Protect Your Small business from a Cyber Attack: Start with the Basics Presenter: Daniel Eliot, Manager of Technology Business Development, Delaware SBDC 10/11/2017



Small Businesses are a Target

61% of data breach victims have <1,000 employees

The SBA has found that almost half of small businesses have been the victim of a cybercrime at some point, with the average cost of an attack at $21,000.

81% of hacking-related breaches leveraged either stolen and/or weak passwords as point of entry

Source: 2017 Verizon Data Breach Report


Program Purpose

• Raise awareness of cyber risk within Delaware’s small business community.

• Help businesses manage the threat and impact of cyber interference.

• Foster innovation in cyber security.


Why Create a Security Plan?

• Cyber is: Behavioral, physical, technological

– SECURITY

• The unknown is expensive

• Increased scrutiny and liability from buyers, business partners, etc.

• You want to protect your brand, your customers, your employees, your buyers, etc.

• Demonstration of reasonable effort to protect your data and systems. Can you?

www.delawaresbdc.org


The Small Business Cybersecurity Workbook

• To provide small businesses with a starting concept for creating a Written Information Security Program (WISP).

• Defining a reasonable program for handling cybersecurity within a small business.

• This is just a starting point. It is meant to get small businesses thinking in a security mindset.


The Small Business Cybersecurity Workbook

• Based off the NIST Framework

• Concept is simple

• Common language which all understand


Section 1: Identify

A Risk-Based Approach

Pages 8-11

Know Your Company

- What do you collect?

- What sensitivity level?

- Where’s it located?

- Who has access to it?

- Outside consultant?

Physical Security

- Desktops

- Laptops

- Mobile Devices

Operating Systems

- Which ones do you have?

- Who has them?

- How are they maintained?

Software

- Inventoried and current?


Section 2: Protect

Pages 12-18

• Access: Usernames and passwords

• Data Segregation

• Timeouts and lockouts

• Firewalls and patching

• Training and awareness


Section 3: Detect

Pages 19-20

• Are antivirus and antimalware installed and up-to-date on all devices?

• Looking for unusual activity

• Creating an open environment


Section 4: Respond

Pages 21-22

• You have to have a plan

• Document what is happening

• Isolate and protect

• Move swiftly and obtain assistance

• Document actions taken


Section 5: Recover

Page 23

• Getting back to normal

• Move swiftly and obtain assistance

• Communications

• Document

Date of Incident: March 22, 2016

Explanation of Incident: Our Secretary’s system was infected with a Cryptolocker/Ransomware virus.

How Discovered?: She discovered the screen message demanding payment at 8:15 AM.

How Remediated?: We called our IT Consultant who, fortunately, had backups of her local file from the previous week. The Consultant wiped the system clean, installed a new operating system and transferred the backup files to the system.

Data Affected: No client information was stored on the system. Letterhead and templates were maintained in the My Documents folder, which is backed up weekly.

Steps Taken To Close Vulnerability: We all changed our access passwords for systems and applications as the source of the attack was not determined. The other personnel in our office were informed of the attack and reminded to use caution accessing personal email and due care with following links or downloading any information.


House Bill 180

• August 24, 2017, Governor John Carney signed into law the first update to Delaware’s data breach law in 12 years.

• Enacts new requirements for Delaware’s businesses for protecting personal information.

• If you conduct business in Delaware and own, license or maintain personal information on Delaware residents, you are required to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”


House Bill 180

If the data I own, license or maintain is hacked, what is my obligation?

• You have 60 days to provide notice to affected individuals unless you can determine after an appropriate investigation that the breach is “unlikely to result in harm.”

• If the data breach includes Social Security numbers, residents shall be offered credit monitoring services at no cost to the residents for a period of one year. If the affected number of Delaware residents exceeds 500, the Attorney General is to be notified.

• If encrypted data is breached, you don’t have to provide notice unless the encryption key is also breached.


What Counts as Personal Information?

To be personal information, a Delaware resident’s first name or initial and last name must appear in combination with any of the categories listed below, with the required password or security code:

• Social Security number

• Driver’s license number

• Financial account number

• Passport number

• Username or email address in combination with a password or security question

• Medical information

• Health insurance information

• DNA profile

• Biometric data used to access information

• An individual taxpayer identification number

6 Del. C § 12B-100


Cyber Risk Assessment Tool

Located at: http://delawaresbdc.org/special-programs/datassured/


Online Video Series

Located at: http://delawaresbdc.org/special-programs/datassured/


Additional Web-Based Resources

Located at: http://delawaresbdc.org/special-programs/datassured/


“There are only two types of companies – those that have been hacked, and those that will be”

- Robert Mueller, FBI Director 2012


Questions?

The Delaware SBDC Network is funded in part by the U.S. Small Business Administration (SBA), Defense Logistics Agency, State of Delaware, and other private and public partners. Nationally accredited by the Association of SBDCs.

Helping Delaware’s small business community secure their critical data and infrastructure

Daniel Eliot

Manager, Technology Business Development

Delaware [email protected]