
WHAT ARE THE CYBER RISKS TO MY BUSINESS?

 

Cyber risk can be defined as the risk of financial loss, disruption or damage to the reputation of an organization through a failure of its information technology systems. Information technology has fueled rapid growth for small businesses: it can help you reach more customers, tap into new markets, grow faster, and create more jobs. With that increased reliance on information technology and access to data come new risks to your business’s finances, customer data and reputation.

The process of cyber risk assessment includes identifying your organization’s important data (financial data, customer data, and intellectual property), the potential vulnerabilities of the systems that store or handle that data, and the potential impacts to your organization from a loss of confidentiality, integrity, or availability of that data.

 

FACT 1: ASSESSING CYBER RISK

Assessing and managing cyber risk is no different from managing other types of risk. If you were to manage the risk to your business from flood damage, you would identify the most important assets that could be affected; consider how vulnerable those assets would be to a flood; consider the likelihood of flooding in the area; and determine which responses make the most sense given the cost of each (e.g., invest in measures to protect those assets, move the assets, transfer the risk through insurance, or accept the risk).
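The reasoning in FACT 1 (rank assets by what you stand to lose, then compare the cost of protecting, moving, insuring or accepting) can be written down as a small calculation. The following is an added example, not part of the NCSS fact sheet or the CARES survey; the dollar figures, probabilities and the names protect_reduction and insurance_coverage are constructed assumptions a business owner would replace with their own estimates.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One asset/threat pair from the assessment, with the owner's estimates."""
    asset: str
    asset_value: float     # cost of a total loss of the asset, in dollars
    likelihood: float      # estimated probability the event occurs in a year (0..1)
    exposure: float        # fraction of the asset's value lost if it does (0..1)

    def expected_annual_loss(self) -> float:
        # likelihood x impact: the yearly loss to expect if the risk is simply accepted
        return self.likelihood * self.asset_value * self.exposure


def rank_risks(risks: list) -> list:
    """Most important first: the assets whose expected loss is largest."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def choose_response(risk: Risk, protect_cost: float, protect_reduction: float,
                    move_cost: float, insurance_premium: float,
                    insurance_coverage: float) -> tuple:
    """Compare the four responses the fact sheet lists and return the cheapest
    as (name, expected yearly cost). The cost parameters are the assessor's
    assumptions: protect_reduction is how much the control cuts the expected
    loss, insurance_coverage is the share of a loss the policy would pay."""
    eal = risk.expected_annual_loss()
    options = {
        "accept": eal,                                            # do nothing
        "protect": protect_cost + eal * (1 - protect_reduction),  # invest in controls
        "move": move_cost,                                        # relocate the asset out of reach
        "transfer": insurance_premium + eal * (1 - insurance_coverage),  # buy insurance
    }
    best = min(options, key=options.get)
    return best, round(options[best], 2)


if __name__ == "__main__":
    # Constructed figures for illustration only
    customer_db = Risk("customer database", 200_000, 0.10, 0.5)
    signage = Risk("lobby signage", 2_000, 0.5, 1.0)
    print([r.asset for r in rank_risks([signage, customer_db])])
    print(choose_response(customer_db, 3_000, 0.8, 20_000, 4_500, 0.9))
```

Run as a script it ranks the constructed assets and prints the cheapest response for the customer database; the same functions can be fed the asset list produced by your own assessment.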

 

FACT 2: RESOURCES

There are many resources available to assess cyber risk. How extensively to analyze risk depends on a range of factors: business priorities, regulatory standards or cost considerations. The National Cybersecurity Society provides a free survey, NCSS CARES (Cybersecurity Assessment and Resiliency Evaluation for Small Business), that helps small businesses assess cyber risk. The assessment methodology was adapted from two main sources: the NIST Cybersecurity Framework and the Resilience Management Model from Carnegie Mellon’s Software Engineering Institute (CERT).

 

FACT 3: NCSS CARES

NCSS CARES measures small business risk based upon the maturity level of the business’s organizational cybersecurity and resiliency processes, as defined by CMMI. CMMI (Capability Maturity Model Integration) is a process-level improvement training and appraisal program developed by Carnegie Mellon University. NCSS CARES can be found at: https://nationalcybersecuritysociety.org

FACT 4: INSURANCE

Assessing your cyber risk is an important part of any organization’s overall evaluation of risks. Many insurance providers use an assessment to set rates for policies; therefore, understanding your risks and how your organization manages them are critical steps in ensuring your business is resilient. Begin now by assessing your risk through NCSS CARES.

FACT 5: VENDOR AGREEMENTS

The American Bar Association recommends that all vendor agreements include a section on assessing the risks of an organization’s partners. NIST 800-171, Protecting Critical Unclassified Information in Non-federal Systems, requires contractors who do work with the government to assess their risk and provide an affirmation statement that they have addressed and mitigated known risks.

 

FACT 6: NIST CYBERSECURITY FRAMEWORK

The NCSS has mapped NCSS questions in the survey, NCSS CARES, to the cybersecurity framework. The mapping can be found elsewhere on our site.

 

RISKS

HERE ARE SOME RISKS TO CONSIDER:

  • Reputational
  • BYOD
  • Internet of Things
  • Lack of employee awareness/training
  • Social Engineering
  • Weak Passwords and the lack of 2 Factor Authentication
  • Unsecure website
  • Lack of data retention policy
  • Limited to no backups of critical data/systems

 

Download a PDF of this fact sheet.

 

 

Still have questions, need help?

Contact us at our “Ask-an-Expert” service, web@thencss.org or visit us at the link below.

 

 

©2018 National Cybersecurity Society, All Rights Reserved

www.nationalcybersecuritysociety.org

 

JOIN THE NCSS

Become a member of The National Cybersecurity Society today and learn more about how to protect your business from a cyber attack.

 

 

About The National Cybersecurity Society

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness and advocacy to small businesses. The NCSS provides cybersecurity education tailored to the needs of the small business owner; helps small businesses assess their cybersecurity risk; distributes threat information to business owners so that they will be more knowledgeable about the threats facing their business; and provides advice on the type of services needed to stay safe online.


 

Your reputation depends on securely connecting to your customers and suppliers via the Internet. Do you know how to create a secure website?

 

STEP 1: HOSTING SERVICE

Unless you’re a technology security company, we don’t recommend you host your website on your company or home server.

 

Purchase website hosting services from a commercial service provider. There are many available. Ensure the company can support SSL/TLS encryption, security monitoring, and a backup copy of your website.

 

Commercial Website hosting companies have the ability to provide:

  • Availability – nearly 99.99% availability - meaning you’re always open
  • Flexibility – ability to expand when your business grows
  • Security – up to date security monitoring and patches aligned with industry standards
  • Data Backups – your website and website content will be backed up – another way to ensure you are resilient

 

STEP 2: ENCRYPTION

SSL/TLS are protocols used for encrypting information between two points. SSL certificates are issued to the two entities, usually a server and a client, but there are times when server-to-server and client-to-client encryption are needed.

By selecting the SSL/TLS encryption feature, your company’s and your customers’ private information, such as passwords and credit card numbers, is encrypted. This means that if someone were to hijack the data transmission, the data would be encrypted and the bad guys would not be able to steal or read it. Without this feature, your data is transmitted in the clear, and anyone can read it, steal it or manipulate it.

Customers can buy with confidence, knowing their information is safe, and your website URL will carry the https:// prefix, meaning their web experience will be safe.

STEP 3: BACKUP

Most hosting companies provide a backup copy of your website content and the ability to restore your site to an earlier version if you get into trouble. This is usually a standard feature, but check the plan to ensure you have this provision.

Ask how long it will take to restore your site to an earlier version. If you can be down for a day or two, then at least you will know in advance. If you can’t be down for a day or two, select a service provider who can restore your site within your time constraints.

 

STEP 5: DNS SECURITY

This is a premium service, but well worth the cost. Ever wonder whether a hacker could interfere with your site and redirect users to a site that looks just like yours, stealing all of your customers and business? The Domain Name System (DNS) converts your URL (www.howtoguide.com) to a series of numbers (an IP address) that a browser uses to locate a website. When you type a domain name into your browser, DNS looks through a huge database to find the IP address you requested and directs your browser to the correct website content. DNSSEC (DNS Security) stops hackers by securing the lookup process and verifying that the visitor is actually arriving at your site.

Select DNSSEC as a service with your website hosting contract. This will improve performance, accessibility and security by placing your DNS information in a secure location. The hosting company will place your DNS information on multiple servers around the world, so visitors searching for your site are connected to the closest server location for a faster response. It eliminates the error “website not found”, which usually happens when a server is slow to respond. With this feature, hackers will not be able to redirect your customers to their website to steal user names, passwords or credit card numbers.

 

STEP 6: ESTABLISH A LOGIN/PASSWORD

When you establish a website account, you will be asked for a user name and password. Simple, right? Not so simple: your password shouldn’t be “password”! Passwords should be between 10 and 20 characters; the longer the password, the harder it is for someone to crack.

  • Don’t use words or phrases that link to who you are or where you have lived: your street, the city you were born in, the date you were married, your business name, your business owner, kids’ names or birthdays.
  • Change your password every three months or when prompted by the hosting provider.
  • The password you establish should only be used for your website; don’t reuse passwords.

STEP 7: ASSIGN AN OWNER

Having a website owner or “system owner” is one of the critical steps in managing a website or any critical system or service. He or she can manage the account, keep up to date on the latest changes, and interface with the website hosting company. He or she is responsible for keeping up-to-date records of changes made to the website, contract details, restoration details, etc., and is the go-to person for keeping the website up and operational and interfacing with the hosting provider. This can be a part-time job, but because it is such a critical function for your online business and reputation, it’s important to have the responsibility defined and assigned.

 

STEP 8: TRAIN

Training employees is a critical step in ensuring your site is functional and resilient. Your employees can be the first line of defense, by knowing your website and whether it’s functioning as it should. They need to be advised that they should notify your website “system owner” and website hosting provider if the site is not functioning as intended.

Employees need to understand the value of protecting customer data, and to stay watchful and speak up. Customers who call in and need help navigating the company website could actually be hackers trying to steal critical data. Employees need to be trained not to give out critical information over the phone. Employees should also be advised not to write down customer credit card data, but rather to instruct the caller on how to enter the information online.

At least every quarter, remind and train employees on how to protect customer data, and to stay watchful of your critical asset: your website.

 

DID YOU KNOW?

  • Compromised websites are used for a number of reasons:
    • To redirect traffic to a hacker’s spurious website; steal customer data including payment and email information; host malware, spam pages, and/or porn; advertise illicit products; or simply vandalize the site.
    • Ransomware, a type of malware, has become the latest threat to the business community, whereby criminals lock or vandalize the website and demand a ransom before the website can be put back into use.
    • Having an unsecure site offers criminals the platform to launch these crimes.

 


 

 

Every day in the news, we hear about data breaches. Are you concerned your sensitive business, customer and supplier data is not protected?

 

 

STEP 1: DATA OWNER

All data needs someone in your organization to determine how valuable the data is that you want to protect. In the cybersecurity business, we call that person a data owner.

The data owner could be the inventor who created your secret sauce, your CEO who devised your unique business strategy, or the customers who depend on your services.

Not all data needs protection. The data owner can be called upon to determine which data to protect, how sensitive it is, who can access it and use it, and the severity/criticality of the data if it is lost or stolen.

It’s easy to say that your payroll data is critical for your business, but what about the age of your equipment and warranty schedule? It may not be critical now, until you need to replace it or ask the manufacturer to repair it. The business/data owner can help you decide how “critical” the various data elements are that you need to protect.

 

STEP 2: DEVICE MANAGEMENT

Data protection can include preventing access to the device (via passwords or other authentication methods) even while the data is stored on a laptop or memory device. Ensure that any critical data stored on a removable device (memory stick, disk, hard drive, laptop, tape) is password protected. These devices and the data that resides on them can easily be stolen and compromised. If the device is password protected, it will be harder to gain access to the stored data.

 

STEP 3: CYBER SAFE BUSINESS PRACTICES

Simple cyber safe business practices can help protect your data. Your employees are often your best defense in protecting your data. They know the ins and outs of your business, when deliveries are made, who the suppliers are, who your critical customers are, profit and loss data and many more unique business facts. Don’t let that information get leaked, stolen or posted on social media.

 

STEP 4: HARDWARE AND SOFTWARE

Data protection is also about protecting the devices you use to store, manage and track your data. Here are some simple tips to prevent data loss.

  • Hardware and software inventory life cycle status: do you know if your equipment is still supported by the manufacturer? Have you downloaded the latest updates? Does the vendor still support the applications you are using for your business? It is important to know where you stand in your inventory life cycle and whether it might be time to update your hardware and software. This is one of the most overlooked cyber safe practices, and one that criminals often exploit to gain access to your data.
  • Conduct regular maintenance and run virus scans, and learn how to run a system utility that can diagnose your system for problems. These utilities can prevent little problems from becoming big problems, and will keep you in business.

 

STEP 5: BACKUPS

Before you make changes to critical data, always make a duplicate. Even if you just made a backup yesterday, make another and label it. If you or your employees create a backup on a removable drive, have the drive or memory device password protected.

 

STEP 6: OFF-SITE STORAGE

Something you probably never thought of, but what happens if there is a fire at your facility and your only backup was on-site and was lost in the fire? Keep a copy of your critical data offsite. If you use a managed service provider to store your data and applications, ensure that they provide you the ability to recover your data if it is compromised at their site. Know what is in the fine print before you sign the agreement. If they don’t provide a guarantee, find another provider. Another option: one service provider may not be enough; you might need another provider in another region of the country to ensure your data is backed up, based upon your needs for recovery.
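STEP 5 says to make a fresh, labelled duplicate before changing critical data, and STEP 6 says a copy is only useful if you can actually recover from it. The script below is an added example, not code from the NCSS fact sheet: it makes a timestamped, labelled copy and records a SHA-256 hash beside it, so that a copy which has been corrupted, truncated or encrypted by ransomware is detected before you rely on it for a restore. File names, the label text and the sample payroll content are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_labelled_backup(source: Path, backup_dir: Path, label: str) -> Path:
    """Copy `source` into `backup_dir` under a timestamped, labelled name
    (payroll.csv -> payroll.20240101T120000Z.before-rate-change.csv) and
    write a .sha256 file next to it so the copy can be verified later."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = backup_dir / f"{source.stem}.{stamp}.{label}{source.suffix}"
    shutil.copy2(source, target)                      # copy2 keeps the original timestamps
    Path(str(target) + ".sha256").write_text(sha256_of(target))
    return target


def verify_backup(backup: Path) -> bool:
    """True only if the copy still matches the hash recorded when it was made."""
    recorded = Path(str(backup) + ".sha256")
    if not recorded.exists() or not backup.exists():
        return False
    return recorded.read_text().strip() == sha256_of(backup)


def self_check() -> dict:
    """Exercise the functions in a throwaway directory with a constructed file."""
    work = Path(tempfile.mkdtemp())
    source = work / "payroll.csv"
    source.write_text("employee,rate\nalice,42\n")     # constructed sample data
    backup = make_labelled_backup(source, work / "backups", "before-rate-change")
    intact = verify_backup(backup)
    backup.write_text("encrypted-by-something-nasty")  # simulate a damaged copy
    return {"name": backup.name, "intact": intact, "after_tamper": verify_backup(backup)}


if __name__ == "__main__":
    print(self_check())
```

Keep the .sha256 file with the copy you send off-site; a verify step that runs on the off-site copy, not just the local one, is what turns "we have a backup" into "we can recover".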

 

Did you know…

Here is a set of cyber safe business practices that you can easily implement:

  • Advise employees to routinely save their work. It sounds simple, but hours of work could be lost if they don’t think to stop and save.
  • Never open email attachments by habit or click on links unless it is a secure site and you know where the email originated.
  • Never allow employees to use memory sticks or disks from someone outside the company, unless someone has scanned it first for viruses.
  • Keep your business operations private and instruct your employees about what can and cannot be posted on social media. Adversaries can use facts posted on public sites to conduct social engineering scams to trick your employees and compromise your operations.
  • Advise your employees to keep their passwords safe and secure and use our guide on how to create secure passwords.

 


Do you know what organizational assets you need to protect? Is it only your IT assets? Are you unclear where to start?

These are the first questions in developing an asset protection strategy. All that is needed is an understanding of your business and some time to develop an outline.

 

RISK MANAGEMENT METHODOLOGY

The Carnegie Mellon Risk Management Methodology (RMM), on which the NCSS CARES questionnaire is based, lists asset definition and management as the first step in a cyber secure business strategy. It is recommended you identify the organizational assets (people, information, technology, facilities) and assign responsibility for those assets in order to protect them appropriately.

Once organizational assets are defined, the next step is to define the relationship between these assets and the high value services they support. It requires that a process be established that examines and validates this relationship through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets and high value services. It is important to keep this information up to date and modified when events change.

 

 

STEP 1: INVENTORY

Inventory – create an inventory of your people (not just your employees, but your suppliers and partners); the data you need to run your business; the technology assets you need (computers, servers, the entire infrastructure); and the facilities needed to house and operate your business.

 

STEP 2: HIGH VALUE SERVICES

Listing of High Value Services – create a list of the high value services that keep your business functioning: logistics, financial, service delivery, assembly, manufacturing. Define the key services you need, those services that if lost, delayed or compromised would impact your business.

 

STEP 3: MAPPING

Mapping – create a mapping of people, data, technology and facilities to the high value services they support. Define the relationship between these assets and the high value services. Validate the relationship through periodic reviews. As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier to determine if anything has changed that would affect your service delivery? Leveraging your people to take responsibility for certain high value services and keeping the critical information current is key to protecting your assets.

 

STEP 4: INVENTORY PLAN

Inventory Plan – a plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb: once a year.

 

STEP 6: CONTINUITY PLAN

Continuity Plan – A sound business strategy includes continuity plans. For all your high value services that depend on critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets is compromised. See our “How-to-Guide” to develop a Continuity Plan.
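STEPS 1 through 4 describe an inventory, a list of high value services, a mapping between them, and a yearly review. The following is an added example, not part of the NCSS guide or the CMU RMM, showing those four artifacts as data plus the three questions the annual review should answer: which services an asset compromise would hit, which services have nothing mapped to them, and which assets are unowned or overdue for review. The supplier, database and warehouse entries, the service names and the review dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    kind: str            # "people", "information", "technology" or "facilities"
    owner: str           # who is responsible for protecting it ("" if nobody yet)
    supports: tuple      # high value services this asset supports
    last_reviewed: date  # when the mapping for this asset was last validated


def services_at_risk(assets: list, asset_name: str) -> set:
    """High value services impacted if this one asset is lost, delayed or compromised."""
    return {svc for a in assets if a.name == asset_name for svc in a.supports}


def assets_behind(assets: list, service: str) -> dict:
    """Everything a service depends on, grouped by asset type (the continuity-plan view)."""
    by_kind = {}
    for a in assets:
        if service in a.supports:
            by_kind.setdefault(a.kind, []).append(a.name)
    return by_kind


def mapping_gaps(assets: list, services: tuple, today: date,
                 max_age: timedelta = timedelta(days=365)) -> dict:
    """What the annual review should surface: services with nothing mapped to them,
    assets nobody owns, and mappings not validated within the review interval."""
    mapped = {svc for a in assets for svc in a.supports}
    return {
        "unmapped_services": sorted(set(services) - mapped),
        "unowned_assets": sorted(a.name for a in assets if not a.owner),
        "stale_assets": sorted(a.name for a in assets if today - a.last_reviewed > max_age),
    }


# Constructed inventory for illustration
SAMPLE_SERVICES = ("service delivery", "logistics", "financial", "assembly")
SAMPLE_ASSETS = [
    Asset("MedSupply Co (equipment supplier)", "people", "ops manager",
          ("service delivery",), date(2023, 1, 15)),
    Asset("order database", "information", "office manager",
          ("logistics", "financial"), date(2024, 2, 1)),
    Asset("warehouse", "facilities", "", ("logistics",), date(2024, 2, 1)),
]
REVIEW_DATE = date(2024, 3, 1)   # the day the annual review is run

if __name__ == "__main__":
    print(services_at_risk(SAMPLE_ASSETS, "order database"))
    print(assets_behind(SAMPLE_ASSETS, "logistics"))
    print(mapping_gaps(SAMPLE_ASSETS, SAMPLE_SERVICES, REVIEW_DATE))
```

In the constructed data the supplier was last reviewed more than a year before the review date, the warehouse has no owner and nothing supports the assembly service; those are exactly the rows a yearly review should flag.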

RESOURCES NEEDED:

  • Inventory of Organizational People, Data, Technology, Facilities

  • Listing of High Value Services

  • Mapping

  • Inventory Plan

  • Continuity Plan

 

 

DID YOU KNOW?

 

THE NUMBER ONE PREVENTION METHOD TO COMBAT RANSOMWARE --- HAVE A BACKUP AND RECOVERY PLAN

 


Passwords, passwords, too many to remember… Ever wonder how to create a safe and secure password that is impossible to crack?

 

STEP 1:

Imagination – we know you are busy and don’t have time to think up unique and creative passwords, so here’s a suggestion:

Use a random word generator, like the link below:

http://www.textfixer.com/tools/random-words.php

Pick 2-3 words, add some numbers, unique characters and a capital letter, and you are ready to go!

Like this: noble3$kitten72True – 19 characters!

 

STEP 2:

Safe storage – we know you can’t remember all these passwords, and you have a lot more important things to remember to keep your business running. If you have to write them down, don’t store them in a file on your computer!! Write them down and lock them up, just like you would an extra set of your car or warehouse keys, or lock combinations. These should be treated as any other “critical data” that needs to be kept in a secure location.

There are commercial products to store passwords, such as KeePass, and backup services such as SpiderOak or Dropbox; all can be used to keep your passwords backed up and encrypted.

 

Did you know…

  • Longer is better: 10-20 characters. The longer the password, the harder it is for someone to crack.
  • Don’t use words or phrases that link to who you are or where you have lived: your street, the city you were born in, the date you were married, your business name, your business owner, kids’ names or birthdays.
  • Change your password every three months or when prompted by the service you are using.
  • Each password should only be used for one service. Don’t reuse passwords.
  • Consider using a password manager, such as Dashlane or KeePass.
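The STEP 1 recipe (random words, some digits, a symbol, a capital letter, 10-20 characters in total) and the "Did you know" rules above can be checked mechanically. The following is an added example, not code from the NCSS fact sheet: it builds a password in the noble3$kitten72True pattern from an embedded word list (a constructed offline stand-in for the random-word generator the sheet links to), draws every choice with Python's secrets module rather than random so the result is unpredictable, and includes a check that rejects passwords containing personal facts such as a street or business name. The word list, symbol set and policy thresholds are assumptions.

```python
import secrets

# Constructed stand-in for the online random-word generator; any list of short
# common words will do. Keeping words at 4-6 letters keeps 2-3 of them inside 10-20 chars.
WORDS = ["noble", "kitten", "true", "river", "lamp", "cedar", "orbit",
         "maple", "quilt", "ember", "tango", "velvet", "harbor", "pixel"]
SYMBOLS = "!$%&*+-=?@#"
MIN_LEN, MAX_LEN = 10, 20      # the fact sheet's 10-20 character guidance


def check_policy(password: str) -> bool:
    """True if the password follows the sheet's guidance: 10-20 characters with at
    least one digit, one symbol and one capital letter."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    has_upper = any(c.isupper() for c in password)
    return has_digit and has_symbol and has_upper


def contains_personal_info(password: str, facts: list) -> bool:
    """True if any word of four or more letters from the supplied personal facts
    (street, business name, kids' names, ...) appears inside the password."""
    lowered = password.lower()
    for fact in facts:
        for token in fact.lower().split():
            if len(token) >= 4 and token in lowered:
                return True
    return False


def generate_passphrase(rng=secrets) -> str:
    """Build a 'words + numbers + symbol + capital' password such as the sheet's
    noble3$kitten72True. Retries until the policy is met (a 3-word draw can run
    past 20 characters)."""
    while True:
        count = 2 + rng.randbelow(2)                 # 2 or 3 words
        words = [rng.choice(WORDS) for _ in range(count)]
        cap = rng.randbelow(count)                   # capitalise one word
        words[cap] = words[cap].capitalize()
        pieces = []
        for i, word in enumerate(words):
            pieces.append(word)
            if i < count - 1:
                pieces.append(str(rng.randbelow(100)))   # a number between the words
        pieces.insert(rng.randbelow(len(pieces)) + 1, rng.choice(SYMBOLS))
        candidate = "".join(pieces)
        if check_policy(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, len(pw), check_policy(pw))
    print(contains_personal_info("Main1$Street2", ["Main Street", "Acme Widgets"]))
```

The personal-fact check is deliberately a plain substring test: it catches the obvious cases the sheet warns about and nothing more, so it complements rather than replaces the advice to use a password manager.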

 


WHAT IS A WHITELIST AND A BLACKLIST?

Whitelisting and blacklisting are two methodologies to control access to websites, email, software and IP addresses on networks. Whitelisting denies access to all resources and only the “owner” can allow access. Blacklisting allows access to all with the provision that only certain items are denied.

 

FACT 1: WHITELISTING

Whitelisting has the advantage that you control access to the websites or virtual resources you want your business to use; however, it is less dynamic and more restrictive in terms of ease of use and versatility. This is a control mechanism where you deny access to all resources by default and then allow access to resources by name. Think of your home, where only you and your family can get in through the front door. Everyone in your family would have a front door key, but some individuals don’t have keys to every door. You may have a shed out back to which only you have the key, because dangerous chemicals are stored there. The disadvantage is that not everyone in your family has open access to the shed and would have to ask permission to get something out. That may work for a small family, but in a business it would be unworkable unless the number of employees requiring access is small. This type of access control is useful for financial or personnel records, where a business might have only 2-5 employees who access these files, software or websites.

 

FACT 2: BLACKLISTING

Blacklisting is advantageous in that it allows free and open access to any email, website, IP address or software as long as it’s not a security risk. This is the concept that all web traffic is allowed, and certain items are disallowed by name or circumstance (i.e., a known security risk).
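The two FACTs differ in one decision: what happens to a resource that is on neither list. The following is an added example, not code from the NCSS fact sheet, that makes the two policies explicit for website hostnames and shows the consequence for an unknown host under each. The hostnames are constructed examples; the parent-domain matching rule (an entry for example.com also covers shop.example.com) is an assumption of this example.

```python
from enum import Enum


class Mode(Enum):
    ALLOWLIST = "allowlist"   # whitelist: deny by default, permit only named entries
    DENYLIST = "denylist"     # blacklist: permit by default, block only named entries


def _matches(entry: str, host: str) -> bool:
    """An entry matches the host exactly or as a parent domain. The leading dot in
    the suffix test keeps 'payroll.example.com.evil.example.org' from matching an
    entry for 'payroll.example.com'."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class AccessPolicy:
    def __init__(self, mode: Mode, entries: list):
        self.mode = mode
        self.entries = [e.lower() for e in entries]

    def is_listed(self, host: str) -> bool:
        return any(_matches(e, host) for e in self.entries)

    def is_allowed(self, host: str) -> bool:
        """The whole difference between the two methodologies is this one line."""
        listed = self.is_listed(host)
        return listed if self.mode is Mode.ALLOWLIST else not listed

    def decide(self, host: str) -> str:
        return "allow" if self.is_allowed(host) else "deny"


# Constructed policies for a small business: a tight list for the finance workstation,
# a loose list for everyone else.
FINANCE = AccessPolicy(Mode.ALLOWLIST, ["payroll.example.com", "bank.example.net"])
GENERAL = AccessPolicy(Mode.DENYLIST, ["malware.example.org", "phish.example.org"])

if __name__ == "__main__":
    for host in ["payroll.example.com", "news.example.org", "cdn.malware.example.org",
                 "payroll.example.com.evil.example.org"]:
        print(f"{host:40} finance={FINANCE.decide(host):5} general={GENERAL.decide(host)}")
```

Running it shows the trade-off the fact sheet describes: a brand-new, unlisted site is blocked by the finance policy and passes the general one, so the allowlist is safer for the 2-5 people who handle financial records while the denylist stays usable for everyone else.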

 


An IT vulnerability assessment is a process to identify weaknesses within your computer system and infrastructure. A vulnerability assessment will rank and quantify the vulnerabilities found based on security risk. Common types of vulnerabilities include flaws in software code, poor implementations, and/or outdated software. Hackers look to exploit these weaknesses to gain access to your critical data. Many security breaches occur because system patches were not kept up to date. Vulnerability assessments scan the IT environment to identify unpatched software and unsecure configurations. A hacker will use similar tools to identify the same weaknesses. A vulnerability assessment will allow you to discover them before they do.

 

FACT 1: TYPES OF SCANS

External scans – An external scan looks at your computer system or IP address from the outside to determine what vulnerabilities are publicly facing. This type of scan looks for holes in your network firewall(s) and any open ports that can be used to “exfil” or steal data.

Internal scans – An internal scan looks internally at your computer system(s) to identify what missing patches or unsecure configurations exist.

 

FACT 2: PRIORITIZING REMEDIATION

After the scans are complete, your security provider will provide a list of remediation activities based upon risk. Vulnerabilities will be categorized as critical, high, medium or low, based upon the risk as defined by the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) list. The National Institute of Standards and Technology, in partnership with the MITRE Corporation, maintains the NVD and CVE, which can be found at http://cve.mitre.org/cve/cve.html. The website provides a description of the weakness and resources to remediate the vulnerability. When remediating vulnerabilities, correct the more severe vulnerabilities on your most valuable resources first.
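FACT 2 gives the ordering rule in words: severity band from the scanner, weighted by how valuable the affected asset is to the business. The following is an added example, not code from the NCSS fact sheet or from any scanner: it parses a small constructed scan export, scores each finding as severity rank times asset value (the asset value being the 1-5 figure the data owner assigns), and returns the remediation order. The host names, the CVE-0000-NNNN identifiers and the values are placeholders, not real entries.

```python
from dataclasses import dataclass

# The four bands the fact sheet names, highest first
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    host: str
    cve: str           # identifier copied from the scan report
    severity: str      # one of the four bands above
    asset_value: int   # 1 (least) .. 5 (most valuable), set by the business/data owner

    def priority(self) -> int:
        """Severity weighted by how valuable the affected asset is."""
        return SEVERITY_RANK[self.severity] * self.asset_value


def parse_findings(csv_text: str) -> list:
    """Read 'host,cve,severity,asset_value' lines; the header and blank lines are skipped,
    and an unknown severity band is an error rather than silently ranked low."""
    findings = []
    for line in csv_text.strip().splitlines():
        line = line.strip()
        if not line or line.lower().startswith("host,"):
            continue
        host, cve, severity, value = (p.strip() for p in line.split(","))
        if severity.lower() not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} for {host}")
        findings.append(Finding(host, cve, severity.lower(), int(value)))
    return findings


def remediation_order(findings: list) -> list:
    """Highest weighted priority first; ties broken by raw severity, then host name."""
    return sorted(findings, key=lambda f: (-f.priority(), -SEVERITY_RANK[f.severity], f.host))


# Constructed scan export; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE_REPORT = """\
host,cve,severity,asset_value
web01,CVE-0000-0001,high,5
fileserver,CVE-0000-0002,critical,2
laptop7,CVE-0000-0003,critical,1
web01,CVE-0000-0004,medium,5
"""

if __name__ == "__main__":
    for f in remediation_order(parse_findings(SAMPLE_REPORT)):
        print(f"{f.priority():3}  {f.severity:8} {f.host:12} {f.cve}")
```

Note how the ordering differs from sorting on severity alone: the medium finding on the most valuable host outranks the critical finding on a low-value laptop, which is the point the fact sheet is making about fixing severe issues on valuable resources first.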

 


FACT 3: VULNERABILITY SCANNING TOOLS

There are several vulnerability scanning tools on the market, including many free scanning tools. Many are industry leaders in the scanning business and can give your business the insights needed to correct any weaknesses found. Vulnerability scans should be completed annually (some do so continuously), as new vulnerabilities are continually identified. If an IT security vendor supports your business, ask the vendor the status of scanning and how the work is prioritized against other clients. These vendors may remediate issues based upon their schedule, not yours, and they may not understand which assets are most critical for your business.

 

FACT 4: RESOURCES

There are several free scanning tools on the market; one option is OpenVAS. OpenVAS is a framework of free services and tools for vulnerability scanning and vulnerability management. The framework is part of Greenbone Networks’ commercial vulnerability management solution; visit www.openvas.org. Another option is to ensure your security provider is conducting scans of your infrastructure as part of the managed security services they offer.

 

COMMON HACKS

 

HERE ARE SOME COMMON HACKS THAT EXPLOIT CYBER VULNERABILITIES:

 

  • WannaCry – exploited unpatched software
  • Equifax – exploited a flaw in software code
  • Shellshock – injection vulnerabilities; exploits websites
  • Kemuri Water Company – exploited the company’s use of out-of-date software

 

Download a PDF of this fact sheet.

 

Still have questions, need help?

Contact us at our “Ask-an-Expert” service, web@thencss.org or visit us at the link below.

 

©2018 National Cybersecurity Society, All Rights Reserved

www.nationalcybersecuritysociety.org

 

JOIN THE NCSS

Become a member of The National Cybersecurity Society today and learn more about how to

protect your business from a cyber attack.

 

 

About The National Cybersecurity Society

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity

education, awareness and advocacy to small businesses. The NCSS provides cybersecurity

education tailored to the needs of the small business owner; helps small businesses assess their

cybersecurity risk; distributes threat information to business owners so that they will be more

knowledgeable about the threats facing their business; and provides advice on the type of services

needed to stay safe online.


 

SHOULD MY BUSINESS SHARE CYBER INCIDENT
DATA with an ISAC or ISAO?

As a business owner, you should prepare for when a cyber incident will occur. Your business is not immune from an event, and successful, resilient businesses have a plan in place to respond effectively. One tool to respond is to share what happened with an ISAC/ISAO.

 

ISACs AND ISAOs

Information Sharing and Analysis Centers (ISACs) are a type of Information Sharing and Analysis Organization (ISAO), which are communities of interest whose members voluntarily share cybersecurity information with each other. A good analogy for an ISAO is the neighborhood watch model. In a neighborhood watch, communities build trust and share information and best practices with each other to increase their individual and collective security. All neighborhood watches share a foundational idea: that bringing communities together promotes an increased quality of life and reduces crime.

 

An ISAO serves the same purpose, connecting your business to a larger community, which may be in the same industry or region, that proactively shares information on cyber threats and incidents, as well as best practices. Through coming together, ISAOs help build trust relationships among their membership; enhance understanding of cyber threats and of ways to address vulnerabilities in your organization that could be affected; and help you understand how to respond to a cyber incident at your organization. The overall effect shares a foundational idea with a neighborhood watch: that through these community efforts the quality of each ISAO member's condition improves, and cybercrimes can be prevented. The National Cybersecurity Society is an ISAO for small business and is connected to other ISAOs in industries and regions across the United States. To learn more about the benefits of an ISAO, see: https://www.isao.org/about/.

 

Did you know….

  • Becoming a member of the NCSS automatically enrolls your business in an ISAO and affords your organization protection from liability and litigation matters as long as the incident was reported via the NCSS portal.
  • NCSS reports the incident anonymously to the Department of Homeland Security to enhance prevention and protection activities.
  • Yes, you should share with NCSS!

 


CYBER RISK

 

WHAT ARE THE CYBER RISKS TO MY BUSINESS?

 

Cyber risk can be defined as the risk of financial loss, disruption or damage to the reputation of an organization through a failure of its information technology systems. Information technology has fueled rapid growth for small businesses, helping you reach more customers, tap into new markets, grow faster, and create more jobs. With that increased reliance on information technology and access to data, new risks to your business's finances, customer data and reputation can occur.

The process of cyber risk assessment includes identifying your organization's important data (financial data, customer data, and intellectual property), potential vulnerabilities in the systems that store or handle that data, and the potential impacts to your organization associated with a loss of confidentiality, integrity, or availability of that data.

 

FACT 1: ASSESSING CYBER RISK

Assessing and managing cyber risk is no different from managing other types of risk. If you were to manage the risk to your business from flood damage you would identify the most important assets that could be affected; consider how vulnerable those assets would be to a flood; consider the likelihood of flooding in the area; and determine what responses make the most sense based on the corresponding costs of responding to that risk (e.g., invest in measures to protect those assets, move the assets, transfer the risk through insurance, or accept the risk).

 

FACT 2: RESOURCES

There are many available resources to assess cyber risk. How extensively to analyze risk is based on a range of factors: business priorities, regulatory standards or cost considerations. The National Cybersecurity Society provides a free survey that helps small businesses assess cyber risk called NCSS CARES (Cybersecurity Assessment and Resiliency Evaluation for Small Business). The assessment methodology was adapted from two main sources: the NIST Cybersecurity Framework and Carnegie Mellon's Software Engineering Institute CERT Resilience Management Model.

 

FACT 3: NCSS CARES

NCSS CARES measures small business risk based upon the maturity of the business's organizational cybersecurity and resiliency processes, as defined by CMMI. CMMI (Capability Maturity Model Integration) is a process-level improvement training and appraisal program developed by Carnegie Mellon University. NCSS CARES can be found at: https://nationalcybersecuritysociety.org

 

FACT 4: INSURANCE

Assessing your cyber risk is an important consideration in any organization's overall evaluation of risks. Many insurance providers are using an assessment to set rates for policies; therefore, understanding your risks and how your organization manages risk are critical steps in ensuring your business is resilient. Begin now by assessing your risk through the NCSS CARES.

 

FACT 5: VENDOR AGREEMENTS

The American Bar Association is recommending that all vendor agreements include a section on assessing the risks of an organization's partners. NIST 800-171, Protecting Critical Unclassified Information in Non-federal Systems, requires contractors who do work with the government to assess their risk and provide an affirmation statement that they have complied with addressing and mitigating known risks.

 

FACT 6: NIST CYBERSECURITY FRAMEWORK

The NCSS has mapped the questions in its survey, NCSS CARES, to the Cybersecurity Framework. The mapping can be found elsewhere on our site.

 

 

DID YOU KNOW…

HERE ARE SOME RISKS TO CONSIDER:

 

  • Reputational
  • BYOD
  • Internet of Things
  • Lack of employee awareness/training
  • Social engineering
  • Weak passwords and the lack of two-factor authentication
  • Insecure website
  • Lack of a data retention policy
  • Limited or no backups of critical data/systems

 


 

CYBER CRIME

 

You’ve been hacked – do you know who to call?

 

Cybercrime can be particularly difficult to investigate and prosecute because it often crosses legal jurisdictions and even international boundaries. According to the 2015 Verizon Data Breach Report, intrusions go undetected for more than 200 days from the actual event. Some criminals disband one criminal operation — only to start up a new activity with a new tactic — before an incident even comes to the attention of the authorities. Once you believe you have been the victim of a cybercrime, it's important to report it and to protect the evidence.

 

FACT 1: WHO TO CONTACT

 

Seek legal advice. If you are a business owner, seek legal advice to guide you in addressing whatever liability and reporting requirements govern the breach. Sensitive employee data, health data, and credit card data each have their own governing regulations and notification requirements.

 

Local law enforcement. Even if you have been the target of a multi-jurisdictional cybercrime, call your local law enforcement agency (either the police department or the sheriff's office). They have an obligation to help you, take a formal report, and make referrals to other agencies. Report your situation as soon as you find out about it. Some local agencies have detectives or departments that focus specifically on cybercrime.

 

IC3. The Internet Crime Complaint Center (IC3) will thoroughly review and evaluate your complaint and refer it to the appropriate federal, state, local, or international law enforcement or regulatory agency that has jurisdiction over the matter. IC3 is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center (funded, in part, by the Department of Justice's Bureau of Justice Assistance). Complaints may be filed online at http://www.ic3.gov/default.aspx.

 

FACT 2: WHAT TO COLLECT

 

Even though you may not be asked to provide evidence when you first report the cybercrime, it is very important to keep any evidence you may have related to your complaint. Keep items in a safe location in the event you are requested to provide them. Evidence may include:

 

  • Canceled checks and copies of bank statements
  • Certified or other mail receipts
  • Credit card receipts
  • Envelopes (if you received items via FedEx, UPS, or U.S. Mail)
  • Faxes
  • Log files, if available, with date, time and time zone
  • Messages from Facebook, LinkedIn, Twitter or other social networking sites
  • Money order receipts
  • Pamphlets or brochures
  • Phone bills
  • Printed or preferably electronic copies of emails (if printed, include full email header information)
  • Printed or preferably electronic copies of web pages (to prove web defacement)
  • Wire receipts

 

And most importantly, don't shut down your computer or erase any files. Law enforcement and/or a computer forensic specialist will need the evidence stored on your hard drive and in other memory storage locations.

 

FACT 3: MALWARE

 

Many cybercrimes start with malware—short for “malicious software.” Malware includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent—you may have downloaded the malware without even realizing it! These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information and commit fraud. If you think your computer has malware, you can file a complaint with the Federal Trade Commission at www.ftc.gov/complaint. Often malware is embedded in links in emails or in attachments. Don't open an attachment from someone you don't know!

 

 

DID YOU KNOW…

THE MOST PREVALENT CYBER CRIMES FOR 2017:

 

  • Ransomware
  • Business Email Compromise
  • Pwned Passwords
  • Voter Registration Systems
  • Data Breaches
  • Identity Theft

 


HOW WILL LEAST PRIVILEGE PROTECT MY BUSINESS?

 

Least privilege is defined as giving a user only those privileges that are essential to perform his/her intended function. All companies, regardless of how large or small they are, must manage the access employees have to corporate assets. It's very easy for small companies to fall into the trap of thinking that they can just give everyone access to everything. It's quick, easy, and requires no maintenance as people fulfill changing roles within the company. However, it's a security risk because people can then perform tasks that they were not intended to perform or can access data that they were not intended to see.

 

Part of a company's cybersecurity approach includes limiting access based on each employee's job function. For example, Kevin is a human resources manager and Beth is a system developer. Kevin will need access to employee records and the Personally Identifiable Information (PII) that is associated with those records. Beth will need access to developer toolkits and source code. As a human resources manager, Kevin will never need access to developer toolkits and source code; likewise, Beth's role as a system developer will never require her to access human resources records.

 

FACT 1: LIMITING EXPOSURE

Least privilege helps companies reduce insider threats, maintain confidentiality, and increase their overall security posture. Without least privilege, Beth would have access to human resources records and could view the sensitive records of every employee. If Beth had any bad intentions, she could use that information to steal other employees' identities. In turn, if Kevin had access to system development tools and source code, he could add a virus to the system or take the code to a competitor. Least privilege eliminates both of these situations by not giving employees access to systems and data that they don't need.
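The Kevin/Beth scenario is a textbook case of role-based access control. The block below is an added example, not NCSS code: it defines one role per job function with only the resources that function needs, assigns each user the role for their current job, denies anything not explicitly granted, replaces a user's role on a job change so privileges do not pile up, and produces the per-resource "who can touch this" listing that a periodic access review needs. Role names, resources, actions and users are all constructed for the illustration.

```python
"""Least privilege as role-based access control, deny by default.

Added example for the Kevin/Beth scenario in this fact sheet; not NCSS
code. Roles, resources, actions and users are constructed.
"""
from collections import defaultdict

# Role -> resource -> allowed actions (constructed). HR never sees source
# code; developers never see employee records.
ROLE_PERMISSIONS = {
    "hr_manager": {
        "employee_records": {"read", "write"},
        "pii": {"read"},
    },
    "developer": {
        "source_code": {"read", "write"},
        "dev_toolkits": {"read"},
    },
}

# User -> roles (constructed). Kevin is HR, Beth is a system developer.
USER_ROLES = {
    "kevin": {"hr_manager"},
    "beth": {"developer"},
}


class Policy:
    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions
        # Copy so that role changes do not mutate the module-level mapping.
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def is_allowed(self, user, resource, action) -> bool:
        """Deny by default: allow only if one of the user's roles grants it."""
        for role in self.user_roles.get(user, set()):
            allowed = self.role_permissions.get(role, {}).get(resource, set())
            if action in allowed:
                return True
        return False

    def effective_permissions(self, user) -> dict:
        """Everything a user can do, merged across all of their roles."""
        merged = defaultdict(set)
        for role in self.user_roles.get(user, set()):
            for resource, actions in self.role_permissions.get(role, {}).items():
                merged[resource] |= actions
        return dict(merged)

    def change_role(self, user, new_role):
        """A job change replaces the old role; privileges do not accumulate."""
        self.user_roles[user] = {new_role}

    def access_review(self) -> dict:
        """Resource -> sorted users with any access: the periodic review list."""
        who = defaultdict(set)
        for user in self.user_roles:
            for resource in self.effective_permissions(user):
                who[resource].add(user)
        return {res: sorted(users) for res, users in who.items()}


if __name__ == "__main__":
    policy = Policy(ROLE_PERMISSIONS, USER_ROLES)
    print("Beth reads employee records:", policy.is_allowed("beth", "employee_records", "read"))
    print("Kevin reads source code:", policy.is_allowed("kevin", "source_code", "read"))
    print(policy.access_review())
```

The two design choices that matter are the default deny in `is_allowed` (a user or resource that is not in the policy gets nothing, rather than everything) and the replace-not-append behaviour of `change_role`, which is what stops the "quick, easy, no maintenance" accumulation of access the fact sheet warns about.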

 

 

DID YOU KNOW…

  • Everyone in the organization doesn't need access to everything.
  • Create defined roles based on job functions and assign access to systems and data based on the job the employee performs.
  • Review access permissions on a regular basis.
  • Insider threat is defined as someone within the organization who has access to systems and data and could harm the organization either intentionally or unintentionally. Limiting access through least privilege helps protect your company from this type of threat.

 


The National Cybersecurity Society (NCSS) has prepared “Business Identity Theft In The U.S.”, to lay the foundation for an effective and sustainable national program to assist victims of business identity theft. The study presented in this report analyzes the current ecosystem of participants – federal, state and the private sector; defines types of business identity theft; the mechanisms in place to define the identity of the business; how vulnerabilities are exploited; and recommendations to improve victim resources.

 


 

In October 2017, the NCSS was selected by the Identity Theft Resource Center (ITRC), under the auspices of the Department of Justice, to lead a national coalition on business identity theft.

 

Through the grant provided by ITRC, the NCSS completed a study of the crime and recently published the findings in “Business Identity Theft in the U.S.” The report is available on our website. This fact sheet defines business identity theft and the main types of this insidious crime.

 

Business Identity Theft is defined as:

 

“identity theft committed with the intent to defraud or hurt a business by creating, using or attempting to use a business’s identifying information without authority”

 

The types of business identity theft are:

 

  • Financial Fraud – obtaining new lines of credit, loans or credit cards in the business’s name; and/or filing fraudulent UCCs,
  • Tax Fraud – filing fraudulent returns using tax subsidies and/or obtaining refunds either through the federal and/or state governments,
  • Website Defacement – manipulating a business’s identity (website) on the web,
  • Trademark Ransom – registering the business name or logo as an official trademark and demanding a ransom for release of the trademarked business name or logo.

 

Information about your business is publicly available at the state registry office and with Dun & Bradstreet. These open records are available to facilitate trade and financial transactions. However, thieves utilize these open records to find businesses with good credit to steal. By accessing online state records, they change information about your business – such as registered agent, owners, address, and revenue. This new business information is then shared with the credit reporting agencies. Once an altered identity is created, the criminal uses this information to make online applications for credit cards and lines of credit. A business owner only knows this has happened when someone calls due to nonpayment.

 

Start by protecting your business identity through establishing a user name and password at the state registry and signing up for email alerts so you may be notified in the event a record has been changed.

 

Other measures you can take:

1) officially record your business name and logo as a trademark,

2) monitor your website for malicious code that could redirect your customers to nefarious websites that look like your own, and

3) monitor your credit regularly.

 


 

Tips to Protect Business Identity

Business identity theft is more complex than individual identity theft.

The challenge businesses face is that the majority of the elements that comprise a business identity are publicly available.

 

Business Information. Data used to manage a business's identity consists of public, non-sensitive data. Elements of business identity data are: fictitious name or “doing business as” (DBA) name, owner's name, legal entity type, address, county, state, registered agent, date of formation, subsidies, and website address (URL). Protecting this data involves knowing where it is stored and learning how to control access to it. Criminals easily access these data repositories and change the identifying information to support their heist.

 

State Registry Office. First, it is important to manage the data held with the state registry office(s). Know which states you are registered in to do business. Ensure that access to the data about your business is locked down with a user name and a strong password. Change your password every 3 months. Ensure your password is at least 16 characters long, or use a password manager. Additionally, some states offer the ability to sign up for automated alerts, a great way to be notified if a change has been made, and if the state offers two-factor authentication, sign up for this protection as well.

 

Business Credit File. The Credit Reporting Agencies (CRAs) recommend that businesses be proactive in monitoring and updating their business credit file and notify them of any potential errors. Each of the three CRAs – Dun & Bradstreet (D&B), Equifax and Experian – collects different data about your business. Additionally, the credit rating scales are also different. See our report for a full listing of the data collected. The key to managing your credit is to monitor your D&B business file. This file is accessible and free. As a business owner, you can go in and correct any erroneous data, as well as track whether someone might have gone in and changed it. Any changes to the D&B file are shared with the other CRAs.

 

If you believe your company's data in the business file has been changed by an unauthorized user, contact Dun & Bradstreet at 1-866-895-7262 or highriskandfraudinsight@dnb.com. The other CRAs require you to register to have your credit file monitored, whereas D&B allows you to do that for free.

 

During our review, D&B informed us they will provide businesses recovery support for an identity theft – offering research support, flagging the account as “stop distribution” until the file is corrected, and assisting in resolving any inaccurate data.

 

CRA contact information for identity theft:

Dun & Bradstreet: 1-866-895-7262

Experian: 1-888-397-3742

Equifax: 1-800-685-5000, option 4.

 

Website. Managing your identity on the web is an important aspect of your business, especially if your business depends on e-commerce through your website. Recommendations for a safe and secure website are:

 

  • Conduct regular backups of your site, at least every day;
  • Ensure your website is routinely scanned for malware and/or viruses;
  • Ensure your site is protected by a web application firewall;
  • Ensure your site transactions are secure and your website is served over https.

 

Trademark. Officially register your firm’s name and logo as a trademark. Many state offices provide this service at a nominal cost.

 

EIN/SSN. Protect your business's EIN (Employer Identification Number) and the owner's SSN from disclosure.

 

Training. Train your employees not to release information about your business to callers or to post business information on social media or the web. Have periodic phishing training for your employees.

 

Partners. Verify the financial/solvency position of your potential and existing business partners before you share critical business data.  D&B provides this service for a nominal fee. Require your partners to sign a partnership agreement that requires them to protect your critical business data.

 

 


Business Identity Theft Scams

 

In order to protect your business from identity theft, it is useful to understand how criminals use corporate identities to steal or compromise your business. Small businesses work years to build a strong credit rating in order to facilitate transactions between partners and to manage cash flow. Your credit rating is probably your most coveted asset.

 

Business Identity Theft is defined as:

 

“identity theft committed with the intent to defraud or hurt a business by creating, using or attempting to use a business’s identifying information without authority.”

 

Notable scams include:

 

  • In Tennessee, criminals created phony websites that impersonated the identity of legitimate car dealerships and advertised low prices in order to scam people into making deposits for vehicles that didn't exist (1);
  • In Nevada, the identity of a business was stolen after a criminal changed the name of the business's officers filed with the Secretary of State's office, then sold the business to a third party (1);
  • In California, criminals rented office space in the same building as a legitimate business, ordered corporate credit cards and retail merchandise in the business's name and then disappeared by the time the business realized its identity had been stolen (1);
  • Home Depot and Lowes - millions of dollars in merchandise were stolen by criminals posing as an illegitimate business;
  • In Canada, an identity thief falsified company documents to make himself the CEO, then sold the company-owned building;
  • Thieves mirrored the physical address of a business to obtain credit, loans, cash and other goods or services in the business's name;
  • Criminals targeted an inactive business and stole the business's identity to obtain goods and services. Then, the family of the deceased owner received notices to pay the debts created through the crime;
  • Criminals have stolen EINs to create false W-2s or 1099s to fraudulently file for benefits such as fuel and farm tax credits.

 

Dun & Bradstreet offers free support to a business that believes its identity has been stolen. To request support and report a theft, businesses can call Dun & Bradstreet at 1-866-895-7262 or email highriskandfraudinsight@dnb.com.

 

The three credit reporting agencies – Dun & Bradstreet, Experian and Equifax – will provide a free copy of a business's credit rating if the company has been denied credit through fraudulent activity or believes it has been a victim of identity theft. Business owners can reach:

Equifax at 1-800-685-5000, option 4, cust.serv@equifax.com;

Experian at 1-888-397-3742, businessrecordsvictimassistance@experian.com

 

(1) National Association of Secretaries of State, 2012, Developing State Solutions to Business Identity Theft.

 
