Protect Your Small business from a Cyber Attack: Start with the Basics
Presenter: Daniel Eliot, Manager of Technology Business Development, Delaware SBDC
10/11/2017
Small Businesses are a Target
• 61% of data breach victims have fewer than 1,000 employees.
• The SBA has found that almost half of small businesses have been the victim of a cybercrime at some point, with the average cost of an attack at $21,000.
• 81% of hacking-related breaches leveraged either stolen and/or weak passwords as the point of entry.
Source: 2017 Verizon Data Breach Report
Program Purpose
• Raise awareness of cyber risk within Delaware's small business community.
• Help businesses manage the threat and impact of cyber interference.
• Foster innovation in cyber security.
Why Create a Security Plan?
• Cyber security is behavioral, physical and technological.
• The unknown is expensive.
• Increased scrutiny and liability from buyers, business partners, etc.
• You want to protect your brand, your customers, your employees, your buyers, etc.
• Demonstration of reasonable effort to protect your data and systems. Can you?
www.delawaresbdc.org
The Small Business Cybersecurity Workbook
• To provide small businesses with a starting concept for creating a Written Information Security Program (WISP).
• Defining a reasonable program for handling cybersecurity within a small business.
• This is just a starting point. It is meant to get small businesses thinking in a security mindset.
The Small Business Cybersecurity Workbook
• Based on the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
• Concept is simple
• Common language which all understand
Section 1: Identify (A Risk-Based Approach)
Workbook pages 8-11
Know Your Company
- What do you collect?
- What sensitivity level?
- Where is it located?
- Who has access to it?
- Outside consultant?
Physical Security
- Desktops
- Laptops
- Mobile devices
Operating Systems
- Which ones do you have?
- Who has them?
- How are they maintained?
Software
- Inventoried and current?
Section 2: Protect
Workbook pages 12-18
• Access: usernames and passwords
• Data segregation
• Timeouts and lockouts
• Firewalls and patching
• Training and awareness
Section 3: Detect
Workbook pages 19-20
• Are antivirus and antimalware installed and up-to-date on all devices?
• Looking for unusual activity
• Creating an open environment
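The "timeouts and lockouts" control from Section 2 and the "looking for unusual activity" step from Section 3 are the two controls that directly address the stolen/weak-password entry point cited earlier. The following Python script is an added example, not code from the presentation or the workbook: it replays a constructed, hypothetical login log (the `key=value` line format, usernames, addresses and thresholds are all assumptions made up for this demonstration) first through a failed-login detector and then through an account-lockout policy, so you can see what each one catches.

```python
"""Failed-login detection and an account-lockout policy over a sample log.

Added example for the Delaware SBDC deck; none of this is the workbook's own
tooling. The log format below is hypothetical (one event per line, UTC
timestamps), and the users, addresses and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "alice" is guessed at six times from one address in
# under a minute and the seventh attempt succeeds; "bob" mistypes once, which
# is normal. Later, alice logs in legitimately from a different address.
SAMPLE_LOG = """\
2016-03-22T08:01:10Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:12Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:15Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:19Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:24Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:30Z user=alice result=FAIL src=203.0.113.5
2016-03-22T08:01:41Z user=alice result=OK src=203.0.113.5
2016-03-22T08:05:02Z user=bob result=FAIL src=198.51.100.7
2016-03-22T08:05:20Z user=bob result=OK src=198.51.100.7
2016-03-22T09:30:00Z user=alice result=OK src=192.0.2.10
"""


def parse_line(line):
    """Parse one hypothetical 'TIMESTAMP key=value ...' line into a dict."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Detect: return {user: time_threshold_reached} for every account with
    at least `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)  # per-user timestamps of recent failures
    hits = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        queue = recent[ev["user"]]
        queue.append(ev["ts"])
        while queue and ev["ts"] - queue[0] > window:
            queue.popleft()  # drop failures that fell out of the window
        if len(queue) >= threshold and ev["user"] not in hits:
            hits[ev["user"]] = ev["ts"]
    return hits


def apply_lockout(events, max_failures=5, lockout=timedelta(minutes=15)):
    """Protect: replay the events under a lockout policy.

    After `max_failures` consecutive failures the account is locked for
    `lockout`; every attempt during the lock is rejected, even one with the
    correct password, and a successful login resets the failure counter.
    Returns (decisions, locked_until): decisions is a list of
    (timestamp, user, "allow" | "fail" | "locked").
    """
    failures = defaultdict(int)
    locked_until = {}
    decisions = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "locked"))
            continue
        if ev["result"] == "OK":
            failures[user] = 0
            decisions.append((ts, user, "allow"))
        else:
            failures[user] += 1
            decisions.append((ts, user, "fail"))
            if failures[user] >= max_failures:
                locked_until[user] = ts + lockout
                failures[user] = 0
    return decisions, locked_until


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, when in detect_bruteforce(events).items():
        print(f"ALERT: {user} hit the failed-login threshold at {when}")
    decisions, _ = apply_lockout(events)
    for ts, user, decision in decisions:
        print(f"{ts} {user:<6} {decision}")
```

On the constructed log the detector raises an alert for `alice` at 08:01:24 (five failures inside five minutes) and stays quiet for `bob`. Replaying the same events under the lockout policy rejects the sixth guess and, more importantly, the attacker's correct-password login at 08:01:41, while alice's legitimate login at 09:30 is allowed once the lock has expired. The caveat to keep in mind when tuning the numbers: an attacker who knows your usernames can deliberately lock staff out, so a short lockout window combined with alerting is usually preferable to a long or permanent lock.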
Section 4: Respond
Workbook pages 21-22
• You have to have a plan
• Document what is happening
• Isolate and protect
• Move swiftly and obtain assistance
• Document actions taken
Section 5: Recover
Workbook page 23
• Getting back to normal
• Move swiftly and obtain assistance
• Communications
• Document
Date of Incident: March 22, 2016
Explanation of Incident: Our Secretary’s system was infected with a Cryptolocker/Ransomware virus.
How Discovered?: She discovered the screen message demanding payment at 8:15 AM.
How Remediated?: We called our IT Consultant who, fortunately, had backups of her local file from the previous week. The Consultant wiped the system clean, installed a new operating system and transferred the backup files to the system.
Data Affected: No client information was stored on the system. Letterhead and templates were maintained in the My Documents folder, which is backed up weekly.
Steps Taken To Close Vulnerability: We all changed our access passwords for systems and applications as the source of the attack was not determined. The other personnel in our office were informed of the attack and reminded to use caution accessing personal email and due care with following links or downloading any information.
House Bill 180
• August 24, 2017, Governor John Carney signed into law the first update to Delaware’s data breach law in 12 years.
• Enacts new requirements for Delaware’s businesses for protecting personal information.
• If you conduct business in Delaware and own, license or maintain personal information on Delaware residents, you are required to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”
House Bill 180
If the data I own, license or maintain is hacked, what is my obligation?
• You have 60 days to provide notice to affected individuals unless you can determine after an appropriate investigation that the breach is “unlikely to result in harm.”
• If the data breach includes Social Security numbers, residents shall be offered credit monitoring services at no cost to the residents for a period of one year. If the affected number of Delaware residents exceeds 500, the Attorney General is to be notified.
• If encrypted data is breached, you don’t have to provide notice unless the encryption key is also breached.
What Counts as Personal Information?
Personal information is a Delaware resident's first name or first initial and last name in combination with any of the categories below (together with any required password or security code):
• Social Security number
• Driver's license number
• Financial account number
• Passport number
• Username or email address in combination with a password or security question
• Medical information
• Health insurance information
• DNA profile
• Biometric data used to access information
• Individual taxpayer identification number
Source: 6 Del. C. § 12B-100
Cyber Risk Assessment Tool
Located at: http://delawaresbdc.org/special-programs/datassured/
Online Video Series
Located at: http://delawaresbdc.org/special-programs/datassured/
Additional Web-Based Resources
Located at: http://delawaresbdc.org/special-programs/datassured/
“There are only two types of companies – those that have been hacked, and those that will be”
- Robert Mueller, FBI Director 2012
Questions?
The Delaware SBDC Network is funded in part by the U.S. Small Business Administration (SBA), Defense Logistics Agency, State of Delaware, and other private and public partners. Nationally accredited by the Association of SBDCs.
Helping Delaware’s small business community secure their critical data and
infrastructure
Daniel Eliot
Manager, Technology Business Development
Delaware [email protected]