Been in technology for 22 years
Westinghouse
Senior Manager at Clifton Gunderson, 7th largest CPA and consulting firm in the U.S.
Partner / Director in Kenneally and Company's technology consulting practice
Major data breaches in 2014: eBay, Michaels Stores, Bank of America, Home Depot, P. F. Chang's
The Outlook for 2015
Retailers will harden their systems with chips
Health care breaches will persist
Business leaders are being held directly accountable for data breaches
Employees and negligence are the leading cause of security incidents
More hackers will target cloud data
How do you know?
52 percent of small businesses had NO basic cyber security strategy
While 85 percent of those owners said they felt their companies were safe from cyber threats
77 percent had no formal written Internet security policy
Of the 621 confirmed data breach incidents Verizon recorded in 2014, over 30% of these incidents were at entities with fewer than 100 workers. Cyber attacks on small businesses with fewer than 250 employees represented over 30% of all attacks in 2014, up from 18% in the prior year. Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable.
Local CPA and accounting firm
Did not have a proper data backup rotation of media
Lax anti-virus software
Ransomware / CryptoLocker encrypted ALL of their server and workstation data: Word documents, Excel spreadsheets, PDFs, QuickBooks data files
Virus removal and remediation attempt
Contact Russian hacker via hacker web browser and email
Pay $300 ransom using Bitcoin wallet
Received key / It only decrypted 80% of the firm's files
Services and fees close to $2,000 (not including billable down time costs)
Internet and local network security
Poor data backup strategies / Disaster recovery
Remote access / Employees in the field / Cloud computing
Smartphones
Disgruntled employees
Don't take it personally: on the Internet, you are just a number (IP address)
Even a small amount of personal data or credit information can be aggregated and sold for profit
Bored and tech-savvy teenagers now have access to hacker tools (We are not just dealing with Dmitri from Ukraine anymore)
Business-class firewall hardware device (IT CANNOT be a Linksys router from Walmart or your ISP's Internet modem)
Business-class anti-virus / anti-malware (Free is NOT better, it's worse!!)
Lock down your wireless Internet (Get a guest wireless network that is separate from your office wireless for visitors to use for Internet access)
Spam detection and removal software
Internet content filtering (Your employees are less likely to get you in trouble if they can't get there to start with)
Use complex passwords that are forced to change on a regular schedule (Password1 is not a good password)
Educate your employees (Maybe I should not click on the web link in that FBI email. Why is the FBI contacting me via email anyhow? Hmmm!!!)
You should have a local and automatic backup system with a proper rotation of media (Manually copying files to a flash drive once a month is NOT good enough)
Off-site / encrypted backup to a cloud provider
Server and crucial workstation imaging software for fast disaster recovery
RAID (Fault tolerance of your data drives on servers AND workstations)
Test your data backups regularly (You will never realize just how important your data backup is until the day that you need it)
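The rotation and "test your backups" advice above, as an added example that is not part of the original presentation: a small POSIX shell routine that archives a folder, keeps only the newest KEEP archives, records a checksum, and proves each archive can actually be restored. The paths and the KEEP value are assumptions; encryption for the off-site copy is left to the provider and not shown.

```shell
#!/bin/sh
# Added example: rotated local backups with a restore test.
# Assumes POSIX sh with tar, sha256sum, diff and mktemp; KEEP is an assumed policy value.
KEEP=7      # archives to retain (one per run, e.g. one per nightly job)
SEQ=0       # run counter so archives made in the same second still sort in order

# backup_rotate SRC_DIR DEST_DIR
# Writes DEST_DIR/backup-<stamp>.tar plus a .sha256 beside it, then deletes the
# oldest archives until only KEEP remain. Prints the new archive path.
backup_rotate() {
    src=$1; dest=$2
    mkdir -p "$dest"
    SEQ=$((SEQ + 1))
    stamp="$(date +%Y%m%d-%H%M%S)-$(printf '%04d' "$SEQ")"
    archive="$dest/backup-$stamp.tar"
    tar -cf "$archive" -C "$src" .
    # Checksum stored next to the archive: bit rot or tampering is caught before a restore.
    (cd "$dest" && sha256sum "backup-$stamp.tar" > "backup-$stamp.tar.sha256")
    # Rotation: the timestamped names sort oldest-first, so drop the leading excess.
    count=$(ls "$dest"/backup-*.tar | wc -l)
    excess=$((count - KEEP))
    if [ "$excess" -gt 0 ]; then
        ls "$dest"/backup-*.tar | sort | head -n "$excess" | while read -r old; do
            rm -f "$old" "$old.sha256"
        done
    fi
    echo "$archive"
}

# restore_test ARCHIVE SRC_DIR
# Verifies the checksum, restores into a scratch directory and compares the
# result with the live data. Returns 0 only if every file comes back intact.
restore_test() {
    archive=$1; src=$2
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
    scratch=$(mktemp -d)
    if ! tar -xf "$archive" -C "$scratch"; then
        rm -rf "$scratch"; return 1
    fi
    diff -r "$src" "$scratch" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}
```

Run the rotation from cron or a scheduled task, and run restore_test against the newest archive on a schedule too; a backup that has never been restored is an assumption, not a plan.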
Regular security and Internet browser updates for their computing devices
Local firewall software for when browsing the Internet off-site (Again, FREE is not better)
No public wireless (Use personal Internet hot-spot)
VPN (virtual private network) when accessing company servers and files remotely
Eliminate and restrict actual data on the local computers (App servers)
Hard drive encryption on notebooks and mobile computing devices
Use local cellular data plan rather than public wi-fi access
Password protect & autolock your device
Limit your use of document sharing / sync apps (Sugarsync, Box.net)
Smartphones should be owned by and used for the company ONLY!
Use remote find and/or remote wipe capabilities
Tighten network and computer file security permissions / Restrict access to only the information that they need
Computer monitoring software
Disable computer accounts and access before you make them an ex-employee
Security cameras can help with fraud, theft and productivity
Restrict physical building access (security systems with key card or key code access)
When considering web security there are two pieces that matter: The first is anonymity: how to keep people from knowing what sites your employees are visiting. The second is privacy: how to keep people from accessing the information your employees send.
Some basic strategies for safe and private web browsing:
1. Spam email filtering
2. Internet content filtering
3. Use private browsing options for your browser
4. Use alternate web browsers
5. VPN (virtual private network) web browsing
Meet professional compliance standards (HIPAA, PCI-DSS, DoD, Federal contracts)
Discover previously unknown security threats
Avoid damage to business reputation (Don't think New York Times or USA Today. Think Baltimore Sun, The Daily Record or the Aegis)
IT security breach remediation costs lots of money (It's less costly to be proactive than it is to be reactive)
Professional hackers are available for hire: https://hackerslist.com/
Disgruntled employees hacking company email accounts
Competitors accessing your bids on your servers
Thieves accessing your financial accounts
How do you know?