offers virus and phishing scans. Sure, you can—and most definitely should—install on each of your computers antimalware software that scans incoming and outgoing messages. It is, however, more effective to scan e-mail that has already been filtered by your provider. This dual approach will increase the effectiveness of your defenses while decreasing the stress on you and your employees.
Next, turn to your people. Determine who among your employees should be entrusted with the “keys” to your company’s servers and computers—the administrator privileges, the highest level of access, which allows the installation of new software and the changing of configuration settings. By limiting such privileges to the fewest possible employees, you reduce the number of individuals onsite who can (accidentally or purposely) upload malicious software or configure a system to reduce security.
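Knowing who actually holds the "keys" is the first step in limiting them. The script below is an added example, not part of the original article: it parses `/etc/group`-style text (a constructed sample is embedded; a real file path can be passed on the command line), lists every account that belongs to an administrator-level group, and flags any account that is not on an approved list. The set of privileged group names and the approved list are assumptions for this example; on other systems the equivalent is whatever local group grants administrative rights.

```python
"""Audit administrator-level group membership (added example, not from the article)."""
import sys
from typing import Dict, List, Set

# Groups that convey administrator-equivalent rights on common Linux
# distributions (assumption for this example; adjust to your systems).
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Constructed sample of /etc/group content used when no file is given.
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice,carol
admin:x:80:dave
staff:x:50:alice,bob,carol,dave,erin
"""


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map each group name to its member list (empty list if none).

    Note: a user's primary group (from /etc/passwd) is not listed here,
    which is why the root group above shows no members.
    """
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        name, members = fields[0], fields[3]
        groups[name] = [m for m in members.split(",") if m]
    return groups


def privileged_accounts(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return {account: set of privileged groups it belongs to}."""
    result: Dict[str, Set[str]] = {}
    for group, members in groups.items():
        if group not in PRIVILEGED_GROUPS:
            continue
        for member in members:
            result.setdefault(member, set()).add(group)
    return result


def unapproved_admins(groups: Dict[str, List[str]], approved: Set[str]) -> Set[str]:
    """Accounts holding admin-level membership that are not on the approved list."""
    return set(privileged_accounts(groups)) - approved


if __name__ == "__main__":
    # Read a real /etc/group if a path is given; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GROUP_FILE
    groups = parse_group_file(text)
    approved = {"alice"}  # assumed approved-administrator list
    for account, grps in sorted(privileged_accounts(groups).items()):
        print(f"{account}: {', '.join(sorted(grps))}")
    print("Not on approved admin list:", sorted(unapproved_admins(groups, approved)))
```

Run it periodically and treat any name in the "not on approved list" output as something to investigate: either the account was granted rights nobody recorded, or the approved list is out of date.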
While administrator privileges should be jealously guarded, every employee must be trained in safe computing practices. Since most advanced persistent threat (APT) attacks require some user to surf to an illicit website, to open a malicious attachment, or to click on a booby-trapped link in an e-mail, educate employees about the dangers of social engineering.
Set clear policies on the use of laptops, tablets, and mobile devices outside the office. Restrict the use of flash drives and the like. If employees must travel, consider providing them with laptops or tablets that carry the bare minimum of data, if any at all. Employees can access needed data files in the cloud, without downloading anything onto the machine. Stolen portable devices are a leading cause of critical data breaches. (However, do educate employees about the dangers of accessing cloud-stored data via unsecured wireless networks in airports, cafes, and so on.)
Insist that everyone use passwords—strong passwords seriously guarded. Provide appropriate training.
You may find it helpful to restrict web surfing on company computers and smartphones. Restriction may come in the form of a list of off-limits websites, or you may wish to invest in a web proxy to filter either specific web addresses or categories of addresses.
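Whether you keep a plain list of off-limits sites or buy a proxy that filters by category, the decision the filter makes is the same. The code below is an added example, not from the article or any particular proxy product: it shows that check for both styles of policy, blocking a domain together with all of its subdomains without accidentally blocking a different domain that merely ends with the same letters. The blocklist, category assignments and sample requests are constructed for the example (the `.test` domains are reserved names).

```python
"""Minimal URL policy check of the kind a web proxy applies (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy for this example.
BLOCKED_DOMAINS = {"malware-example.test", "phish-example.test"}
DOMAIN_CATEGORIES: Dict[str, str] = {
    "gambling-example.test": "gambling",
    "social-example.test": "social",
    "news-example.test": "news",
}
BLOCKED_CATEGORIES = {"gambling", "social"}


def _host_of(url: str) -> Optional[str]:
    """Extract the lowercase host name, or None if the request has no host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # already lowercased by urlsplit
    return host.rstrip(".") if host else None  # drop a trailing dot (FQDN form)


def _matches_domain(host: str, domain: str) -> bool:
    """True if host is the domain or one of its subdomains.

    The leading dot matters: 'notmalware-example.test' must not match
    a block on 'malware-example.test'.
    """
    return host == domain or host.endswith("." + domain)


def check_url(url: str) -> Tuple[str, str]:
    """Return ("deny" | "allow", reason) for one requested URL."""
    host = _host_of(url)
    if host is None:
        return "deny", "no host in request"
    for domain in BLOCKED_DOMAINS:
        if _matches_domain(host, domain):
            return "deny", f"domain {domain} is on the blocklist"
    for domain, category in DOMAIN_CATEGORIES.items():
        if _matches_domain(host, domain) and category in BLOCKED_CATEGORIES:
            return "deny", f"category '{category}' is blocked"
    return "allow", "no policy match"


def filter_requests(urls: List[str]) -> Dict[str, str]:
    """Apply check_url to a batch of requests; returns {url: decision}."""
    return {u: check_url(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        "http://www.malware-example.test/login",
        "https://notmalware-example.test/",
        "gambling-example.test",
        "https://news-example.test/today",
        "http://MALWARE-EXAMPLE.TEST./",
    ]
    for u in sample:
        decision, why = check_url(u)
        print(f"{decision:5}  {u}  ({why})")
```

Category filtering is only as good as the category data behind it, which is the part a commercial proxy supplies; the matching logic itself, as shown, is small enough to review line by line.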
Finally: Don’t just instruct your people. Inspire them. Ensure that everyone feels like a member of a team on which the security and welfare of one is the security and welfare of all.
These are the lowest-cost and most cost-effective basic security measures your small to medium business can adopt. If your business is sufficiently complex to warrant even a small IT staff, you may also want to take steps to reduce the number of gateways by which you connect to the Internet and to ensure that all gateways are managed by one IT person or group. The fewer points of entry and exit, the easier it is to provide security. In addition, since most APT attacks begin with the compromise of just one networked asset (PC, laptop, tablet, or smartphone), reduce the number of devices that have administrative access to your company’s servers.
Government and military agencies seeking the highest possible level of cyber security “air gap” computers that store their most sensitive data. This means putting all drop-dead confidential or proprietary data on computers that are not physically or wirelessly connected to the Internet or even to the company intranet. Is this inconvenient? You bet. Is it necessary? Weigh the consequences of a data breach against the inconvenience of data non-availability online. Then answer the question for yourself.
Believe it or not, there is an upside to all of this fully justified and absolutely necessary paranoia. Providing your employees with the software tools they need to be secure and educating and inspiring them to defend the data on which the welfare of the enterprise depends enhances group identity and gives everyone in the organization a very personal stake in its collective success. Call it security—or call it team building.
June 13, 2013