In today’s bustling world one would be hard pressed to walk into a business without some type of technology present. Even a small town café usually has a credit card reader, a website, a cash register, and occasionally wireless internet. Then there are larger department stores with online shopping options, store credit cards, rewards programs, and smart cash register terminals that hold all kinds of information about their customers, from phone numbers and addresses to purchase histories and preferences. These are just a few examples of retail businesses. Industries of all types, small and large, must also maintain and secure many different kinds of hardware, software, networks, and web technology depending on their individual mission and infrastructure. Personal and proprietary business information is everywhere! A report from the CSRIC on cyber security best practices of 2010 noted that “security incidents from federal agencies are on the rise, increasing by over 400 percent from fiscal years 2006 to 2009 (The Communications Security, Reliability and Interoperability Council, 2011).” Protection of information cannot be an afterthought of a business operation. It only takes one breach for a company to lose money, resources and, most importantly, customers. A survey conducted by the Ponemon Institute reported that “more than 83% of respondents believe that the individuals affected by a data breach lost trust and confidence in the organization’s ability to protect their personal information. These perceptions often result in the loss of customer loyalty (Ponemon, 2008).”
Lack of Cyber Security Guidance and Policy
Unfortunately, practicing cyber security is not as easy as patching a server or counting on the IT department and third-party software vendors to ensure all vulnerabilities have been mitigated. During cyber security assessments performed by the National Security Test Bed from 2004 to 2006, the most common and most easily exploited vulnerabilities were clear-text communications over networks, use of default user accounts and weak or documented passwords, poor authentication practices, unpatched components, and misconfigured firewalls (Fink, Spencer, & Wells, 2006). All of these vulnerabilities have one thing in common: they require user or administrator action to resolve. Education of IT professionals in this realm is lacking. In 2005, the President’s Information Technology Advisory Committee estimated that “there are less than 250 active cyber security or cyber assurance specialists in the United States, many of whom lack formal training or extensive field experience (President’s Information Technology Advisory Committee, 2005).” What about user education and responsibility? The IT department cannot ensure that users do not write down their passwords, leave their screens unlocked, lose a company laptop or take proprietary company information out of the building. To secure information successfully, every employee must be given cyber security training and guidance and must understand company policies as well as the consequences of non-compliance. The single most important cyber security vulnerability today is the lack of employee training, guidance and policies regarding information assurance protection.
A Plan for Large Businesses
It would be difficult for a business to give everyone the same level of cyber security training. Each employee has their own role in the organization and their own role in protecting systems and information. Larger businesses could create separate and distinct training and policies for users versus administrators. One common practice of large corporations is to conduct this training online on an annual basis. The problem with online or “computer based training” in many cases is that it is not tailored to the individual employee’s work tasks and is rather vague on the policies and practices of computer, information and cyber security. How does the account manager in the finance department apply this training to their specific job and use of technology? Will he or she know the dangers of using the default user account that comes with newly installed software? Will clicking through some online slides stop the front desk manager from writing her password down on a post-it note? Will the system administrator feel confident that the new server he or she built is patched properly and ready to be added to the network? Statistically, large businesses are still seeing an increase in breaches due to these types of employee behavior (Fink, Spencer, & Wells, 2006). Training must be tailored to the position and conducted on the job when possible, and employees should be held accountable for lax security practices.
The general recommendation by the National SCADA Test Bed to mitigate the overall problems with security awareness and training is to use a proactive security model. This model treats security practice as a cycle, an ongoing process rather than a one-time effort, highlighting the need to continually assess systems over their typical 10 to 15 year lifespan (Fink, Spencer, & Wells, 2006).
Considerations for the steps of the Proactive Security Model follow (Fink, Spencer, & Wells, 2006):
- Map Architecture – What technologies are present in the business? How are they connected? Do these technologies connect to any outside sources?
- Conduct a Risk Assessment – Going through the architecture, what vulnerabilities exist? What is the impact of a breach? Which areas carry extremely high impacts? Is there a plan in place in case of a data loss?
- Digital Asset Identification – Conduct an inventory of the physical locations of digital assets. Are assets physically secured?
- Profile Model – List assets in order of priority of protection. Identify critical assets.
- Identify and Remove Vulnerabilities – Patch vulnerabilities found during the previous steps and inventories. Remove unused programs and services.
- Standardize Policies – Review or create policies for the protection of all assets and specifically critical assets. Ensure policies are standardized and all employees understand that compliance with policies is critical.
- Incident Response – Logs and documentation should be kept during installation and recovery of systems. Log files should be reviewed on a regular basis to track possible breaches and security incidents.
- Training – On the job training should take place on a recurring basis in accordance with policies. Training should be tailored for users and administrators. Leadership must set the example for strong security practices.
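The Incident Response step above calls for regular log review, and the assessments cited earlier name default user accounts and weak passwords as the most common findings. The following is an added example, not from the paper or from the Test Bed report, of what a minimal scheduled log review can look like in practice: it parses sshd-style authentication lines and flags successful logins to vendor default accounts, sources with repeated failed logins, and a success that follows a run of failures from the same source. The log format, host names, IP addresses, account list and threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth log (sshd-style). Host and addresses are
# documentation values, not real systems.
SAMPLE_LOG = """\
Sep 16 09:01:02 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Sep 16 09:01:05 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Sep 16 09:01:09 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Sep 16 09:01:14 fileserver sshd[1201]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Sep 16 09:15:30 fileserver sshd[1340]: Accepted password for jsmith from 192.0.2.25 port 40110 ssh2
Sep 16 09:20:11 fileserver sshd[1402]: Failed password for invalid user guest from 198.51.100.4 port 33001 ssh2
Sep 16 09:20:12 fileserver sshd[1402]: Failed password for invalid user test from 198.51.100.4 port 33002 ssh2
Sep 16 09:31:40 fileserver sshd[1510]: Accepted password for jsmith from 192.0.2.25 port 40122 ssh2
"""

# Assumed list of vendor/default account names that policy says must be
# disabled or renamed; a real deployment would take this from the asset inventory.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}

# One regex for the two sshd password-auth outcomes; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised line, in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_auth_log(text, default_accounts=DEFAULT_ACCOUNTS, fail_threshold=3):
    """Single pass over the log, producing the three findings a reviewer acts on."""
    failures_by_src = Counter()
    default_logins = []          # successful logins to default accounts
    success_after_failures = []  # success preceded by >= threshold failures from same source
    for ev in parse_auth_log(text):
        if ev["result"] == "Failed":
            failures_by_src[ev["src"]] += 1
            continue
        if ev["user"] in default_accounts:
            default_logins.append((ev["user"], ev["src"]))
        if failures_by_src[ev["src"]] >= fail_threshold:
            success_after_failures.append((ev["user"], ev["src"]))
    brute_force = {src: n for src, n in failures_by_src.items() if n >= fail_threshold}
    return {
        "default_account_logins": default_logins,
        "brute_force_sources": brute_force,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    findings = review_auth_log(SAMPLE_LOG)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

On the constructed sample the review reports a successful login to the default `admin` account from 203.0.113.7, three failures from that same source, and that the success came after those failures; the two failed guesses from 198.51.100.4 stay below the assumed threshold of three. Each finding maps back to a step of the model: a default-account login is a policy violation to remediate under Identify and Remove Vulnerabilities, and a success after repeated failures is the kind of event the Incident Response step exists to catch.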
Small Business Approaches
Small businesses lack cyber security awareness and training even more than larger businesses, which have more resources to devote to security (PRNewswire, 2010). In a study conducted by NCSA/Visa Inc., 47 percent of small business owners reported that their employees had received no security training. The study also reported that only 43 percent of small businesses had a plan for responding to the loss of customer data. Another alarming statistic from the study noted that 85 percent of small business owners surveyed thought they were less of a target for cyber crime than larger companies (Kinney, 2011). On the contrary, small businesses are more of a target for cyber criminals because the criminals are less likely to be caught and the information is in many cases unprotected and easy to access (Kinney, 2011).
The proactive security model (figure 1) could easily be tailored to a small business’s architecture. The best practice for any business to understand is to be proactive about security instead of reactive (Fink, Spencer, & Wells, 2006). The bottom line for any business is to make security a priority and part of the business’s mission, and to train employees on a regular basis. “Data protection is crucial to the success of a modern small business (Kinney, 2011).” The National Cyber Security Alliance has published simple practices for small business owners; a few key points follow (Kinney, 2011):
- Train employees on cyber security policies and practices and include tips in company newsletters and/or on the website
- Limit access to work networks from home computers and have policies for secure practices when using mobile technology
- Clean out old data and dispose of it securely
- Ensure all new software is patched and older software is updated and maintained
- Educate customers on your cyber security policies and safe practices through regular e-mails or right on your website
Small business owners may not have the knowledge or resources on hand to train employees or to manage technology securely and effectively. Likewise, larger industries such as utility companies or construction contractors may have no interest in managing their own IT services and security. In these cases there are outsourcing options. Outsourcing has benefits and drawbacks; managers must weigh their options and decide what will work best for their business (Valacich & Schneider, 2011). Although an outsourcing provider may handle the security of internet and intranet connections, software applications and data, employees will still need training on safe practices and company policies, as much of the hardware and associated software will be located onsite and accessed by employees on a daily basis.
One example of the beneficial use of outsourcing is the Enbridge Pipeline Company, which manages countless miles of oil pipeline. Industries such as factories and plants are also good candidates for outsourcing because 70 percent of cyber threats are external, as reported by the Columbia Institute of Technology (Powell, 2005). Along with the pipeline comes the management of the systems and software applications that keep track of this complex infrastructure. Putting out “systems security fires” was the last thing Enbridge management wanted to worry about. The company paired up with CyrusOne, a company that serves many energy-related businesses and specializes in building complex hosting facilities staffed with a myriad of IT experts (Powell, 2005). “Enbridge management sticks to strategic IT decisions while CyrusOne manages hardware failures and system optimization, memory allocation, and decisions to grow or shrink IT capacity (Powell, 2005).” Enbridge notes many benefits of the decision to outsource (Powell, 2005):
- Assurance that IT best practices are applied to all outsourced systems and networks for a set price via a Service Level Agreement, which also covers the cost of the ever-changing scalability requirements of IT infrastructure
- System security is maintained through the use of proper firewalls, security patches and traffic audits, as well as power redundancy and router configurations
- Access to expertise without having to hire, maintain, or train new employees. Continuous reporting of data and application status also improves work-flow
While all of these benefits look appealing, Powell (2005) notes that it is important to shop around and to draft a contract exit strategy, as not all outsourcing companies last or work out as positively as expected.
A small business can benefit in the same ways a large business like Enbridge has, and at a significantly lower cost. Access to IT professionals and security experts, together with the ability to concentrate on the primary mission of the business knowing that customer information is protected, will in many cases cost less than a single cyber attack incident. The same rules apply to small businesses when choosing an outsourcing company: shop around, get references from other professionals in your arena, and have an exit strategy before entering any agreement. Most importantly, a security training plan and security policies need to be in place and applied on a regular basis, as small businesses are big targets of cyber attacks and the most common breaches are due to lax security practices involving password complexity, network access, and default user accounts (Fink, Spencer, & Wells, 2006).
The single most important cyber security vulnerability today is the lack of employee training, guidance and policies regarding information assurance and protection. Statistics show that cyber attacks are growing at an alarming rate. With new technologies being created at the same speed, it is increasingly difficult for industry professionals to stay educated and to ensure that hardware, software, networks, and web transmissions are secure. The use of technology is prominent in business, and most businesses would be inoperable and significantly behind their competitors without it. Companies hold important customer information and equally important business intelligence, the loss of which can have catastrophic consequences.
There are, however, many solutions that businesses can apply to mitigate these risks. Applying the latest patches to software, protecting passwords, and configuring software properly are some obvious options. All of the available solutions for risk mitigation require users and administrators to take action. Businesses can ensure these actions are taken by developing security training programs tailored to employees’ individual positions and job tasks. Equally important is the development and enforcement of cyber security policies and protocols. Leadership must set a positive example by following and enforcing the rules and by taking a proactive rather than reactive stance on security.
Large businesses can use the Proactive Security Model as a basis for an ongoing security posture over the full lifespan of their systems. Many large businesses have robust IT departments and the resources to make their use of technology more secure. Small businesses have fewer resources to devote to information technology and are at greater risk of cyber attack. There are many options for small businesses to increase security, train employees, and make security a normal part of operations.
Outsourcing is an option for those industries or smaller businesses that do not have the resources or the expertise on staff to maintain a secure technological infrastructure. There are benefits and drawbacks to outsourcing, and managers must weigh their options and decide the best course of action for their company. Although outsourcing may secure many of the business’s resources, it is still important to train employees in secure practices and to maintain and enforce up-to-date security policies for the protection of onsite technology resources and proprietary information.
Fink, R. K., Spencer, D. F., & Wells, R. A. (2006). Lessons Learned from Cyber Security Assessments of SCADA and Energy Management Systems. U.S. Department of Energy.
Kinney, M. (2011, January 13). How small businesses can recognize Data Privacy Day. Retrieved September 16, 2011, from Staysafeonline.org: http://www.staysafeonline.org/blog/how-small-businesses-can-recognize-data-privacy-day
Ponemon, L. (2008). Privacy Breach Index Survey: Executive Summary. Ponemon Institute.
Powell, W. D. (2005). Outsourcing Helps Balance Data Security, Efficiency and Economics. Pipeline and Gas Journal, 30.
President’s Information Technology Advisory Committee. (2005). Cyber Security: A Crisis of Prioritization. Arlington: National Coordination Office for Information Technology Research and Development.
PRNewswire. (2010, October 27). Study Finds U.S. Small Businesses Lack Cybersecurity Awareness and Policies. Retrieved September 16, 2011, from http://www.prnewswire.com: http://www.prnewswire.com/news-releases/study-finds-us-small-businesses-lack-cybersecurity-awareness-and-policies-66372812.html
The Communications Security, Reliability and Interoperability Council. (2011). Cyber Security Best Practices. CSRIC Working Group 2A.
Valacich, J., & Schneider, C. (2011). Information Systems Today: Managing the Digital World. Edinburgh Gate, Essex, England: Pearson Education Limited.